Guest Column | June 17, 2016

Life Imitating Art: Understanding The Dangers Of XSS Attacks

The Dangers Of XSS Attacks

By Jessica Foreman

Cross-site scripting, or XSS, is a vulnerability so common that not only is it number three on the OWASP top 10, but it also just become a real-life storyline related to the popular hacking TV drama Mr. Robot. When the USA Network launched the website promoting season two of Mr. Robot, a white hat hacker also immediately uncovered an XSS vulnerability that would have allowed an attacker to gather users’ Facebook information.

While Mr. Robot has consistently earned praise for its realistic portrayal of hacking, producers probably didn’t want to go this far to find real-life inspiration. Just think, if an XSS vulnerability can happen to a major television network in a position to be so thoroughly embarrassed by the irony of this situation, it can happen to almost anyone. And it does. That’s why developers need to understand this common vulnerability and know how to stop it.

Your User Input Is Invalid

XSS is a critical vulnerability in a cloud application that gives attackers the ability to run malicious code in a user’s web browser. For the most part, XSS takes advantage of invalidated user input and JavaScript. It might take a hacker a while to find the vulnerability in your system, but hackers tend to persevere because when it’s found it can lead to massive data breaches, especially if the attack is on an internal system used by an organization’s employees.

With so many different types of attacks, developers have a difficult time identifying all of the possibilities that can lead to a critical data breach. The best way to defend against these attacks is to understand how they work.

So What Does An XSS Attack Look Like?

You can’t defend against an attack if you don’t know what it looks like, so here's a simple XSS attack that is generally harmless but indicates that the application is vulnerable.

  •<script>alert('Your application is vulnerable to XSS!')</script>

The above URL uses the querystring variable “name” to provide input to the application. Developers expect to receive the user’s name from this variable, but attackers have found options that they find a lot more fun. This is why thinking like a hacker is important while creating applications. If you just take this input and print it to the user’s browser page, the script message “Your application is vulnerable to XSS!” appears.

Here’s a look at another example. Suppose the vulnerable application is sent the following URL.

  • http://<script>// <![CDATA[ alert(document.cookie) // ]]></script>

In the above example, the content of a cookie is shown. Now imagine that this cookie contains sensitive information such as an employee’s user name or a customer’s data. This can then be sent to the attacker, rendering his attack successful. These attacks are especially dangerous for internal cloud applications where users can see personal identifiable information for customers such as credit card numbers or social security numbers.

Exing Out XSS

XSS vulnerabilities are incredibly and annoyingly common, so you’ve got to put a little elbow grease into securing your application against XSS attacks. A good first step is getting ahold of an XSS attack example cheat sheet, like the one from application security software provider Checkmarx, in order to help you understand where you should be including security and backend scrubbing of your input data.

The next step is to take the information and implement it in your code. When input is sent through query strings, form POST requests, or even cookies, don’t immediately assume that the input is safe. Always write backend code needed to detect it and even log where appropriate.

Many developers encode input strings, so instead of printing “<script>” to the web page, the encoded < and > characters display “&lt;script&gt;” to the web page. This is harmless although it can interfere with the rendered text on the web page. If you see these encoded characters in your application, it’s possible that an attacker was checking your site for vulnerabilities.

Even if you aren’t a major network behind a show about hacking, falling victim to an XSS vulnerability is going to be embarrassing (not to mention potentially devastating and costly), simply because XSS attacks are such a known threat. Secure your applications, which will secure your reputation.

Jessica Foreman is a Durham University graduate specializing in business and lifestyle based writing. She has developed her skills on projects surrounding The British Broadcasting Company and running a print and online based magazine whilst at university. She is currently looking towards starting her Masters in Mobile and Personal Communications as well as broadening her horizons through traveling.