Cross-site scripting (XSS) attacks are a type of malware attack that injects malware code into otherwise normal and secure websites. Hackers use flaws or vulnerabilities in a web application (script) to send malware to users on the websites. Users trigger the malware when they click on the application inside the website or when the web page itself is loaded.
Organisations and companies running scripts on their websites can leave the door open to XSS attacks if they display content from users from untrusted sources without proper validation.
The definition of cross-site scripting (XSS) attacks
XSS attacks happen when an attacker tricks a web application into sending data in a form that a user's browser can execute. Most often this is a combination of HTML code and XSS provided by the cybercriminal, but XSS can also be used to deliver malicious downloads, plugins or media content.
An attacker is able to trick a web application in this way when the web application (script) allows data from an untrusted source - such as data entered into a form by users or passed to an API endpoint by client software - to be displayed to users without being properly processed.
Because XSS can allow hackers to insert malicious code into users' browsers and gain access to some types of data, such as session cookies, an XSS vulnerability can allow an attacker to take data from users and dynamically include it on web pages, taking control of a website or application.
Malicious content delivered through XSS attacks can be displayed instantly every time a page is loaded or a specific event is performed. XSS attacks aim to steal personal information from users of a web application, and the attacks can be particularly effective because they appear on well-known and trusted websites and target everyone who uses those websites.
More simply put, cybercriminals insert malicious scripts into a website's content, which are then included in the dynamic content delivered to the user's browser. Most browsers may not know that the malicious scripts are dangerous and therefore execute them.
The term "cross-site scripting" refers to scripts across websites that are being attacked.
Initially, attacks involved JavaScript only, but now all client-side languages can be affected, such as ActiveX, Flash and HTML.
Types of XSS attacks
The three most common types of XSS attacks are reflected XSS, persistent XSS and DOM-based XSS.
Reflected XSS attacks
This is one of the most commonly used cross-site scripting attacks. It takes place, for example, when the user sends a request to a website's server. Instead of getting a response from the server itself, the user may come into contact with a malicious script that will contain malware. The script may be designed to look like a normal error message or perhaps a search result.
The user will often click on the link or message and the user's device will then be infected with the malware as the click triggers the execution of the malicious code. Then, all the information that the user enters will be sent to the hacker. This could be search engine addresses, login details, personal data, etc.
DOM-based XSS attack
This is a type of attack that relies on the DOM (Document Object Model). The Document Object Model (DOM) is the data representation of the objects that comprise the structure and content of a document on the Web.
The DOM allows the user to access the complete content of the website without having to interact with the server in question. In DOM attacks, the hacker focuses on the victim's browser.
Persistent XSS attack
This is also known as Stored XSS and is an attack that happens when an application or a website's HTTPS responses have all been infected with malicious code. For example, the malware may be stored in the website's comment area, where it will be triggered as soon as someone clicks on the comment area.
Persistent XSS is quite harmful as the hacker has already inserted the malware on a website. The victim does not need to be tricked into clicking on a link. It is enough to use a random function on the web page that is infected with the malware for the attack to happen.
Whereas persistent XSS and reflected XSS attacks show signs of something suspicious on the HTML response page, it is different with DOM XSS attacks. In DOM XSS attacks, you have to look at the website's code to detect the attack.
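The code review described above for DOM-based XSS, as an added example that is not part of the original article: a heuristic Node.js check that flags lines where URL-controlled data reaches a DOM sink. The sink and source lists, the function names and the sample script are assumptions chosen for illustration.

```javascript
// DOM properties and functions that turn a string into markup or code (sinks),
// and browser values that a crafted link can control (sources).
const SINKS = /\b(innerHTML|outerHTML|insertAdjacentHTML|document\.write(ln)?|eval)\b/;
const SOURCES = /\b(location\.(hash|search|href)|document\.(URL|referrer)|window\.name)\b/;

// True when the text mentions any variable already marked as tainted.
function usesTainted(text, tainted) {
  return [...tainted].some((name) => new RegExp(`\\b${name}\\b`).test(text));
}

// Line-by-line heuristic: track variables assigned from a source (directly or
// through another tainted variable) and report sinks that receive them.
function findDomXssCandidates(source) {
  const tainted = new Set();
  const findings = [];
  source.split('\n').forEach((line, i) => {
    const assign = line.match(/\b(?:const|let|var)\s+(\w+)\s*=(.*)/);
    if (assign && (SOURCES.test(assign[2]) || usesTainted(assign[2], tainted))) {
      tainted.add(assign[1]);
    }
    const sink = line.match(SINKS);
    if (sink && (SOURCES.test(line) || usesTainted(line, tainted))) {
      findings.push({ line: i + 1, sink: sink[1] });
    }
  });
  return findings;
}

// Constructed sample of client-side page code to review.
const samplePageScript = [
  'const params = new URLSearchParams(location.search);',
  'const name = params.get("name");',
  'document.getElementById("greeting").innerHTML = "Hello " + name;',
  'document.getElementById("footer").innerHTML = "<em>static</em>";',
  'document.getElementById("safe").textContent = name;',
].join('\n');

console.log(findDomXssCandidates(samplePageScript));
```

Only the third line is reported: the fourth writes a fixed string and the fifth uses `textContent`, which treats the value as text rather than markup. A match is a candidate for manual review, not proof of a vulnerability.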
The consequences of cross-site scripting attacks
When hackers manage to exploit XSS vulnerabilities, they can gain access to credentials. They can also spread viruses or gain access to the user's computer and view the user's browsing history or remotely control the browser. After gaining control of the victim's system, attackers can also exploit other applications.
By exploiting XSS vulnerabilities, an attacker can perform malicious actions, such as:
- Spread malware on a user's device
- Access browsing history and clipboard content
- Remotely control a user's browser
- Access sensitive data
- Scan and exploit various applications
- Redirect the user to a malicious website
- Record user keystrokes
- Obtain cookie information from the user
How to identify cross-site scripting vulnerabilities
XSS vulnerabilities can occur and be detected if:
- Input coming to web applications is not validated
- Output to the browser is not HTML encoded
Preventing cross-site scripting
To minimize cross-site scripting vulnerabilities, website developers or owners can:
- Update their site and server software to prevent future exploitation of vulnerabilities that could be exploited through an XSS attack.
- Ensure that all pages on their site that accept user input filter code input, such as HTML and JavaScript.
- Scan for any vulnerabilities in web applications and have them fixed.
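The two conditions listed under identification (unvalidated input, output that is not HTML encoded) and the filtering advice above come down to encoding untrusted data at the point where it is written into a page. The following Node.js sketch is an added example, not code from the original article; the function names and sample inputs are constructed for illustration.

```javascript
// Encode the five characters that let text break out of HTML element
// content or a quoted attribute value.
const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Reflected case, vulnerable: the search term is echoed into the page as-is.
function renderSearchVulnerable(query) {
  return `<p>No results for ${query}</p>`;
}

// Reflected case, hardened: the term is encoded when it is written out.
function renderSearchSafe(query) {
  return `<p>No results for ${escapeHtml(query)}</p>`;
}

// Persistent case, hardened: stored comments are encoded every time they are
// rendered, both in element content and inside a quoted attribute.
function renderCommentsSafe(comments) {
  const items = comments.map(
    (c) => `<li title="${escapeHtml(c.author)}">${escapeHtml(c.text)}</li>`
  );
  return `<ul>${items.join('')}</ul>`;
}

// Constructed sample inputs.
const sampleQuery = '<script>alert(1)</script>';
const sampleComments = [
  { author: 'alice', text: 'Nice article & thanks!' },
  { author: 'x" data-injected="1', text: '<script>alert(1)</script>' },
];

console.log(renderSearchVulnerable(sampleQuery)); // markup reaches the browser unchanged
console.log(renderSearchSafe(sampleQuery));       // markup is displayed as plain text
console.log(renderCommentsSafe(sampleComments));
```

This encoding covers element content and quoted attribute values only; data written into a script block, a URL or a style needs encoding for that context instead.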
How users can protect themselves from cross-site scripting attacks
Users can protect themselves from XSS attacks by:
- Disabling scripting on pages where it is not needed, or disabling it altogether.
- Avoiding clicking on links from suspicious emails or pop-up advertisements, as they may lead the user to compromised websites.
- Going directly to websites by entering the URL in their browser instead of clicking on links.
- Keeping their device's software updated with the latest security patches so that there are no security holes. Regularly updating software will reduce the number of vulnerabilities that make a website or applications vulnerable to XSS attacks.
- Reviewing their apps to determine which are necessary and which they rarely use. Removing apps that are rarely used reduces the number of potential vulnerabilities that can be exploited by hackers.
- Using high-quality antivirus tools. They block many types of cyber threats such as viruses, spyware and ransomware.
Sofie Meyer
Sofie Meyer is a copywriter and phishing aficionado here at Moxso. She has a master's degree in Danish and a great interest in cybercrime, which resulted in a master's thesis project on phishing.