Monday, June 24, 2013

Three Entry Points for Cross-Site Scripting



Cross-site scripting (XSS) can be more of an annoyance than a serious threat in some instances. There are, however, circumstances where XSS is used for malicious purposes, and attackers can then easily exploit your information and wreak havoc. This is especially dangerous for your sensitive data if your website contains vulnerabilities that invite such exploits.

According to a report by Symantec, 84 percent of the security vulnerabilities it documented in 2007 were attributed to XSS on websites, and it concluded that at least 68 percent of existing websites that year were vulnerable to XSS attacks.

It is good practice for developers and testers to be fully aware that every one of your data entry points could be targeted for an XSS attack. Web applications are at high risk of malicious actions committed through the:

  • Hijacking of user accounts
  • Access to sensitive data and ability to modify that data
  • Bypassing of controls for access
  • Presentation of fraudulent content

The Most Common Entry Point

Session cookies are the most common way that XSS is used to exploit user information. A session cookie stores the user’s identity while they are logged into a website. If the user opens another site while still logged into the first, and an XSS vulnerability is present, the second site could hijack the session cookie from the first. The hijacker would then be able to use the session cookie in their own browser and impersonate the user on the initial website. Depending upon the nature of the website the session cookie was hijacked from, the results could be very damaging.

Examples include:

  • If the user is logged into a banking website, the hacker could use the session cookie to impersonate the user and conduct transactions that remove cash from the user’s bank account.
  • Banking information stored on shopping sites can be accessed, allowing the hacker to make purchases with that information.

Additional XSS Entry Points for Web Applications

Forms. Web forms such as login forms, if improperly coded, can be vulnerable to XSS. If the hacker takes advantage of this vulnerability and injects a script into the login form, the script will send them the user’s password, giving them access to the user’s account, where changes or purchases could be made.

Examples include:

  • If a login form on a shopping website is compromised, a hacker could impersonate the user and make purchases using whatever pre-stored means of payment are held in the account.
  • With so many users neglecting password security best practices, the hacker could potentially access many different websites simply by assuming that the credentials for each are the same.

URLs. If a hacker sends an email to a user containing what appears to be a legitimate URL, that URL could in fact carry a malicious script embedded within it. Once the user has been lured to the legitimate site and logs in, the script sends the session cookie to the hacker.

Examples include:

  • The same attack can be carried out through postings on social networking websites. The hacker could post a message with XSS code hidden within it. An unsuspecting user clicks on the URL and their information is sent to the hacker, who can then steal their credentials and make changes to their account.
  • The hacker could impersonate the user and post malicious messages on social networking websites, possibly resulting in the user being banned from the website.

Best Ways to Avoid XSS Attacks

Identifying XSS vulnerabilities on your websites is the first step toward preventing and mitigating the problems that could result. Developers can reduce their risk of XSS attacks by adopting the following practices:

  • Encoding output: HTML-encode data before rendering it so that malicious characters are neutralized.
  • Avoiding inserting user-controlled data into script code, and reducing the amount of HTML that is allowed.
  • Using server-side validation to detect requests containing malicious exploits.
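The first two practices in working form, as an added example that is not part of the original post: a plain string-concatenation template beside its HTML-encoded counterpart, and a separate encoder for the case where a value has to land inside script code, where HTML encoding is the wrong tool. The function names and the sample inputs are constructed for this illustration.

```javascript
// Added example: output encoding against XSS (not from the original post).

// Encode the five characters that can change meaning in HTML text and
// in double- or single-quoted attribute values.
function htmlEncode(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable: untrusted input is concatenated straight into markup, so any
// tag in the input becomes part of the page.
function renderGreetingVulnerable(name) {
  return '<p>Hello, ' + name + '</p>';
}

// Hardened: the same template, but every untrusted value is encoded first.
function renderGreetingSafe(name) {
  return '<p>Hello, ' + htmlEncode(name) + '</p>';
}

// Data placed inside a <script> block needs a different encoding. The HTML
// parser finds "</script>" before the JavaScript engine sees the string, so
// JSON-encode the value and additionally escape "<" as a \u escape.
function toScriptLiteral(value) {
  return JSON.stringify(value).replace(/</g, '\\u003c');
}

// Constructed inputs of the shape a tester would use to probe a form field.
const SAMPLE_HTML_INPUT = '<img src=x onerror=alert(1)>';
const SAMPLE_SCRIPT_INPUT = '</script><script>alert(1)</script>';

// Returns the three renderings side by side so the difference is visible.
function demo() {
  return {
    vulnerable: renderGreetingVulnerable(SAMPLE_HTML_INPUT),
    safe: renderGreetingSafe(SAMPLE_HTML_INPUT),
    script: 'var displayName = ' + toScriptLiteral(SAMPLE_SCRIPT_INPUT) + ';',
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The `vulnerable` rendering contains a live `<img>` tag, while `safe` contains only `&lt;img ...&gt;` text and `script` contains no literal `</script>` sequence.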

XSS is more common than many users realize, with vulnerabilities discovered even on major brands’ websites. Developers who follow sound XSS practices and test thoroughly for vulnerabilities spare end users the potentially devastating effects of an XSS attack.


Fergal Glynn is the Director of Product Marketing at Veracode, an award-winning application security company specializing in secure software supply chain and other security risks, with risk assessment tools such as its secure software supply chain toolkit.
