It is #2 on the 2021 CWE Top 25 Most Dangerous Software Weaknesses list.
XSS attacks allow the malicious party to act as a legitimate end-user and perform any action that user could, such as accessing their data, updating their login credentials, and so on. If the end-user has privileged access to the app, the attacker could gain elevated access to the application.
More specifically, cross-site scripting happens when:
- The application accepts user input (for example, the web application accepts a web request).
- The web application uses the user input to generate a web page; because there is no sanitization, the user-provided input could contain content the web browser will execute.
- Someone visits the web page; the browser renders the requested web page but includes the malicious code.
There are three primary types of XSS attacks:
- Reflected (Type 1): This occurs when the website receives data as part of an HTTP request, and it returns the included data immediately without any sanitization, verification, or other safety checks.
- Stored (Type 2): This occurs when the website receives data as part of an HTTP request, stores the data, and later returns the data in an HTTP response without any sanitization, verification, or other safety checks.
Because XSS attacks result from unexpected input supplied by an end-user, the primary mitigation is to sanitize and escape user input so malicious parties cannot provide problematic code. Depending on the needs of your application, you may also opt to accept no untrusted user input.
Some of the more common mitigation techniques include:
- Using a vetted library or framework to generate properly encoded/sanitized output (e.g., OWASP’s ESAPI Encoding module)
- Specifying and using an output encoding (e.g., ISO-8859-1, UTF-7, or UTF-8) that the downstream component reading the data can handle; without this, the component may choose an incorrect encoding, resulting in errors
- Implementing input validation: assume all input is malicious and require that every input is validated.
- Converting input: when working with a known set of inputs (e.g., file paths or page addresses), create a mapping and reject anything that isn’t included.
XSS attacks occur when user-supplied input is rendered and results in unexpected application behavior. There are three types of XSS attacks, but regardless of type, the malicious party’s end goal is to leverage the attack to perform malicious activities including, but not limited to:
- Sending malicious requests to the website on behalf of the legitimate user
- Launching phishing attacks to gain access credentials
- Directly stealing sensitive information