What are Cross-Site Scripting attacks and how to prevent them?
Consider a scenario where you are logging in to your account on a website. You enter your username and then your secret password. But when you hit ‘Enter’ the page loads up and pops us the same login screen again.
You think that you might have typed in the wrong password. So you type your username and password one more time. Only this time you are able to log in to your account. After you’re done with your work, you close the tab.
But the next morning you’re in for a big shock. Your account has been suspended and you’ve lost access to most of your social media accounts. You try different passwords but it does not work. You also try refreshing the page and entering your login credentials - it still does not work. This is exactly when you realize that you’ve been hacked.
While you have no clue about when you were hacked, you search the internet for answers. That’s when you realize that you’ve been part of a scripting attack on the website you visited yesterday.
In this post, we are going to look into one of the scripting attacks called cross-site scripting.
Table of Contents
- What is cross-site scripting?
- How is a scripting attack carried out?
- What are the types of cross-scripting attacks?
- What are the different ways to prevent cross-scripting attacks?
What is cross-site scripting attack?
However cross-site scripting doesn’t just target you or any particular visitor on the website. It is designed as a mass attack mechanism to target all the visitors of a website. In other words, it is designed to steal the data of all the visitors logging on to a website. The attack code becomes a part of the website and is submitted to the user’s computer along with the request. In a way, you could say that your website has also played a massive role in helping the attacker get your data.
How is a cross-site scripting attack carried out?
In very simple words, a cross-site scripting attack involves the addition of a few scripts of malicious code into a website.
This code can be added onto pages where user input is required to perform an action. For example, website visitors can comment on blog posts and news articles. However, they are required to log in to comment on these posts. So these are high opportunity places for the hacker to insert his/her malicious code into the website.
All that the attacker really needs to do is insert the code in the form of a comment. Once the comment is posted and live, every visitor logging into the blog post will have their data stolen.
Here’s how the attack will happen:
- The hacker enters the attack code in the form of a comment
- The malicious code now becomes a part of the website
- A visitor clicks on the web link and opens the page on their computer
- The code is also downloaded along with the page data
- The user clicks on the ‘login’ button to make a comment
- He/She is redirected to a duplicate login page created by the hacker
- The visitor enters their data and clicks ‘enter’
- They are redirected to the original login page while their login data is saved by the user
- They are confused and re-enter the login credentials
- Now they are logged on to their account
- The user has no clue about the scripting attack that has stolen their user data
- They post the comment and go about their way
- On the other side, the hacker used their precious data to leave nasty comments or even steal their social media accounts
All of this happens while the visitor has no clue that their precious data had been stolen by an unknown hacker.
What are the types of cross-scripting attacks?
There are three different types of cross-scripting attacks that are common out there -
This attack happens when the payload for the attack has been stored in a local database. The attack will be initiated when a visitor tries to retrieve that data from the particular storage.
This is common in areas where the payload is a part of the request. Search results are a good example of places where a reflected XSS attack can take place. The websites which require users to enter data are also a common area for the reflected XSS attack.
This attack occurs when the payload is triggered by modifying the HTML DOM of a website.
What are the different ways to prevent cross-scripting attacks?
There is no one fixed approach to preventing cross-scripting attacks. Hackers come up with a variety of ways to exploit the vulnerabilities in a website. However, cross-scripting attacks can be prevented by sanitizing user inputs in a proper way. Here are some measures to make sure that user inputs cannot be stolen from your website.
Add the concept of Allowlist Values
The first step you can do is restrict user data to a specific allowlist value. Adding a drop-down list is a great example of this concept. However, this can only work for predetermined values and not custom values like the username.
Try to avoid and restrict HTML in inputs
While HTML might be needed for rich content, it should be limited to trusted users. If you do allow styling and formatting on an input, you should consider using alternative ways to generate the content such as Markdown.
Finally, if you do use HTML, make sure to sanitize it by using a robust sanitizer such as DOMPurify to remove all unsafe code.
HTML code is only needed for rich content on your website. More than that, it should only be limited for use by trusted users on your website. However, if you allow users to style and format their entries, that could be a problem for you. In this case, you need to find alternate ways to generate it as Markdown.
Always sanitize your values
When you are using user-generated content to a page, ensure it won’t result in HTML content by replacing unsafe characters with their respective entities. Entities have the same appearance as a regular character, but can’t be used to generate HTML.
When you are using UGC (user-generated content) on your page, always sanitize your values. Make sure that your content does not result in HTML content being replaced by unsafe characters. Make sure that the entities have the same appearance as a regular character on your website. This way it cannot be used to generate HTML code.
Cross-site scripting attacks are preventable when you take the right steps to prevent them. Always follow safety procedures and keep updating your website to make sure it cannot be attacked by an external entity.