In our last blog post we discussed common types of vulnerabilities and how hackers use these weaknesses to attack websites and Internet users. We are continuing the topic of web security, but this month we are homing in specifically on Cross-Site Scripting (XSS) attacks.

Cross-Site Scripting (XSS)

Cross-site scripting, otherwise known as XSS, is a web application vulnerability that enables attacks on the user's side, in the browser, rather than on the server. The problem begins with the same-origin policy, a security concept integral to how modern web browsers interact with websites. The policy grants relatively open access between scripts and content that share a single origin, which makes scripting easy. Malicious users take advantage of this trust by getting their own content into a trusted source and "folding" corrupted content into the data that is sent to the targeted user. By doing so, the attacker gains access to a variety of data, including session cookies and sensitive page content, creating a serious breach in the targeted system's security. There are three types of cross-site scripting: Reflected XSS, Stored XSS and DOM-based XSS.

Reflected XSS

Reflected XSS, or non-persistent cross-site scripting, is the most common type and is often delivered through a neutral site or e-mail. In short, attackers exploit a weakness created when a webpage echoes user input back into the page without validating special characters, such as an apostrophe or a slash. Using JavaScript, the attacker sets up a link that sends the user to an innocent-looking URL that contains an XSS vector. When the user clicks on the link, the trap is sprung and the attacker gains access to the user's cookies and sensitive data.

Stored XSS

Stored XSS, or persistent cross-site scripting, is perhaps one of the most destructive types and is commonly found on message boards that permit HTML-formatted posts. Simply put, the attacker embeds a script in a message; the message is stored on the server, and the attack is launched every time another user visits the corrupted page. The embedded script then accesses the unsuspecting user's sensitive data held in the site's database, such as the user's real name, phone number or address, and relays the information to the attacker. This form of attack continues until the hacker is caught, hence the term "persistent."

DOM-based XSS

DOM-based XSS, named after the Document Object Model, most commonly occurs while the browser itself is processing page content. Although this attack is also launched by a user clicking a link, DOM-based XSS differs from reflected XSS. The attacker sends the user a valid URL to a perfectly legitimate website. The problem is that the URL carries code that runs from within the user's browser, sending the attacker the user's session cookies when the user visits the website and enters data. This form of attack provides the hacker with sensitive data, such as credit card and Social Security numbers, allowing the attacker to steal the user's identity.
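The reflected and stored cases above share one root cause, untrusted input written into HTML without encoding, and one fix. The following is an added example, not code from the original post; the render functions, the probe strings and the post data are constructed for illustration, and the tag tokenizer is a rough check for demonstration rather than a real HTML parser.

```javascript
// Added example: reflected and stored XSS arise when untrusted input is written
// into HTML without encoding; the fix for both is the same context-aware escaping.
// Not code from the original post; names and sample inputs are constructed.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode a value for insertion into HTML text or a quoted attribute.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Reflected XSS, vulnerable form: the search term from the URL is echoed verbatim.
function renderSearchVulnerable(term) {
  return `<p>Results for: ${term}</p>`;
}

// Hardened form: the term is encoded, so a "<" in it can never open a tag.
function renderSearchSafe(term) {
  return `<p>Results for: ${escapeHtml(term)}</p>`;
}

// Stored XSS: posts read back from the database get the same treatment,
// because data that was accepted at write time is still attacker-controlled.
function renderPostsSafe(posts) {
  const items = posts.map((p) => `<li>${escapeHtml(p.author)}: ${escapeHtml(p.body)}</li>`);
  return `<ul>${items.join('')}</ul>`;
}

// Unique element names a browser would create from this markup. Used to show
// which user-supplied tags survived rendering (rough tokenizer, not a parser).
function tagNames(html) {
  const names = Array.from(html.matchAll(/<\/?([a-z][a-z0-9]*)/gi), (m) => m[1].toLowerCase());
  return [...new Set(names)].sort();
}

// Constructed probe inputs of the kind a scanner or test suite would submit.
const SCRIPT_PROBE = '<script>alert("xss")</script>';
const HANDLER_PROBE = '<img src=x onerror="alert(1)">';

// Vulnerable output grows a <script> element; encoded output keeps only the template's <p>.
function demo() {
  return {
    vulnerable: tagNames(renderSearchVulnerable(SCRIPT_PROBE)), // ['p', 'script']
    safe: tagNames(renderSearchSafe(SCRIPT_PROBE)),             // ['p']
    storedSafe: tagNames(renderPostsSafe([{ author: 'mallory', body: HANDLER_PROBE }])), // ['li', 'ul']
  };
}

console.log(JSON.stringify(demo()));
```

The DOM-based variant is fixed the same way on the client: write untrusted data with `textContent` rather than `innerHTML`, so the browser never parses it as markup.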

In our next post we will address ways to protect yourself from web attacks and cover best practices.

Contributing Author: Dejan Lukan