– BY MARIYAM CHOWDHARY
Cross-site scripting (also known as XSS) is a web security vulnerability that allows an attacker to compromise the interactions that users have with a vulnerable application. It allows an attacker to circumvent the same-origin policy, which is designed to segregate different websites from each other. Cross-site scripting vulnerabilities normally allow an attacker to masquerade as a victim user, to carry out any actions that the user can perform and to access any of the user’s data. If the victim user has privileged access within the application, then the attacker might be able to gain full control over all of the application’s functionality and data.
How does XSS work?
Like all injection attacks, XSS takes advantage of the fact that browsers can’t tell valid markup from attacker-controlled markup — they just execute whatever markup text they receive. The attack circumvents the Same Origin Policy, which is intended to prevent scripts originating in one website from interacting with scripts from a different website.
The Same Origin Policy requires that all content on a webpage come from the same source. When the Same Origin Policy is not enforced, an attacker can inject a script and modify the webpage to suit their purposes — for example, to extract data that lets the attacker impersonate an authenticated user, or to insert malicious code for the browser to execute.
XSS can be used in several ways to cause serious problems. The traditional use of XSS is to steal session cookies, allowing the attacker to impersonate the victim user. But it is not just about stealing cookies: attackers can use XSS to spread malware, deface websites, create havoc on social networks, phish for credentials and, in conjunction with social engineering techniques, carry out more damaging attacks.
Types of Cross-site Scripting Attack
There is no standard classification, but most experts divide XSS into three flavors: non-persistent XSS, persistent XSS, and DOM-based XSS.
- Non-persistent cross-site scripting attack
Non-persistent XSS is also known as reflected cross-site scripting. It is the most common type of XSS. In this type, data injected by the attacker is reflected back in the server's response. If you take a look at the examples we have shown above, the first XSS example was a non-persistent attack. A typical non-persistent XSS attack involves a link that carries the XSS vector.
- Persistent cross-site scripting attack
Persistent cross-site scripting is also known as stored cross-site scripting. It occurs when XSS vectors are stored in the website's database and executed when a page is opened by the user. Every time a user opens the affected page, the script executes. In the above examples, the second example of messaging a website was a persistent XSS attack. Persistent XSS is more harmful than non-persistent XSS because the script executes automatically whenever any user opens the page to view the content. Google's Orkut was vulnerable to persistent XSS, which damaged the reputation of the website.
- DOM-based cross-site scripting attack
DOM-based XSS is also sometimes called "type-0 XSS." It occurs when the XSS vector executes as a result of a DOM modification performed by client-side script in the user's browser. The HTTP response from the server does not change; the malicious script executes because client-side code writes attacker-controlled data into the DOM. This is the most advanced and least-known type of XSS. Most of the time, this vulnerability exists because developers do not understand how it works.
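The common root cause of all three flavors is untrusted data being inserted into a page without encoding, so the defence is the same: encode at the point of output. The following is an added example, not code from the original article, showing a reflected search page rendered first without and then with HTML encoding; the function names and the sample search term are assumptions constructed for the example.

```javascript
// Added example (not from the original article): output encoding as the
// defence against reflected and stored XSS. All names here are assumptions.

// Escape the five characters that carry meaning in an HTML text or
// double-quoted attribute context. Stored data gets the same treatment at
// render time; where it came from does not matter.
function escapeHtml(untrusted) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(untrusted).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable: the search term taken from the query string is reflected
// verbatim into the response, so any markup in it becomes part of the page.
function renderSearchVulnerable(term) {
  return `<p>Results for: ${term}</p>`;
}

// Fixed: same template, but the untrusted value is encoded before insertion.
// (The DOM-based equivalent in the browser is writing the value with
// element.textContent instead of element.innerHTML.)
function renderSearchSafe(term) {
  return `<p>Results for: ${escapeHtml(term)}</p>`;
}

// Constructed sample input: a search term that carries a script tag, the
// kind of value a reflected XSS link would deliver.
const SAMPLE_TERM = '<script>alert(1)</script>';

// Detection helper for a unit test: after removing the tags the template
// itself emits, does any other tag remain in the rendered HTML?
function containsInjectedTag(html, templateTags = ['<p>', '</p>']) {
  const stripped = templateTags.reduce((h, t) => h.split(t).join(''), html);
  return /<\/?[a-zA-Z]/.test(stripped);
}

module.exports = { escapeHtml, renderSearchVulnerable, renderSearchSafe, containsInjectedTag, SAMPLE_TERM };
```

The `containsInjectedTag` check is the kind of assertion worth adding to a template's unit tests so that a regression to unencoded output fails the build rather than reaching production.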