What is cross site scripting

Giselle Pacheco
4 min read · Aug 7, 2019

I am no security expert, and just a couple of days ago I didn't really know what cross site scripting (XSS) was. So this article is just my current understanding of what it is, how it happens and some ways to prevent it.

Why my interest in XSS?

I would be lying if I said I was fascinated by security concepts and came across it on my own. The real story: a friend convinced me to do some security training. This is how I learned some of the ways hackers attack and how to protect against those attacks. Again, I am new to this, so bear with me. I may be oversimplifying a lot of this stuff. If anyone has anything to add, or I explained something that is untrue, leave a comment.

What is XSS?

What Wikipedia says

Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user.

What I say

Some evil person was able to put some JavaScript on your website without your knowledge and get some valuable info from your users.

How Does XSS work?

Now you know what it is, but how does it happen? What does it look like?

How does it happen?

Say we have a user, let's name him Bob, a hacker, Jane, and some vulnerable website. Let us pretend Google is vulnerable.

Jane finds out that the Google search bar is vulnerable, so she writes some JavaScript into the search bar to test out the vulnerability. Say something like the following:

<script>alert("hello")</script>

Then she presses enter or clicks Go. She successfully gets the alert to show up. Now she can replace hello with code that grabs cookies, session tokens, etc. After injecting this malicious script into the vulnerable website, she sends the Google link with the malicious code to Bob and a couple of other people, because she somehow knows that Bob will click on this link, and then Jane is able to grab Bob's cookies.

Forms of XSS

From what I gather there are different forms of XSS, such as stored and reflected.

Stored

This form of XSS is the kind of attack where the malicious script becomes a permanent feature of the site. This kind of XSS attack is most commonly found in comment or review sections of sites.

In this scenario Bob visits a website; let's use Amazon as an example. Jane discovered that she can review a product and, in that review, include an img tag with an onerror attribute that calls alert. Bob happens to want this product and visits the same page where Jane left the review with the malicious code.

In other words, the malicious string originates from the server.

Prevention: Sanitize! Escape special characters, preferably on the server side.

Reflected

The best example of reflected XSS I can think of is when a website returns the request. Here are the steps for this to happen:

  1. Jane forms a URL and sends it to Bob: someurl.com/quer?<script>…</script>
  2. Bob requests/clicks on the link.
  3. The script part of the URL is included on the website.
  4. Bob's browser executes the malicious script.

Best thing to do in my opinion: don't display user inputs in responses, especially when it is not a 200.

DOM

DOM XSS was the toughest for me to understand, mainly because I didn't see the difference between this and the other two. And really that is because DOM XSS uses both reflected and stored. Say you have a website that uses .innerHTML to display the query string inside a div or something:

  1. Jane forms a URL and sends it to Bob: someurl.com/quer?<script>…</script>
  2. Bob requests/clicks on the link.
  3. The script part of the URL is then injected into the website.
  4. Bob's browser executes the malicious script.

As you can see, the steps are identical to those of reflected XSS; the only difference is that in this instance we are exploiting the DOM rather than the server.

Prevention: use .innerText or .innerContext for user inputs.
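To make the "escape special characters on the server side" advice from the Stored section (and the same fix for the Reflected case) concrete, here is an added example that is not code from the original post: a small HTML escaper, a vulnerable review renderer next to its escaped version, and a demo-only helper (`untrustedPartStartsTag`, my own name) that reports whether the untrusted part of the output would be parsed as markup. The payloads are constructed for the demo.

```javascript
// Added example, not from the original post. Payloads are constructed and
// untrustedPartStartsTag is a demo-only helper, not a real detector.

// Each significant character becomes an entity, so the browser treats the
// input as text, never as a tag or an attribute delimiter.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Stored XSS shape: a product review rendered into the page for every visitor.
function renderReviewUnsafe(reviewText) {   // interpolates the raw string
  return `<div class="review">${reviewText}</div>`;
}
function renderReviewSafe(reviewText) {     // escapes before interpolating
  return `<div class="review">${escapeHtml(reviewText)}</div>`;
}

// Reflected XSS shape: the search query echoed back in the response, escaped.
// (In the browser, the equivalent is assigning to textContent, not innerHTML.)
function renderSearchSafe(query) {
  return `<p>Results for: ${escapeHtml(query)}</p>`;
}

// Demo-only check: in element-body context the HTML parser starts a tag at
// "<" followed by a letter or "/", so a raw "<" surviving in the untrusted
// part of the output means the input would be parsed as markup, not text.
function untrustedPartStartsTag(html, prefix, suffix) {
  const body = html.slice(prefix.length, html.length - suffix.length);
  return /<[a-z\/]/i.test(body);
}

// Constructed payloads: the alert test from the post, a stored-style
// img/onerror review, and benign text containing an ampersand.
const PAYLOADS = [
  '<script>alert("hello")</script>',
  '<img src=x onerror="alert(1)">',
  'Great product, 5/5 & would buy again',
];

// For each payload, report whether the unsafe and the safe review renderers
// let the input become markup.
function compareRenderers() {
  const wrap = (html) => untrustedPartStartsTag(html, '<div class="review">', '</div>');
  return PAYLOADS.map((p) => ({
    unsafeIsMarkup: wrap(renderReviewUnsafe(p)),
    safeIsMarkup: wrap(renderReviewSafe(p)),
  }));
}
```

The benign third payload shows why escaping `&` matters too: without it, text like `&lt;` typed by a user would be silently turned into `<` by the browser.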

Thanks For Reading

Along the way I mentioned a few ways I learned to prevent XSS; I am sure there are more ways of prevention. Either way, I hope this was helpful. Give it a clap or two if you learned something, or if this was a good refresher for you.

Fun Resources
