Cross-Site Scripting (XSS) Attacks
Last updated on November 7th, 2019
Unlike Remote Code Execution (RCE) attacks, the code is run within a user’s browser. Upon initial injection, the site typically isn’t fully controlled by the attacker. Instead, the bad actor attaches their malicious code on top of a legitimate website, essentially tricking browsers into executing their malware whenever the site is loaded.
When attackers inject their own code into a web page, typically accomplished by exploiting a vulnerability on the website’s software, they can then inject their own script, which is executed by the victim’s browser.
Another popular use of cross-site scripting attacks are when the vulnerability is available on most publicly available pages of a website. In this case, attackers can inject their code to target the visitors of the website by adding their own ads, phishing prompts, or other malicious content.
Now that we’ve covered the basics, let’s dive a little deeper. Depending on their goals, bad actors can use cross-site scripting in a number of different ways. Let’s look at some of the most common types of attacks.
Stored cross-site scripting attacks occur when attackers stores their payload on a compromised server, causing the website to deliver malicious code to other visitors.
Since this method only requires an initial action from the attacker and can compromise many visitors afterwards, this is the most dangerous and most commonly employed type of cross-site scripting.
Examples of stored cross-site scripting attacks include the profile fields such as your username or email, which are saved on the server and displayed on your account page.
Reflected cross-site scripting attacks occur when the payload is stored in the data sent from the browser to the server.
Examples of reflected cross-site scripting attacks include when an attacker stores malicious script in the data sent from a website’s search or contact form.
A typical example of reflected cross-site scripting is a search form, where visitors sends their search query to the server, and only they see the result.
Attackers typically send victims custom links that direct unsuspecting users toward a vulnerable page. From this page, they often employ a variety of methods to trigger their proof of concept.
Self cross-site scripting occurs when attackers exploit a vulnerability that requires extremely specific context and manual changes. The only one who can be a victim is yourself.
These specific changes can include things like cookie values or setting your own information to a payload.
Blind cross-site scripting attacks occur when an attacker can’t see the result of an attack. In these attacks, the vulnerability commonly lies on a page where only authorized users can access.
This method requires more preparation to successfully launch an attack; if the payload fails, the attacker won’t be notified.
To increase the success rate of these attacks, hackers will often use polyglots, which are designed to work into many different scenarios, such as in an attribute, as plain text, or in a script tag.
An example of a blind cross-site scripting attack would be when a username is vulnerable to XSS, but only from an administrative page restricted to admin users.
An example of DOM-based cross-site scripting attack would be when the website changes the language selection from the default one to one provided in the URL.
The concept of cross-site scripting relies on unsafe user input being directly rendered onto a web page. If user inputs are properly sanitized, cross-site scripting attacks would be impossible. There are multiple ways to ensure that user inputs can not be escaped on your websites.
To protect your website, we encourage you to harden your web applications with the following protective measures.
Restrict user input to a specific whitelist. This practice ensures that only known and safe values are sent to the server. Restricting user input only works if you know what data you will receive, such as the content of a drop-down menu, and is not practical for custom user content.
While HTML might be needed for rich content, it should be limited to trusted users. If you do allow styling and formatting on an input, you should consider using alternative ways to generate the content such as Markdown.
Finally, if you do use HTML, make sure to sanitize it by using a robust sanitizer such as DOMPurify to remove all unsafe code.
When you are using user-generated content to a page, ensure it won’t result in HTML content by replacing unsafe characters with their respective entities. Entities have the same appearance as a regular character, but can’t be used to generate HTML.
Session cookies are a mechanism that allows a website to recognize a user between requests, and attackers frequently steal admin sessions by exfiltrating their cookies. Once a cookie has been stolen, attackers can then log in to their account without credentials or authorized access.
Note: This method only prevents attackers from reading the cookie. Attackers can still use the active browser session to send requests while acting as an admin user. This method is also useful only when relying on cookies as the main identification mechanism.
You can use a firewall to virtually patch attacks against your website. This method intercepts attacks such as XSS, RCE, or SQLi before malicious requests ever even reach your website. It also has the benefit of protecting against large scale attacks such as DDOS.
The first step in recovering from cross-site scripting is to identify where the vulnerability is located. You can refer to our helpful hacked website guide for detailed steps.
Once you have obtained information about the location of the malware, remove any malicious content or bad data from your database and restore it to a clean state. You’ll also want to check the rest of your website and file systems for backdoors.
Vulnerabilities in databases, applications, and third-party components are frequently exploited by hackers. Once you have identified the vulnerable software, apply patches and updates to the vulnerable code along with any other out-of-date components.
When a compromise occurs, it is important to change all of your passwords and application secrets as soon as the vulnerability is patched. Prevent reinfection by cleaning up your data to ensure that there are no rogue admin users or backdoors present in the database.
Consider setting up a web application firewall to filter malicious requests to your website. These can be particularly useful to provide protection against new vulnerabilities before patches are made available.
If you believe your website has been impacted by a cross-site scripting attack and need help, our website malware removal and protection services can repair and restore your hacked website.
Our dedicated incident response team and website firewall can safely remove malicious code from your website file systems and database, restoring it completely to its original state.
Learn how to identify issues if you suspect your WordPress site has been hacked.Watch Now
Join our email series as we offer actionable steps and basic security techniques for WordPress site owners.Sign Up
Based on our data, the three most commonly infected CMS platforms were WordPress, Joomla! and Magento.Read Now
Learn security best practices for WordPress websites to improve website posture and reduce the risk of a compromise.See Now