Web sites and web applications are more than a repository of content. They also store user data and constantly send information to visitors' browsers.
If a site has vulnerabilities, attackers can obtain visitors' sensitive data. The XSS attack is one kind of attack on web systems. In this topic, we're going to take a closer look at this term and learn how to defend ourselves against XSS attacks.
What is an XSS attack
The XSS (Cross-Site Scripting) attack is a type of attack on web systems in which malicious code is injected into a web page. When a user opens such a page, the malicious code runs in their browser and establishes a connection to the attacker's web server.
Cross-site scripting is mostly used to steal users' cookies. With them, a third party can take over the user's session, make HTTP requests on the user's behalf, obtain the user's credentials, and interfere with the user's interaction with the site. They can even set up persistent redirects to malicious sites.
Cookies are small files sent by a web server and stored on the user's computer. They hold the user's individual settings and preferences. Advertisers also use cookies to collect statistics.
Types of XSS attacks
Cross-site scripting is one of the OWASP Top 10 key vulnerabilities of web systems. There is no strict classification of XSS attacks, but they usually fall into two categories:
Reflected XSS, where the malicious script comes from the current HTTP request. The attack occurs when a user clicks a specially prepared link, which sends a request to the vulnerable site. Reflected XSS is common on forums and blogs, where commenting is not strictly limited and there are usually many fields for data entry.
Stored XSS, where an attacker manages to inject malicious code into the server, and that code is executed in the browser every time the original page is accessed. Sites where users are allowed to insert content containing HTML may be vulnerable.
A third kind, DOM-based XSS, is sometimes distinguished. It occurs when a web application contains client-side JavaScript code that processes data from an untrusted source in an insecure manner, typically by writing the data back to the DOM. The HTTP response is not changed, but the client-side code behaves differently for the user. The vulnerability lies in the client-side code, not on the server.
How to find an XSS vulnerability
To check a site for XSS vulnerabilities, first look for places where users can influence the content of the site.
For example, if you notice an area of a site where text entered by users is displayed, there could be a vulnerability. You can check this by entering, instead of text, the simplest JavaScript code that displays a popup saying "This web page is vulnerable":
<script>alert("This web page is vulnerable")</script>
If the site turns out to be vulnerable, you'll see a popup like this:
On the other hand, if you cannot trigger this popup, the developers have taken care of the site's security.
How to prevent XSS attacks
Many sites have been affected by XSS attacks, among them well-known resources such as YouTube and Twitter. To prevent this from happening to your site, you can check it for vulnerabilities. Doing this manually is not always effective, and it is time-consuming and difficult. Fortunately, there are special services for this purpose, such as xss-scanner.com.
There are also a few recommendations for website and app developers to prevent XSS attacks:
If your site accepts user input, it is important to encode the data when it is written into the page.
Where encoding is not appropriate, use validation instead.
Secure processing of data should be done not only in your server-side code, but also on the client side.
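The following is an added example (not code from the original article) that ties the reflected and stored injection described earlier to the encoding and validation advice in the two points above. The function names, the search-results template and the numeric item-id rule are my own assumptions; the sample input is the article's own popup payload.

```javascript
// Added example, not from the original article. Shows why raw concatenation
// of user input into HTML is the injection point for reflected and stored
// XSS, and the two fixes the text recommends: output encoding, and
// validation where encoding is not the right tool.

// Encode the five characters that carry meaning in HTML text and attribute
// contexts. Applying this at the moment a value is placed into HTML is the
// "encode the data" recommendation.
function escapeHtml(str) {
  return String(str)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// VULNERABLE: untrusted input is concatenated straight into the page.
// For reflected XSS `query` comes from the request's query string; for
// stored XSS it would be a comment read back from the database. Either way
// the browser parses and runs any markup it contains.
function renderSearchUnsafe(query) {
  return `<p>Results for: ${query}</p>`;
}

// HARDENED: the same template, but the untrusted value is encoded at the
// point where it enters the HTML, so a <script> tag becomes visible text.
function renderSearchSafe(query) {
  return `<p>Results for: ${escapeHtml(query)}</p>`;
}

// Validation instead of encoding, for a field where encoding makes no
// sense: an item id (assumed rule) must be a short positive integer, so
// anything else is rejected rather than encoded and passed on.
function validateItemId(raw) {
  if (!/^[0-9]{1,9}$/.test(String(raw))) {
    throw new Error("invalid item id");
  }
  return Number(raw);
}

// Constructed sample input: the probe payload from the article.
const probe = '<script>alert("This web page is vulnerable")</script>';

console.log(renderSearchUnsafe(probe)); // the <script> tag reaches the browser intact
console.log(renderSearchSafe(probe));   // rendered as harmless text instead
```

The unsafe renderer is the pattern to look for when auditing templates: any place where a value from a request or a database is placed into markup without passing through an encoder for that context.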
Use the HttpOnly cookie flag in the Set-Cookie HTTP header. It prohibits reading and writing cookies via JavaScript.
Preferably disallow links to web pages unless they begin with a whitelisted protocol, such as http:// or https://.
Use a Content Security Policy.
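As an added example (not from the original article or any particular project), here are small helpers that produce the three protections just listed: an HttpOnly session cookie, a protocol whitelist for user-submitted links, and a Content Security Policy header value. The function names, the example.com base origin, the cookie format rules and the sample links are my own assumptions; the CSP shown is illustrative and would need tuning for a real site.

```javascript
// Added example, not from the original article. Builds the header values
// and link check that the three recommendations above describe.

// 1. Session cookie carrying HttpOnly so document.cookie cannot read it
//    even if a script does run. Secure and SameSite are added as well
//    because they further limit where the cookie travels. The allowed
//    character sets are an assumption for this example.
function buildSessionCookie(name, value) {
  if (!/^[A-Za-z0-9_-]+$/.test(name) || !/^[A-Za-z0-9_.-]+$/.test(value)) {
    throw new Error("cookie name or value contains characters not allowed here");
  }
  return `${name}=${value}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

// 2. Accept a link only if its scheme is on the whitelist. Anything that
//    does not parse is refused. Relative links are resolved against the
//    site's own origin (assumed to be https://example.com/), so they pass.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);
function isAllowedHref(href, base = "https://example.com/") {
  let parsed;
  try {
    parsed = new URL(href, base);
  } catch (e) {
    return false;
  }
  return ALLOWED_SCHEMES.has(parsed.protocol);
}

// Filter a list of user-submitted links down to those that may be rendered.
function filterLinks(links) {
  return links.filter((href) => isAllowedHref(href));
}

// 3. A Content-Security-Policy value that allows scripts only from the
//    site's own origin. Inline scripts are blocked unless 'unsafe-inline'
//    is present, so an injected <script> does not run even where encoding
//    was missed.
function buildCsp() {
  return [
    "default-src 'self'",
    "script-src 'self'",
    "object-src 'none'",
    "base-uri 'self'",
  ].join("; ");
}

// Constructed sample links, as users might submit them in comments.
const sampleLinks = [
  "https://example.org/page",
  "/local/path",
  "javascript:alert(1)",
  "data:text/html,hello",
  "ftp://example.org/file",
];

console.log("Set-Cookie: " + buildSessionCookie("sid", "abc123"));
console.log("Content-Security-Policy: " + buildCsp());
console.log("Allowed links:", filterLinks(sampleLinks));
```

The link check deliberately parses with the URL class rather than matching the string prefix, so case variants and leading whitespace are handled by the parser instead of by a hand-written pattern.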
These points are described in detail in the OWASP Cheat Sheet Series. If you are interested in this topic, we encourage you to read more about them.
By default, a browser does not filter code: it accepts and executes any script it receives. To guard against XSS attacks on the client side, update your browser regularly to the latest version or use special browser extensions. For example, NoScript is an extension for Chrome.
Conclusion
In this topic, you have learned about the types of XSS attacks and how to protect yourself against them. You've also looked at an example of how to find an XSS vulnerability on a website. All information about XSS was written for educational purposes. Do not use it for malicious purposes; remain ethical.
XSS attacks can damage user privacy, and third parties can gain access to user data. Therefore, it is important for developers to secure their sites and web applications.