By: Pooja
In this article, we briefly describe the fundamental concepts of the cross-site scripting (XSS) attack.
Definition of XSS attack
XSS falls under the category of code injection attacks. It is one of the most severe security vulnerabilities found in web applications and is ranked among the top 10 web application vulnerabilities by OWASP. In this attack, the attacker injects carefully crafted malicious scripts into the vulnerable web application. The root cause of XSS is inadequate filtering of the data entered by users, which lets an attacker introduce malicious code into web pages with little effort. These malicious scripts run on the client side, in the user’s web browser. This lets the attacker bypass the Same-Origin Policy (SOP), which is meant to keep the content of different web applications isolated from one another.
An XSS attack does not directly harm the web application itself; rather, it targets the application’s end users. Once it executes successfully, the attacker can gain access to sensitive information such as cookies and session tokens. It may also serve as the first step of other cyber-attacks, such as phishing, or be used to infect the victim’s device with malware so that it becomes part of a botnet. These bots can then be used to launch Distributed Denial of Service (DDoS) attacks on a massive scale.
This attack exploits vulnerabilities in web applications built with a range of programming languages, including PHP, Java, ASP.NET, etc. Among these, PHP is the most widely used. An attacker can craft the malicious payload in a variety of languages, including JavaScript, VBScript, ActiveX and Flash. Because most browsers rely on JavaScript to support dynamic web pages, attackers most frequently use JavaScript to craft their XSS attack vectors. This makes XSS one of the most frequently occurring and most damaging attacks.
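The "inadequate filtering" the article describes is best seen side by side with its fix. The following is an added example, not code from the original article: a template that concatenates user input straight into HTML (the vulnerable pattern) next to the same template with HTML output encoding applied. The function names (`escapeHtml`, `renderGreetingUnsafe`, `renderGreetingSafe`, `containsInjectedTag`) and the sample input are this example's own.

```javascript
// Added example (not from the original article): the XSS root cause and its fix.
// Function names and the sample input below are this example's own constructions.

const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
};

// Encode the five characters that let text break out of an HTML text node
// or out of a double/single-quoted attribute value.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// The pattern behind reflected and stored XSS: untrusted input is
// concatenated straight into markup, so the browser parses it as HTML.
function renderGreetingUnsafe(name) {
  return `<p>Hello, ${name}!</p>`;
}

// Hardened version: same template, but the input is encoded for the HTML
// text context before insertion, so it can only ever render as text.
function renderGreetingSafe(name) {
  return `<p>Hello, ${escapeHtml(name)}!</p>`;
}

// Illustrative check only: after removing the template's own <p> wrapper,
// does the rendered output still contain a tag? If so, the input became markup.
function containsInjectedTag(html) {
  const withoutTemplateTags = html.replace(/^<p>|<\/p>$/g, '');
  return /<[a-zA-Z!\/]/.test(withoutTemplateTags);
}

// Constructed sample input: a classic harmless probe string.
const probe = '<script>alert(1)</script>';

console.log('unsafe :', renderGreetingUnsafe(probe));
console.log('safe   :', renderGreetingSafe(probe));
console.log('tag injected (unsafe)?', containsInjectedTag(renderGreetingUnsafe(probe))); // true
console.log('tag injected (safe)?  ', containsInjectedTag(renderGreetingSafe(probe)));   // false
```

Note that `escapeHtml` is correct only for the HTML text and quoted-attribute contexts; data placed inside a `<script>` block, a URL, or a CSS value needs the encoding rules of that context, which is why modern template engines encode per context automatically.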
Consequences of XSS attack
XSS attacks can have destructive consequences. Some of the most common and severe effects are described below:
- Cookie stealing: An attacker can steal the cookie sent by the server, which contains the session ID, take control of the user’s account and perform malicious activities such as sending spam messages to the user’s friends.
- Account hijacking: Attackers can steal sensitive information such as financial account credentials or bank login details for their own benefit. If an administrator’s account on an online social network (OSN) is hijacked, the attacker gains access to the OSN server and database system and thus has complete control over the OSN web application.
- Misinformation: This is the threat of misinformation delivered under the site’s own credentials. It may include malware that tracks the user, for example by collecting traffic statistics, leading to a loss of privacy. Such scripts may also alter the content of the page, leading to a loss of integrity.
- Denial-of-Service Attack: Availability is one of the most important properties any enterprise service must provide. An XSS attack can be used to redirect the user to a fake web page whenever the user requests the legitimate one, so that the user can no longer reach the legitimate website. In this way the attacker achieves a denial of service. Malicious scripts may also crash the user’s browser, or block the web application indefinitely with pop-ups.
- Browser exploitation: Malicious scripts may redirect the user’s browser to the attacker’s site, where the attacker can take full control of the user’s computer, install malicious programs such as viruses and Trojan horses, and gain access to the user’s sensitive information.
- Remote Control of the System: Once the XSS attack vector executes on the victim’s machine, it opens a way for the attacker to deliver malware that grants remote access to the victim’s system. The system may then carry out malicious activity on the Internet or become part of a botnet used to launch further attacks.
- Phishing: When the user clicks a malicious link sent by the attacker, it may redirect the user to a fake website designed by the attacker to capture sensitive information such as the user’s login credentials.
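The cookie-stealing and account-hijacking consequences above depend on an injected script being able to read the session cookie. The check below is an added example, not from the original article: it parses a `Set-Cookie` header and reports whether the attributes that limit that exposure (`HttpOnly`, `Secure`, `SameSite`) are present. The function names and the two sample headers are this example's own constructions.

```javascript
// Added example (not from the original article): audit a Set-Cookie header for
// the attributes that limit what an injected script can do with a session cookie.
//   HttpOnly  - cookie is not exposed through document.cookie
//   Secure    - cookie is never sent over plaintext HTTP
//   SameSite  - cookie is not attached to most cross-site requests
// Function names and the sample headers are this example's own constructions.

function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const value = eq === -1 ? '' : pair.slice(eq + 1);
  const attributes = {};
  for (const attr of attrs) {
    if (!attr) continue;
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase(); // attribute names are case-insensitive
    attributes[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return { name, value, attributes };
}

// Returns a list of findings for one cookie; an empty list means the cookie
// carries every protection this check looks for.
function auditSessionCookie(header) {
  const { name, attributes } = parseSetCookie(header);
  const findings = [];
  if (!attributes.httponly) findings.push(`${name}: missing HttpOnly (readable via document.cookie)`);
  if (!attributes.secure) findings.push(`${name}: missing Secure (sent over plaintext HTTP)`);
  const sameSite = typeof attributes.samesite === 'string' ? attributes.samesite.toLowerCase() : null;
  if (sameSite !== 'lax' && sameSite !== 'strict') findings.push(`${name}: SameSite not set to Lax or Strict`);
  return findings;
}

// Constructed sample headers: the weak form and the hardened form of the same cookie.
const WEAK_COOKIE = 'SESSIONID=abc123; Path=/';
const HARDENED_COOKIE = 'SESSIONID=abc123; Path=/; Secure; HttpOnly; SameSite=Lax';

console.log('weak     :', auditSessionCookie(WEAK_COOKIE));     // three findings
console.log('hardened :', auditSessionCookie(HARDENED_COOKIE)); // []
```

`HttpOnly` does not stop XSS itself; an injected script can still act on the user's behalf from inside the page. It removes the simplest payoff, exfiltrating the session cookie for reuse elsewhere, and so belongs alongside output encoding rather than in place of it.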
See more about XSS attacks
- Top 10 web application vulnerabilities by OWASP. Available at: OWASP Top Ten Web Application Security Risks | OWASP.
- XSS attack. Available at: What is Cross-Site Scripting? XSS Cheat Sheet | Veracode.
- What is a Cross-Site Scripting attack. Available at: What is Cross Site Scripting? | Cross Site Scripting Attack | Cross Site Scripting Tutorial | Edureka – YouTube.
Security Vulnerabilities Related to XSS Attacks
- SQL Injection. SQL Injection | OWASP.
- Cross-Site Request Forgery. Cross Site Request Forgery (CSRF) | OWASP Foundation.
- Command Injection. Command Injection | OWASP.
- XPath Injection. XPATH Injection Software Attack | OWASP Foundation.
- CRLF Injection. CRLF Injection | OWASP.
Great work! This is the type of information that should be shared around the net.
You need to take part in a contest for among the finest blogs on the web. I will advocate this website!
I have read some excellent stuff here. Certainly value bookmarking for revisiting. I surprise how a lot effort you set to make such a great informative web site.
Thank you for excellent information I was looking for this information for my mission.
I just couldn’t go away your website before suggesting that I really enjoyed the usual information a person provide to your visitors? Is gonna be back often in order to inspect new posts
Definitely, what a fantastic website and illuminating posts, I definitely will bookmark your website. All the Best!
Hey there, You have performed a great job. I will definitely digg it and individually suggest to my friends. I’m confident they will be benefited from this web site.
Awesome info and right to the point.
Thanks for one’s marvelous posting! I truly enjoyed reading it, you might be a great author. I will be sure to bookmark your blog and will often come back at some point. I want to encourage one to continue your great writing, have a nice weekend!
Wow, amazing blog layout! How long have you been blogging for? you make blogging look easy. The overall look of your web site is fantastic, let alone the content!
You made various fine points there. I did a search on the topic and found most persons will consent with your blog.
Outstanding post however I was wanting to know if you could write a little more on this topic?
I’d be very thankful if you could elaborate a little bit more.
Cheers!
Thank you for your support. Please see our other posts for more information on XSS.