In this article, we will discuss what a cross-site scripting attack is, its types, and how to build a basic filter against it.
What Is Cross-Site Scripting Attack
A cross-site scripting attack is an attack on web applications in which attackers inject malicious scripts into trusted websites in order to perform malicious actions. The injected code runs in the victim's browser, so it is the users of the site who are affected. Cross-site scripting is also known as an XSS attack. It is abbreviated 'XSS' and not 'CSS' because in web design 'CSS' already stands for cascading style sheets, so, to avoid confusion, cross-site scripting is called 'XSS'.
This attack takes place when a web application sends a script supplied by an attacker to the end user. The weakness can be found anywhere in an application where user input is not properly encoded. Without the input being properly encoded and sanitized, users will receive these injected malicious scripts. The browser has no way of knowing that it should not trust the script. When the script is executed by the browser, the malicious action is performed on the client side. Usually, XSS is used to steal the session tokens and cookies of a valid user in order to carry out session hijacking.
Types of Cross-site Scripting Attack
Most experts categorize XSS into the following three types: persistent XSS, non-persistent XSS and DOM-based XSS.
Persistent cross-site scripting attack
This is also known as stored cross-site scripting. It takes place when XSS vectors are stored in the website's database and become active when a page is opened by a user. Any time a user opens the affected page in the browser, the script runs.
Non-Persistent Cross-site scripting attack
Non-persistent XSS is also called reflected cross-site scripting. This is the most common kind of XSS. In this attack, the attacker injects data that is reflected back to the user in the response.
DOM-based cross-site scripting attack
DOM-based XSS is also known as "type-0 XSS". It takes place when the XSS vector executes on a website as a result of a modification of the DOM.
Cross-site scripting is one of the most critical website vulnerabilities, as it can be used in many different ways to harm website users. To build a hard-to-bypass XSS filter, one should study most of the publicly available XSS vectors. Analyzing them and coding functions that recognize the attack patterns is the way to block the attack.
Reasons for the Occurrence of Cross-Site Scripting
The main reason for cross-site scripting attacks is that developers assume users will never act irresponsibly or perform a wrong action. Because of this assumption, developers build applications without making any extra effort to filter user input, which would block malicious activity. Another important reason is that this attack has a lot of variants. At times, even if an application tries to filter malicious scripts, the filter gets confused and lets the script through. Thus we see distinct XSS vectors that are capable of evading most of the available XSS filters.
How to Build a Good XSS Filter, Which Blocks Most XSS Vectors
Even though we can never have a perfect XSS filter, we can try to make a filter that easily blocks the popular XSS vectors.
Following are some basic filters that can be created:
A simple rule to follow is that every piece of data supplied by a user should be encoded. Data that is not typed in by the user but arrives through a GET parameter should be encoded too. XSS vectors can also be present in a POST form. So, each time you use a variable value on a website, check it for XSS.
The following data should be properly sanitized before being used on your website:
- the URL
- GET parameters from a form
- HTTP referrer data
- POST parameters from a form
- header data
- cookie data
- database data, if it was not properly validated on user input
First, encode every &, <, >, ' and ". This must be the primary step of your XSS filter. The encoding is as follows:
- & --> &amp;
- < --> &lt;
- > --> &gt;
- " --> &quot;
- ' --> &#x27;
- / --> &#x2F;
For this, you can use the htmlspecialchars() function in PHP, as it encodes the HTML special characters (&, <, >, " and, with the ENT_QUOTES flag, ' as well).
$input = htmlspecialchars($input, ENT_QUOTES);
If $input was "><script>alert(1)</script>
this function would turn it into &quot;&gt;&lt;script&gt;alert(1)&lt;/script&gt;
The following line will also help if an encoded value is used anywhere after being decoded:
$input = str_replace(array('&', '<', '>'), array('&amp;', '&lt;', '&gt;'), $input);
HTML character references (entities) may also be used by a vector, so these should be normalized as well. Add the following rules:
$input = preg_replace('/(&#*\w+)[\x00-\x20]+;/u', '$1;', $input);
$input = preg_replace('/(&#x*[0-9A-F]+);*/iu', '$1;', $input);
But along with these, you also need to consider other possibilities and add further rules, which make the filter stronger.
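The two rules above put together, as an added PHP example that is not code from the original article: encodeForHtml() applies htmlspecialchars() with ENT_QUOTES and an explicit charset, normalizeEntities() applies the article's two preg_replace() rules, and the constructed samples show why ENT_QUOTES (rather than ENT_COMPAT, the default before PHP 8.1) is needed. The function names and sample inputs are my own.

```php
<?php
// Added example, not code from the original article. It applies the
// article's two rules (encode &, <, >, " and ' with htmlspecialchars()
// and ENT_QUOTES; normalise numeric entities) and shows why ENT_QUOTES
// matters. Function names and the sample inputs are my own.
declare(strict_types=1);

// Rule 1: encode every user-supplied value at the point it is written
// into HTML. ENT_QUOTES also encodes the single quote, which ENT_COMPAT
// (the default before PHP 8.1) leaves untouched; the explicit charset
// avoids mis-decoding multibyte input.
function encodeForHtml(string $input): string
{
    return htmlspecialchars($input, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Rule 2 (the article's preg_replace pair): canonicalise numeric entities
// so obfuscated forms such as "&#60 ;" or "&#x3E" (missing semicolon)
// become "&#60;" and "&#x3E;". Run this before any later decode step.
// preg_replace() with /u returns null on invalid UTF-8, so reject that.
function normalizeEntities(string $input): string
{
    $out = preg_replace('/(&#*\w+)[\x00-\x20]+;/u', '$1;', $input);
    if ($out !== null) {
        $out = preg_replace('/(&#x*[0-9A-F]+);*/iu', '$1;', $out);
    }
    if ($out === null) {
        throw new InvalidArgumentException('input is not valid UTF-8');
    }
    return $out;
}

// Constructed samples: the article's tag payload and a single-quote
// variant aimed at a single-quoted HTML attribute.
$samples = [
    '"><script>alert(1)</script>',
    "' onmouseover='alert(1)",
];
foreach ($samples as $s) {
    // ENT_COMPAT leaves the apostrophe alone, so the second sample would
    // still close a single-quoted attribute; ENT_QUOTES neutralises both.
    printf("ENT_COMPAT: %s\n", htmlspecialchars($s, ENT_COMPAT, 'UTF-8'));
    printf("ENT_QUOTES: %s\n", encodeForHtml($s));
}
printf("normalized: %s\n", normalizeEntities('&#60 ;script&#x3E'));
```

Encoding is context-dependent: these functions cover data placed in HTML body text and quoted attributes, not data written into JavaScript, URLs or CSS.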