XSS - Cross Site Scripting

If I say that in the last decade alone there have been many attacks leading to data breaches, that would not surprise many, given that we are living in a digital world. Add to that the fact that securing each and every system, given the number of systems popping up, already seems to be a herculean task.

Cases where well-known entities like British Airways and eBay have been successfully targeted for data breaches, leading to financial losses as well, speak volumes about the impact such attacks can make.

As more and more data gets digitalized in today's world, it becomes more and more necessary to be aware of the attacks that can happen and how to safeguard oneself against them.

One such attack that we can talk about is XSS, or Cross Site Scripting. This is an attack which happens on the client side and exploits a vulnerability on the site using code injection, which can then be used to do more harm depending on the attacker's objective. To understand it properly, and to get more clarity on why it matters, let's first understand the SAME ORIGIN POLICY.

The Same Origin Policy is essentially in place to provide basic web security, ensuring that a website, say HACKER.COM, cannot read or write something on LEGITIMATE.COM. This may be confusing, as one can say that we can load images from different websites onto our page. Well yes, there are some exceptions that are allowed; however, even with images, reading the binary data of a cross-origin image is blocked.

We can say that instead of allowing everything to be read and written, only some things are allowed. More on this can be found here:

Same Origin Policy

Defacing websites, stealing confidential information, financial losses and reputation losses are some of the consequences of an XSS attack.

Diving into it a bit more, Cross Site Scripting attacks are ones which exploit a vulnerability on a web page using injected code, normally a script (JavaScript), that the vulnerable site then delivers to the browser. JavaScript is the most commonly used vehicle for these attacks; however, CSS, ActiveX, Flash and VBScript can also be used to execute them. The impact depends upon what the inserted malicious script can do and how much the security of the site allows it to do.

The inserted code can then be propagated to all the users, which in turn multiplies the impact the code can have. Access to cookies, sessions and confidential data is typically what gets targeted.

Cross Site Scripting attacks are one of the most common types of cyber attacks.

These attacks can be categorized as below:

  1. Stored / Persistent XSS
  2. Reflected / Non Persistent XSS
  3. DOM [Document Object Model] XSS

STORED / PERSISTENT XSS

This type of XSS attack is when the malicious code gets permanently stored in the system. It is a more devastating attack than the other types: the malicious code, when served through the application's web page, executes on every user's system, so it can be used to target a large spectrum of users.

For example,

One can insert malicious code through a social media post or comment, which will be stored in the system. Other users on the platform are then automatically targeted when viewing the content, resulting in a breach of those users' system security.

REFLECTED / NON PERSISTENT XSS

As the name says, this is a type of non-persistent XSS, which means the code is not stored in the database or application permanently. Here the attacker uses social engineering techniques like phishing to deliver the malicious code to the user, or creates circumstances baiting the user into the trap. Simply put

For example,

The attacker sends a mail to the user posing as a legitimate entity, providing some action buttons for the user to click on. Once the user clicks on the link, the user gets redirected to a page where the code is REFLECTED back to the user, which might result in the attacker stealing the user's session or hijacking the account, creating a chain of further adverse impact.

This is a more common type of attack, and in today's times we are all well aware of such traps being laid.

DOM [Document Object Model] XSS

This type is related to the DOM, or Document Object Model, of the web page presented in the user's browser. The DOM represents each element on the web page as a node in a tree-like structure, enabling easy programmatic access. Languages like JavaScript leverage the DOM for their execution and implementation.

Although there are some parallels with reflected XSS, there are still differences which keep them apart. The malicious code is not sent to the server, nor is it part of the web server's response. It is not embedded into the web page; it reaches the DOM only through client-side code.

Any weak way of handling user inputs in client-side code, such as writing them into the DOM as markup, can be used to manipulate the DOM and exploit the user.

How does one prevent or guard against these attacks? There are many ways, including proper handling of user inputs and secure coding practices. Below are a few which you can take care of when implementing or creating web pages.

Sanitization Of User Inputs

One can sanitize the user inputs, thereby removing any malicious code. This can be done on the server side when storing user inputs, or also on the client side.

Encoding

Whenever any value or input is being output on the web page, output encoding should be applied so as to make sure the code does not get executed.

Validation

Proper validation of input can be used to ensure no invalid data is stored. For example, with proper validation on an email input field we can avoid invalid emails like asa.com or hello#ahs.com being saved in the system. Further validation, such as allowing only proper domains, can also be put in place.

Secure coding

Secure coding practices, like using the proper way of handling user inputs, go a long way in preventing these attacks. For example, instead of using $element.attr('key','value') we should use $element.prop('key','value') to set the inputs.

Content Security Policies

Content Security Policies, or CSP, are a way of making sure to at least reduce or prevent web page attacks like XSS and many more. We can ensure that scripts, CSS and other files are loaded from the site's own origin and not from external places.

More on this here: Content Security Policies

One can also refer to the OWASP XSS Cheat Sheet for more information on this.

Until next time, remember the code talks!
