What is Cross-Site Scripting vulnerability? How to find it? How to prevent a XSS attack?

In this article, I’ll explain a critical web security risk known as Cross-site scripting, indications, types and how to prevent an XSS attack.

What is cross-site scripting?

**Cross-Site Scripting **is a type of injection attack which allows an attacker to inject malicious client-side code (executed by victims) that leads to impersonating users to get privileged access to the web application, perform cross site request forgery attacks to other vulnerable website, redirect victims to an attackers site, download malicious files, etc. XSS can be chained to other vulnerabilities to get full access to the target system.

Proof of concept (PoC)

XSS just simply adds arbitrary html and javascript code in response if developers do not sanitize users input properly and encode html characters in the response. You can start by injecting some innocent HTML playloads like <u>,** <br>, <p>. And then use a javascript function inside HTML tags to confirm a XSS bug. **alert() **was used as a proof of concept of an XSS bug for decades but now it’s replaced by **print(), alert(document.domain) and alert(window.origin).

Type of cross-site scripting vulnerability

1. Reflected XSS - When the XSS payload in request gets reflected immediately in the response. It’s not permanently saved on the server. Example - Let’s say the request link is sent to the victim by phishing or embedded in any other website.
   

   // REQUEST URL
   https://website.com/profile.php?show=<script>print()</script> 
   // RESPONSE
   <script>print()</script>
   

2. Stored XSS - When the XSS payload is saved to the server and executed for every other user accessing the vulnerable web page. The code is saved permanently in the website's database and could be used to create a worm. Example - Victim uses the website and gets malicious code executed.
   

   <p><script>print()</script></p>
   

3. DOM-based XSS - When the bug is found in the source code of the vulnerable web page and the files attached to it. The Document Object Model is a convention used to represent and work with objects in an HTML document as well as in other document types.
   

   <script>
    var pos=document.URL.indexOf("context=")+8;
    document.write(document.URL.substring(pos,document.URL.length));
   </script>
   

How to prevent XSS attacks? 🛡️

Cross-site scripting has been among OWASP top 10 security risk list since 2010 so it is important for developers to write secure code and prevent XSS attacks. As XSS is an injection vulnerability the key to prevent these attacks is to never trust user input. Also a non-practical answer would be never let user provided data rendered into a webpage.

XSS prevention methods 📃

1. Use a Web Application Firewall
   1. Firewall immediately blocks certain malicious payloads and tags in HTTP requests.
   2. Firewall can be bypassed in some cases but it could get very frustrating for the attacker.
2. DevSecOps
   1. Snyk.io
      1. Find and automatically fix vulnerabilities in your code, open source dependencies, containers, and infrastructure as code.
      2. Use snyk’s extensions for your IDE.
      3. Scan for vulnerable docker containers.
3. Validate and sanitize user-provided data
   1. User data should be validated on the front end of sites for correctness (e.g. username, email, domain and phone number formatting), but it should also always be validated and sanitized on the backend for security.
   2. Depending on the application, you may be able to whitelist alphanumeric characters and blacklist all other characters. However, this solution is not foolproof.
4. HTML Encoding
   1. Any time that you are rendering user-provided data into the body of the document (e.g. with the innerHTML attribute in JavaScript), you should HTML encode the data.
   2. Some examples of HTML encoding are:
      1. & &
      2. < <
      3. > >
      4. " "
      5. ' '
5. Use a security encoding library
   1. For many languages and frameworks, there are security encoding libraries that can help prevent XSS.
   2. Use updated frameworks.
6. Use iframe tags
   1. You can use an iframe tag to prevent stealing cookies/sessions, privileged access.
   2. Google blogger platform uses iframe tags to render code on different subdomains and prevent XSS on the main webapp.

Wrapping Up

Key takeaways:

• XSS is a critical injection vulnerability by which an attacker manipulates server response and executes arbitrary javascript code in the user's web browser.
• There are 3 types of XSS: Reflected, DOM-based, and stored.
• XSS attacks can be used to download malicious files, do cross site requests, steal authentication information, hijack sessions, steal sensitive data, and deface websites.
• Prevent XSS by sanitizing user data on the backend, HTML-encode user-provided data that’s rendered into the template, and use a security encoding library or WAF.

Related Links:

• OWASP top 10 - https://owasp.org/www-project-top-ten/
• OWASP cheatsheet - https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html
• Portswigger prevention - https://portswigger.net/web-security/cross-site-scripting/preventing
• Article on Reviewing Code for Cross-site scripting Vulnerabilities - https://wiki.owasp.org/index.php/Reviewing_Code_for_Cross-site_scripting
• Portswigger research - https://portswigger.net/research/alert-is-dead-long-live-print

I hope this article is helpful for you. Thank you for reading.