Cross-site Scripting Definition

What is Cross-Site Scripting?

A cross-site scripting (XSS) attack injects malicious code into an otherwise trusted website. This can enable an attacker to collect sensitive information entered into the site, such as user credentials or payment card information.

HTML, CSS, and Scripting

A website is composed of multiple different layers of code. Hypertext Markup Language (HTML) defines the overall structure and static content, Cascading Style Sheets (CSS) handles the cosmetics, and scripting languages like JavaScript and PHP can be used to add interactive functionality.

HTML is the base layer for a website, and the standard allows the other types of content to either be embedded within an HTML page or linked to it from their own, standalone files. For example, JavaScript can be used in a webpage via a standalone file or by indicating that a certain block of content is a script using a <script> tag.

An HTML page can intermingle HTML, CSS, and script content, separating them only by their tags. When the page is rendered by a browser, it interprets these tags and uses the content accordingly.

How Does an XSS Attack Work?

In an XSS attack, the attacker takes advantage of the structure of HTML pages to embed malicious code in a webpage. To do so, they need a situation where user-provided content might be embedded in a webpage. Some examples include:

• Comments, reviews, and forums
• Embedding a user’s name (or other information) in a webpage
• Search results

Since HTML can intermingle different types of content, an attacker can use this opportunity to embed malicious code in a webpage. This is accomplished by providing a carefully crafted input that includes malicious code in a structure that correctly mimics how it would be tagged in a legitimate webpage.

Types of XSS

XSS attacks can be performed in a few different ways. The three types of XSS attacks include:

• Reflected XSS: Reflected XSS — also known as non-persistent or Type I XSS — embeds script code in a URL or input field. Often, these are used in phishing attacks where a malicious link contains the malicious script code, allowing it to be opened in the user’s browser.
• Stored XSS: Stored XSS — also known as persistent or Type II XSS — embeds malicious scripts in comments or other persistent fields within a webpage. These attacks impact anyone visiting the page with the embedded malicious code.
• DOM-based XSS: DOM-based XSS is also known as Type 0 XSS. It exploits the Document Object Model (DOM) in a user’s browser, manipulating how client-side code is run rather than the actual webpage.

Preventing XSS

XSS vulnerabilities exist when a website embeds user-provided input in a webpage without properly verifying it. This can be dangerous as the malicious script has the same access to data as the actual webpage. A malicious script could collect sensitive user-provided information (credentials, payment card data, etc.) and exfiltrate it to an attacker or take other malicious actions against the organization.

Some ways to protect against XSS attacks include:

• Input Sanitization: An XSS exploit includes HTML tags and malicious code, which means it probably doesn’t match the expected format of user-provided data. An application can block XSS by, for example, only allowing alphanumeric characters in a field that doesn’t require symbols.
• Input Encoding: HTML allows data to be embedded in a webpage in an encoded format that will be decoded before the webpage is presented to the user. Since this decoding occurs after the sections of the webpage are interpreted as data or code, this prevents an attacker from providing malicious data that the browser would interpret and run as JavaScript or PHP code.

Conclusion

XSS is a web application security risk that arises from poor input sanitization practices. Before processing user-provided input or embedding it in a webpage, verify that it meets expectations (i.e. is actually a name, etc.) and encode it to protect against XSS attacks.