Cross Site Scripting (XSS)

What is cross site scripting?

Cross site scripting, otherwise known as XSS, occurs when malicious scripts are injected into an otherwise trusted website. It is an attack whose ultimate purpose is to inject HTML (also known as HTML injection) or run code (JavaScript) in a user's web browser.

XSS is considered an attack against the user of a vulnerable website.

Cross site scripting attacks are possible when user input is used somewhere in the web application's output. This lets an attacker gain control over the content rendered to the application's users, thus attacking the users themselves.

Cross site scripting can be used to achieve many goals. Some examples are:

  • Cookie stealing
  • Getting complete control over a browser.
  • Initiating an exploitation phase against browser plugins first and then the machine.
  • Keylogging.

How XSS exploitation works

Hacker's goal: run JavaScript to steal the session cookie of user X, who is authenticated (logged in) on website Y.

First: The hacker tries to find an XSS vulnerability affecting the website.

Second: Once an XSS vulnerability is located, he will have to:

  • build a payload
  • create a link
  • send it to the victim, inviting them to click on it.

There are three types of XSS:

  • Reflected XSS
  • Stored XSS
  • DOM XSS

  • Reflected XSS: This occurs when untrusted user data is sent to a web application and is immediately echoed back in the response. The browser then receives that content from the web server and renders it as it would any other part of the page.

  • Stored XSS: It is quite similar to reflected XSS, but rather than the malicious input being directly reflected in the response, it is stored within the web application. It is then echoed somewhere else within the web application and may be served to all visitors.

  • DOM XSS: It is a form of cross site scripting that exists only within the client-side code (typically JavaScript). The vulnerability lives within the DOM environment, that is, within a page's client-side script itself, and the malicious input never reaches server-side code.

Mitigating cross site scripting involves implementing two layers:

  • Input validation: to filter the attack vectors as much as possible.
  • Context-aware output encoding: to correctly and safely render user-supplied content on the web application's pages.
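The following JavaScript is an added example, not part of the original notes, showing the second layer. It contrasts a reflected-echo template that interpolates raw input with one that picks an encoder matching the context (HTML text, HTML attribute, JavaScript string) where the untrusted value lands; the function names and the sample input are my own.

```javascript
// Context 1: HTML text content (between tags). Neutralise the characters
// that could open a tag or break out of the surrounding element.
function encodeForHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;');
}

// Context 2: value inside a quoted HTML attribute. Encode everything except
// alphanumerics, so neither quote style can close the attribute early.
function encodeForHtmlAttribute(value) {
  return String(value).replace(/[^A-Za-z0-9]/g, (ch) =>
    '&#x' + ch.charCodeAt(0).toString(16).toUpperCase() + ';');
}

// Context 3: value inside a JavaScript string literal. \xHH / \uHHHH escapes
// mean quotes, "</script>" and line breaks cannot terminate the literal.
function encodeForJavaScript(value) {
  return String(value).replace(/[^A-Za-z0-9]/g, (ch) => {
    const code = ch.charCodeAt(0);
    return code < 256
      ? '\\x' + code.toString(16).padStart(2, '0')
      : '\\u' + code.toString(16).padStart(4, '0');
  });
}

// "Before": the reflected search term is dropped into the page unencoded,
// so markup in it is parsed by the browser as part of the page.
function renderUnsafe(search) {
  return `<p>Results for ${search}</p><input value="${search}">`;
}

// "After": each insertion point uses the encoder for its own context.
function renderSafe(search) {
  return `<p>Results for ${encodeForHtml(search)}</p>` +
         `<input value="${encodeForHtmlAttribute(search)}">`;
}

// Constructed sample input containing tag and quote characters.
const sample = '<b>"x"</b>';
console.log(renderUnsafe(sample)); // raw <b> tag reaches the browser
console.log(renderSafe(sample));   // only text and an attribute value
```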