Skip to main content
Cross-Site Scripting (XSS)

Cross-site scripting (XSS) is an attack against a web application that uses a server to deliver a malicious script to a user's web browser. Attackers use this method to identify and infect a vulnerable website first, rather than directly attacking the end user. Once the website is infected, visitors unknowingly download the script, which their browser then executes. An XSS generally performs actions such as data exfiltration and session hijacking when it executes.

An attacker can write an XSS in any language that the victim's browser supports. JavaScript is one of the most popular choices due to its widespread use by many browsers and web platforms. This type of attack has been around for at least 15 years and is still effective today.

Impact

Many issues can arise when an XSS compromises a web page. The most common of these include:

  • Attackers accessing online accounts
  • Exposure of sensitive data
  • Upload of a Trojan horse
  • Redirecting web pages
  • Vandalism of website

XSS generally becomes more detrimental to an organization the longer it remains on the website. Long-term infection is particularly damaging to the host organization's reputation and relationships with its clients. The Magecart XSS was responsible for one of the best-known attacks of this type, which first occurred on a large scale during the 2018 holiday shopping season. This XSS was able to inject itself into many online check-out sites, where it retrieved user credit card information. Magecart probably uploaded this information to a server, allowing the attackers to use it for fraudulent purposes themselves or sell it to other criminals.

Types

XSS attacks may be classified into the following types:

  • Reflected XSS
  • Persistent XSS
  • Dom-Based XSS

Reflected XSS

A reflected XSS attack uses a website client's own browser to send the malicious script to the server. This type of attack is also known as a non-persistent XSS attack since the script isn't stored on the server. An attacker can conduct a reflected XSS attack by creating a URL that passes the malicious script in the form of a search parameter to a website with a vulnerable search page. This URL would have the general form of

http://target-website.com/search?search_term="<script>malicious-code</script>"

The next step is to trick users into visiting this URL, often by sending them a phishing email containing the URL as a clickable link. Another tactic is to simply publish the URL on a public page. Once a user clicks the link, the website accepts the search parameter under the assumption that the user is searching for something. However, this parameter is actually the malicious script, which the webserver then injects into the page, causing the user's browser to execute it.

Persistent XSS

A server stores the malicious script in a persistent XSS attack, unlike a reflected attack. In this case, an attacker could post a message on a forum that the target website hosts. The post contains the script, which a user's browser loads and executes when the user visits that page. A persistent XSS attack treats all site visitors as targets, whereas a reflected attack only targets specific users.

DOM-Based XSS

A Domain Object Model (DOM) XSS exploits vulnerabilities in the scripts that a server provides for visitors. This type of XSS doesn't directly deliver the malicious script to the target's browser, as is the case with the other types. However, a DOM-based XSS is similar to a reflected attack in that the server doesn't store the script. While these two types could use the same setup as described in the reflected XSS section above, the server wouldn't generate the web page with the malicious code in the case of a DOM-based XSS. Instead, the target's browser would directly load and execute the script when rendering the search page.

Prevention

The most effective way of defeating XSS attacks is to sanitize user input. This technique primarily involves encoding the server's output to prevent the user's data from automatically causing the browser to load and execute code. Validation of that data is also necessary for detecting malicious user data, which requires the use of a web application scanning tool. A browser's content security policy can help prevent XSS attacks by providing multiple levels of risk mitigation.

Get a Customized Proposal

Use our Scoping Questionnaire to provide us with the necessary information to put together a proposal for you. Please be as thorough as possible with your responses, as it helps us ensure an accurate and complete proposal.
If you're interested in application penetration testing, you may find this article helpful when formulating your responses: Understanding Application Complexity For Penetration Testing.

If you have any questions, contact us at (952) 836-2770 or schedule a meeting. We will follow up promptly once we receive your responses. We look forward to speaking with you soon.

Having trouble viewing the Scoping Questionnaire? Check to see if an ad-blocker is keeping the page from loading properly.

Dedicated Client Portal

Interact in real-time with your RedTeam security professionals on our user-friendly client portal and see firsthand as the team closes in on your company data.

Certified Security Experts

Our trusted security professionals hold certifications from the leading industry organizations, including OSCP, CASS, CPT, CISSP and more.

Research-Focused Approach

We hold industry-leading certifications and dedicate part of every day to research the latest exploit techniques to ensure our clients remain protected from evolving online attacks.

Free Remediation Testing

Once your team addresses remediation recommendations, RedTeam will schedule your retest at no additional charge.