Code on a screen

What is cross-site scripting?

With cross-site scripting (XSS), cybercriminals seek to exploit security vulnerabilities to inject malicious code into web applications. XSS is classified as an injection attack and is primarily used to steal access data and other sensitive information. Myra Web Application Security is used to defend against such attacks.


A defintion of Cross-site scripting

Cross-site scripting is one of the most popular vectors of attack on the internet. The reputable Open Web Application Security Project (OWASP) even lists XSS among the top 10 threats of the most critical security risks for web applications. Attackers use cross-site scripting to inject malicious script code into web pages that are normally harmless and trustworthy. When a user visits such a page and logs in using his login data, the attackers can access parts of the session or even completely take over the login process. The severity of the attack varies depending on how privileged the browser treats the affected web application. In the worst case, attackers gain extensive access rights to the user’s system and may even be able to access local data. A complete takeover of the affected system is also possible via XSS. Other XSS-based types of attacks include phishing and “website defacement.” With the latter, attackers put content on a web page for purposes of defamation without the site operator being aware of it.


Types of cross-site scripting

In practice, there are three types of XSS: non-persistent (or reflected) cross-site scripting, persistent (or stored) cross-site scripting, and local (or DOM-based) cross-site scripting. Common to all of them is that attackers use malicious script code in widespread languages such as JavaScript for their attacks.

Flow of Reflected Cross Site Scripting

Non-persistent (or reflected) cross-site scripting

In non-persistent or reflected XSS, the malicious script is processed on the server side. If, for example, a user accesses a prepared address via his or her web browser, malicious script code is sent along to the web server. Servers that are inadequately secured do not properly examine this code and generate a manipulated web page for the visitor that contains the attackers’ malicious code. Cybercriminals often use this vector of attack for phishing to sniff out login data. This type of attack is undetectable by the affected user because he or she is on a supposedly trustworthy web page. The manipulated web page is only available via the prepared link. When a user accesses the website via a proper link, no malicious code is present in the web application – which is why this is referred to as non-persistent XSS.

Flow of Persistent Cross Site Scripting

Persistent cross-site scripting

In persistent XSS, however, the malicious code sent to the server by way of a vulnerability is permanently stored in the underlying database. This method means that the user does not even need to be provided with a prepared link for a successful attack – the attack permanently targets every visitor to the affected website. In principle, persistent XSS attacks are possible in all web applications that store user input on the server and output it again, unless the input is carefully checked. Using this type of attack, hackers can, for example, retrieve massive amounts of login information from inadequately secured forums.

Flow of Local Cross Site Scripting (DOM-based)

Local (or DOM-based) cross-site scripting

In local XSS, the vulnerability does not lie with the web application and the underlying server, but with the user. Thus, if they support JavaScript, even static web pages are affected by this vector of attack. Cybercriminals insert malicious script code directly into the user’s browser, usually via prepared links sent to the user in a spam email. Server-side security measures are unable to do anything about this.

Person working on a laptop with code on the screen


The impact of XSS on companies

Cybercriminals usually use XSS attacks as a basis for more advanced attacks, such as email spam, phishing, or even DDoS attacks. Attackers typically target the visitors or customers of the respective website. In a successful attack, it is their data that is corrupted, manipulated, or stolen. Of course, this casts a bad light on the website operator and results in long-lasting damage to their image, accompanied by incalculable losses in sales.

Another factor detrimental to business is XSS-based website defacement, where the respective company is publicly made to look bad by the attackers. Companies of all industries and sizes are affected. Any company running its own website and web applications is a potential target for cross-site scripting.


Protective measures against XSS attacks

Due to the varying forms of XSS attacks, this vector of attack affects companies and website operators, as well as their customers and users. Consequently, the protective measures for defending against XSS attacks must be correspondingly wide-ranging.

Client-side protection against XSS

Users can protect themselves against XSS attacks by restricting the processing of script code in their browsers. A variety of add-ons, such as NoScript, can be used for script management in browsers. However, for most users, this proactive management is likely to be too unwieldy – constant adjustments are required to ensure that web applications continue to work correctly. For this reason, extensions of this kind are rarely used in practice.

As a general rule, it is advisable to always carefully examine links in incoming emails for conspicuous snippets of code. For safety’s sake, when in doubt, the address of the particular page should be entered manually to access it. If possible, HTML should be avoided when viewing emails in the client – plain text is perfectly suited for digital communication. This is an effective way to fend off maliciously manipulated links in e-mails.


Server-side protection against XSS

Protective measures against XSS are more extensive on the company side. Strict code guidelines and input checks, for example, can help webmasters to minimize the attack surface for XSS attacks. Whitelisting also enables site operators to define harmless input and, conversely, prevent the transmission of malicious script code to the server. In practice, depending on the web application, this approach is very complex and, consequently, sometimes flawed. If inadequately configured, whitelisting also blocks legitimate user input, impairing the functionality of the web application.

A WAF (Web Application Firewall) can remedy the situation. The security solution filters incoming traffic based on predefined rules, differentiating between legitimate user requests and potential attacks. The technology’s protection factor is based primarily on the correct configuration of filter rules – this requires expertise and knowledge of the kind of traffic on the specific web application.


Cross-site scripting: What you need to know

XSS attacks have been part of the standard arsenal of cybercriminals for quite some time, and this will not be changing in the foreseeable future. For attackers, XSS constitutes a lucrative method for carrying out extensive phishing campaigns via spam. Sensitive access data and account information are enticing spoils. Furthermore, XSS makes it possible to take over active login sessions as well as access local systems. Also on the attackers’ agenda is the defamation of companies by defacement. For example, anyone who succeeds in sneaking obscene content onto the website of a reputable bank will cause long-term damage to its image.

XSS affects companies, customers, and users alike. That is why rigorous protection of web applications should be a top priority for webmasters. User input must be thoroughly checked to prevent malicious code from reaching web servers in the first place. A further layer of defense is rigorous whitelisting of the permitted input patterns, but this can be a very time-consuming process.

Myra Application Security with Hyperscale WAF, Deep Bot Management, and Secure DNS offers equally reliable and flexible protection against XSS attacks and many other types of attack.

To Myra Application Security