25 November, 2019
What is Cross-site Scripting (XSS), and how can

What is Cross-site Scripting (XSS)?
XSS, or Cross-site Scripting, is a type of attack on a web application that lets an attacker compromise the visitors of the vulnerable application rather than the server itself. By exploiting an XSS vulnerability, an attacker can inject malicious scripts into a page of the affected web application, and those scripts execute in the browser of every user who loads that page. On the BreachLock cloud platform, it is one of the most commonly identified vulnerabilities in web applications, and XSS is also listed among the OWASP Top 10 web application vulnerabilities.
If an XSS attack is successful, an attacker can
- Gain unauthorized access to cookies, session IDs, and passwords of a victim
- Read and access all the information displayed to a victim
- Compromise or modify the content being shared with a victim
Example of XSS Attack
Consider that your web application is based on PHP, and there is a search box. The piece of code given below is used when there is no search result, and the web application says, “Could not find any pages when searching for user_query.”
Essentially, this will output the user’s search query straight into the HTML document, and if the search query contains HTML, the user’s browser will render it.
To start with, let us consider that the attacker sends a link like the one given below to the victim via social media sites, free download websites, or phishing campaigns.
When a user clicks on this link, the search box will search for
If the web application does not have input validation, the user’s browser will render
And accordingly, HTML injected by the attacker will be executed. It contains a script tag that evaluates JavaScript. This JavaScript, in turn, sends the user’s cookie to a third-party website of the attacker.
How can it be mitigated?
Mitigating XSS vulnerabilities depends heavily on the context in which user data is output, and no single fix deals with every case. However, several steps can be taken, per output context, to reduce the chances of such an attack.
HTML Body
Here, Bad_script is the search query of a user.
Convert the user input to HTML entities, for example, & to &amp;.
HTML Attributes
To prevent user input from breaking out of an attribute value and creating other attributes, convert the untrusted input to HTML entities as discussed above. While the web application is being developed, do not allow any user data into sensitive attributes such as id, class, name, etc.
Untrusted URL
Trusted URLs can be whitelisted, and when a URL arrives as user input it can be checked with the URL library against that list. Also, block the javascript: protocol handler so that a URL can never be used to run script.
GET Parameter
URL-encode user data so that an ampersand inside it cannot introduce additional parameters, which would otherwise lead to parameter pollution issues.
CSS Value
Encode the user input using CSS hex escapes.
JavaScript variable
Prevent line breaks, put quotes around the variable holding the user input, and hex-encode its contents.
DOM XSS
Use input sanitization through the built-in libraries in PHP, or in whichever language your web application is written.
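The context-specific encoders described above, collected into one module as an added example (Python rather than the post's PHP, and not BreachLock's code). The function names, the allow-list, and the sample inputs are constructed for illustration; the point is that each output context needs its own encoder, and the HTML-body encoder alone does not protect a URL, CSS or JavaScript context.

```python
"""Context-aware output encoding for untrusted input (added example, not the post's code).
Each function targets one output context from the mitigation list above."""
import html
import re
from urllib.parse import quote, urlsplit

# Constructed sample inputs used only to exercise the encoders.
SAMPLE_HTML = '<script>alert(1)</script>'
SAMPLE_URL = 'javascript:alert(1)'
ALLOWED_HOSTS = frozenset({'example.com'})  # hypothetical URL allow-list

def encode_html_body(s: str) -> str:
    """HTML body: & < > " ' become entities, so the browser renders text, not tags."""
    return html.escape(s, quote=True)

def encode_html_attr(s: str) -> str:
    """Quoted HTML attribute: same entity set; the caller must also quote the value."""
    return html.escape(s, quote=True)

def render_not_found(user_query: str) -> str:
    """Hardened form of the post's 'no search result' message."""
    return '<p>Could not find any pages when searching for %s.</p>' % encode_html_body(user_query)

def encode_url_param(s: str) -> str:
    """GET parameter: percent-encode everything, including & and =, so no parameter pollution."""
    return quote(s, safe='')

def safe_href(url: str, allowed_hosts: frozenset) -> str:
    """Untrusted URL: allow only http(s) to an allow-listed host; javascript:, data:
    and any other protocol handler are rejected and replaced by a harmless '#'."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ('http', 'https') or parts.hostname not in allowed_hosts:
        return '#'
    return encode_html_attr(url)

def encode_css_value(s: str) -> str:
    r"""CSS value: every non-alphanumeric character as a \HH hex escape (space terminates it)."""
    return ''.join(c if c.isalnum() else '\\%02X ' % ord(c) for c in s)

def encode_js_string(s: str) -> str:
    r"""JavaScript string literal: \xHH / \uHHHH-escape everything but [A-Za-z0-9] and wrap
    in quotes, so quotes and line breaks in the input cannot terminate the literal."""
    def esc(c: str) -> str:
        if re.match(r'[A-Za-z0-9]', c):
            return c
        return '\\x%02X' % ord(c) if ord(c) < 256 else '\\u%04X' % ord(c)
    return '"%s"' % ''.join(esc(c) for c in s)

if __name__ == '__main__':
    print(render_not_found(SAMPLE_HTML))
    print(safe_href(SAMPLE_URL, ALLOWED_HOSTS), encode_js_string('";alert(1)//'))
```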