This is an article in a series on Web Application Vulnerability Basics.
What Is Cross-Site Scripting?
How does XSS Work?
For a cross-site scripting attack against a web application to be successful, two conditions that must be met. (1)The web application needs to accept some form of user input. This is usually data being passed in a web request, which the web app does not validate correctly. Then, (2) this data is included, without proper sanitization on the response back to the user’s browser where the attack is then triggered.
There are two types of cross-site scripting attacks, Reflected XSS and Stored XSS.
A reflected XSS attack has no persistence and requires an attacker to trick the victim into submitting a malicious request themselves. Because of this, a reflected attack is less severe than a stored XSS attack due to the limited scope. However, a reflected XSS vulnerability is usually easier to find than a stored XSS vulnerability.
The scope of a stored XSS attack are vast. Anyone visiting a page with an injected XSS payload could have their accounts compromised, data stolen, session hijacked, and more. Stored XSS attacks can lead to a full compromise of the web application if an administrator’s credentials are stolen. This attack could also be paired with Cross-Site Request Forgery to perform actions on behalf of victim without their knowledge.
XSS Mitigation Techniques
There are a few mitigation techniques that can be utilized to prevent XSS attacks. These techniques are simple but effective, and mainly focus on sanitizing and validating user input.
- Restrict and validate user input wherever possible
- If markup is handled by web application (uses similar characters to HTML), use a HTML sanitization library
- Implement a strict Content Security Policy to limit scope of a successful XSS attack
Protecting against XSS attacks is crucial to maintaining a secure web application. Keep XSS attacks in mind while developing and maintaining web applications and verify that XSS mitigation strategies are working as intended.
by: Jessica Turner
Information Assurance Team Member at NuHarbor Security
Follow us on Social Media for more information: