Almost every day we hear or read about eCommerce sites losing customer credit card data or other critical operational data. Companies lose critical information such as credit card data, patient health records, and social security numbers to hackers due to vulnerabilities in their customer-facing web applications. While it may be impossible to guarantee perfect safety, by understanding how web vulnerabilities get exploited you can make it extremely hard for hackers to attack your web applications. In this article, we discuss some techniques to protect your web applications.
While hackers use a variety of attack techniques against web sites, Cross-Site Scripting (also known as XSS or CSS) is one of the most common application-layer hacking techniques. The web developers who put web applications together either lack an understanding of the security threats or do not have enough time or resources to do proper code reviews of a large code base, resulting in vulnerable application code. Despite being a popular application-layer attack technique, XSS still remains the most common security vulnerability in web applications today. As a matter of fact, today's news came that a very popular Fancybox WordPress plugin used by thousands is vulnerable to XSS attack.
XSS flaws are quite difficult to fully remove from a large app, even with modern test tools. XSS vulnerabilities can have consequences such as tampering and sensitive data theft. Therefore, understanding XSS or CSS (not to be confused with the CSS used for styling HTML) and how it works is fundamental to avoiding such breaches of data.
So what is a Cross-Site Scripting Attack?
You would think that a hacker would have to break into the server to install a malicious script on a good site. That is often not required, since a malicious script or a link to a malicious script can be embedded simply by filling in some user forms. For example, on a forum web site a hacker can add a link in a comment. When another user reads the comment, they unknowingly run the malicious script.
XSS vulnerabilities may occur if:
- Input coming into the web application is not validated before it is stored in a database
- Output to the browser is not HTML encoded
Types of XSS Attacks
XSS attacks generally fall into three categories: stored, reflected and DOM-based.
1. Stored or Persistent XSS Attacks
Stored or persistent attacks are those where the injected malicious script is permanently stored on the target servers, for example in a database, a message forum, a visitor log or a comment field. The victim's browser then retrieves the malicious script from the server when it requests the stored information. A persistent script is often embedded using many clever techniques under various HTML tags to mask the harmful nature of the malicious script.
2. Reflected or Non-Persistent XSS Attacks
Reflected or non-persistent attacks are those where the injected malicious script is reflected off the web server, such as in an error message, search result, or any other response that includes some or all of the input sent to the server as part of the request.
3. DOM XSS Vulnerabilities
The Document Object Model is a convention for representing and working with objects in an HTML document. A DOM XSS vulnerability occurs when the XSS vector executes as a result of a DOM modification on a website in a user's browser. On the client side, the HTTP response does not change, but the script executes in a malicious manner. This is the most advanced and least-known type of XSS. Most of the time, this vulnerability exists because developers do not understand how it works.
How to Protect Your Applications
1. During the Development Stage
The simplest and arguably the easiest form of XSS protection is for developers to sanitize any user input.
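The two conditions listed earlier (unvalidated input, output that is not HTML encoded) can be seen side by side in the forum-comment scenario. The following is an added example, not code from the original article; the function names and the sample comment are assumptions constructed for illustration.

```javascript
// Characters that can change how a browser parses element content
// or a quoted attribute value, with their HTML entity replacements.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;',
};

// Output encoding: a single pass, so '&' is never double-encoded.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Input validation: allow-list for a field with a known shape.
function isValidUsername(name) {
  return typeof name === 'string' && /^[A-Za-z0-9_]{3,20}$/.test(name);
}

// Vulnerable: stored user input is concatenated straight into markup.
function renderCommentUnsafe(comment) {
  return `<li><b>${comment.author}</b>: ${comment.body}</li>`;
}

// Hardened: validate the author field, then encode every value on output.
function renderCommentSafe(comment) {
  if (!isValidUsername(comment.author)) {
    throw new Error('invalid author name');
  }
  return `<li><b>${escapeHtml(comment.author)}</b>: ` +
         `${escapeHtml(comment.body)}</li>`;
}

// Constructed sample: a stored comment whose body contains markup.
const storedComment = {
  author: 'guest_42',
  body: 'Nice post <script>alert(1)</script> & thanks',
};

function demo() {
  return {
    unsafe: renderCommentUnsafe(storedComment), // markup reaches the page
    safe: renderCommentSafe(storedComment),     // markup shown as text
  };
}

console.log(demo());
```

This encoding covers HTML element content and quoted attribute values only; values placed in URLs, inline scripts or style blocks need the encoding that matches that context.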
2. Already Deployed Applications
Open Source Nessus and many other available web security tools can help scan a website for many cross-site scripting and other security flaws. They help, but they cannot fully eliminate the possibility of such flaws.
To check for cross-site scripting vulnerabilities, use any good-quality web vulnerability scanner. A web vulnerability scanner crawls your entire website and automatically checks for cross-site scripting vulnerabilities. It will indicate which URLs/scripts are vulnerable to these attacks so that you can fix the vulnerability easily. Besides cross-site scripting vulnerabilities, a web application scanner will also check for SQL injection and other web vulnerabilities.
As we mentioned, XSS vulnerabilities can be very difficult to remove. Hopefully, this article will help you understand them and their associated consequences. It will also help you plan suitable remedial actions.