Cross-site scripting vulnerabilities and risks they pose

Edward G. | June 19, 2020

Cross-site scripting (or XSS) is a sneaky invasion that turns benign and reliable websites into malware transmitters. Typically, hackers exploit flaws to inject malicious code into web applications. The vulnerabilities can reside anywhere within the source code of the application, including databases, client-side, and server-side.

However, malicious actors perform cross-site scripting to target the user communities, not the websites themselves. Crooks are after credentials and other valuable data. Also, they can use the detected loopholes to sneak keyloggers or other intrusive parasites into devices.

What is cross-site scripting?

Cross-site scripting is a persistent and highly-damaging attack that can lead to loss of sensitive data. Once aggressors manage to inject malicious code into websites, they can steal session cookies and extort other sensitive details. Usually, attackers compromise websites with JavaScript lines, but the added scripts can also be related to HTML, Flash, ActiveX, or others.

For some, cross-site scripting is a curious name for the attack. The term originates from the procedure of opening a modified version of the vulnerable web application. Unknown sources incorporate additional lines of JavaScript to perform malicious acts. Later on, this term evolved to include comparable attacks when crooks make alterations not related to JavaScript.

Reflected XSS

This type of cross-site scripting refers to one-off ventures that occur during the victims’ requests. A typical route for the malicious code to enter is through the improperly sanitized requests. Such security gaps appear during the communication between the web client and the server-side scripts. In short, the reflected cross-site scripting indicates a temporary modification of source code to feature a malicious script.

We can refer to a website’s search engine for illustrating this type of cross-site scripting. Hackers can modify the response from the web server to show a malware-ridden pop-up, error message, or suspicious link among the presented results. Then, since the message or URL is on the trustworthy website, users might click on them willingly. Sadly, that action might cost your privacy or security.

Persistent XSS (or stored XSS)

Such attacks are not as common, but highly pervasive and more devastating than temporary injections of malicious code. As indicated by its name, persistent cross-site scripting manages to save its unique chunk of code to the web server. The aftermath of such invasive strategies makes it possible for the attackers’ input to be shown permanently on the affected site. So, hackers can set the malicious code and wait for the results.

To simplify this attack, let’s discuss a situation when this variant of cross-site scripting can occur. Let’s say that a specific website requires users’ emails for the login process. However, other members of the service have no way of knowing each other’s email addresses. Snoopy attackers might alter their profiles to feature a script, designed to read the data users provide during registration. So, anytime unsuspecting users visit the modified profiles, their data immediately ends up in hackers’ hands.

DOM-based XSS

The reflected and persistent cross-site scripting attacks rely on the server-side. However, DOM-based XSS breaks the rules and wreaks havoc on the client-side code. Instead of incorporating malicious scripts as a part of the page, this type of attack focuses on manipulating the user input to add HTML. The web application regards the addition as innerHTML and executes it with the rest of the source script. Even if the server-side is immune to cross-site scripting, the client-side can be the weak link in the application.

What are the risks of XSS?

Account takeover. The injection of malicious code can lead to account hijacking. It means that attackers can impersonate people and operate from their accounts on their behalf.
Stolen credentials. By cloning the login page of a reputable website, hackers can trick people into revealing their credentials. After a successful harvest, they can implement other attacks, such as credential stuffing.
Unsolicited disclosure of sensitive information. Cross-site scripting can allow hackers to steal various types of information. Crooks can even harvest users’ financial details or trick them into making transactions to suspicious accounts.
Drive-by downloads. Some cross-site scripting vulnerabilities can open doors to dropping payloads of malicious programs disguised as updates.

Can you prevent cross-site scripting?

The immunity against cross-site scripting mostly rests on developers’ shoulders. They are the ones that need to address the prevalent web vulnerabilities and perform regular penetration tests. However, there are some simple rules that cautious netizens should always follow:

Modern browsers have integrated security features to protect users from the influence of cross-site scripting. If you use an older version, make sure to update your browser to get the full security package.
If you know your way around checking code, you can run a quick test via Chrome DevTools (or other tools). While this routine might be too time-consuming for every website, perform it after noticing suspicious web elements.
Pay attention to URLs. If you notice that a link leads to an unrelated site, make sure to avoid it.
Some VPNs have additional features to protect you from potentially malicious websites. With Atlas VPN, you get SafeBrowse: it warns you about web applications that might be suspicious and somewhat dangerous.

Edward G.

Cybersecurity Researcher and Publisher at Atlas VPN. My mission is to scan the ever-evolving cybercrime landscape to inform the public about the latest threats.

Tags:

vulnerabilities