Cross site scripting (XSS)

                                                                                  What is it XSS ?

XSS which stands for cross site scripting it is a web application related vulnerability and is commonly found within web based applications, i.e., websites. Web applications are used in the web browser and are hosted on web servers. This type of attack occurs when the attacker injects "HTML" (S, 2020), JavaScript or other scripts within a web application such as a website, these scripts contain malicious codes/script. This becomes a problem because this type of attack can be injected inside trusted and validated websites frequently visited website, when a user accesses these websites that have malicious code injected in them it can prompt the users to perform actions on that website which will lead to a serious issues.

 An example of this could be that a code is injected which prompts the user to "create" a new post, which to the user who visits this website seems normal but the code which was injected can lead to other consequences i.e., it can be used to steal user data by prompting them to enter their personal details before being allowed to post due to "verification process" which is in fact just a front to steal data. It can also be used to steal user accounts, take control, link to harmful content etc. Or you click a submit button but "unintentionally you transfer $100" (Bright Security, 2021).

XSS is split into three types,

(1) Reflected XSS - (2) Stored XSS - (3) DOM based XSS

How it works

The main types of attacks in XSS are the three mentioned above, so how exactly do they work ? 

1. In this method of XSS, a web form or a URL contains the malicious script, this means that the attacker can create a malicious script and have it "embedded into URL" (Tozzi, 2023) which is needed for the users to visit the website, but the attacker can make this URL malicious by via XSS. The script is included in the server response and is run by the user's browser, this means that when a user clicks on the link it will activate the malicious content of the script. 

2. Of the two (reflected and stored) stored XSS "is the more damaging of the two" (Online: nodate) In this method of XSS, the malicious script/code is kept on the target server indefinitely meaning it is there permanently, Usually in the database because the database for a site is a storage type for a site which always needs to be active otherwise there will be no saved information or history of any information about users that access the sit, i.e., no saved passwords, usernames, emails etc. The script is then delivered and run by the user's browser when they view the infected page.

                                          Video Demonstration of XSS

 

3. In this method of XSS,  malicious script tampers with a web page's Document Object Model (DOM), this is the programming interface for HTML and XML, this is what allows the scripts to engage with elements within a web page such changing size of text boxes causing odd behaviour or security problems, by changing the elements of the web page. "Majority of DOM XSS vulnerabilities can be found and reliably using Burp suite's web vulnerability scanner" (Online: nodate)

Demo:

This is the lab that we are going to go through, simply click access lab to start the lab.

Dom based XSS allows us to manipulate elements within a webpage such as a search box, text box etc, in this example we're going to manipulate the HTML contents of the div element, this can be done via using data from  "location. Search". 

A div element acts like a container for HTML elements such as "heading", or "paragraph", this means that we can manipulate an element such as heading and paragraph as its a "div" element.

To do this we are going to use the search bar found within the blogpost and enter our script.

The HTML element that we're going to use is "<img src=1 onerror=alert(1)>"

The breakdown of this script is that "img src=1" is invalid, because what the element is trying to do is search for an "img" but "1" is not a valid image, so it will instead return an error, but this error is "alert(1)", meaning an alert box will appear reading "1". 

This completes the Lab 

Although this seems very simple and it is, this can be used effectively by attackers by replacing "alert(1)" with malicious content such as linking to harmful content or redirecting to another site which automatically downloads malware and viruses. 

For example, "window.loc........." (full code is not shown for the purpose of security) can be used to link to a site which contains malicious content instead of returning "alert" box containing "1".

Potential Impacts

XSS Attacks can cost up to tens of thousands ! 

"All of the CIA policies can be dishonored" (Yang et al., no date:4)by performing XSS attacks, There are several impacts of XSS attacks which can affect companies in terms of integrity, confidentiality and availability.

The way XSS attacks affect confidentiality is via attacks that allow the attacker to steal the information of victims, one example of this can be stealing cookies. With XSS attacks it is possible to steal the cookies of a victim and then use their personal information to impersonate and steal further information as cookies can contain login details. Attackers will effectively have control of their victims accounts allowing them to login and find their confidential information.

Integrity is also affected by XSS attacks, because with XSS attacks it is possible for attackers to modify and change content of a web page such as information of users or the web page itself. This can be done using DOM based XSS attacks that allow the attacker to change/modify elements within a webpage such as tables and the content inside them. This affects integrity because some websites are by companies to provide latest updates and news about their company, if hackers are able to modify the web page and changed important information they can add/modify information which is outdated, unrelated or even malicious.  This will lead to a lost of trust and damage the reputation of a company for providing misleading, outdated and malicious information.

The availability is also affected by XSS based attacks by causing key features, elements and functions on web pages to break or not work as intended. An example could be that on a website there is a tab which leads the user to the latest updates from the company about their hires or employees, the attacker can render this tab function useless by causing it to break or leading the victim to another page which can be malicious. Reflected XSS attacks can also cause a big number of requests to a webpage creating a DDOS attack if the servers are incapable of handling such a large number of requests. 

Figures and measuring has also been done of XSS showing how and if XSS "attack violates" (Mack et al., 2019:13) the CIA triad.

Causes and Solution

1. Reflected XSS attacks are also usually caused by issues and problems found within Stored XSS attacks, therefore the recommendations for Stored XSS can be used here as well and also have similar causes. Such as both being involved in inadequate input validation. Some causes for reflected XSS attacks are;

• User-provided data that is directly included in URLs without sufficient validation or output encoding frequently results in reflected XSS vulnerabilities. An attacker might create a malicious URL that injects executable script code, for instance, if a search query parameter is mirrored in the URL without the necessary encoding.
• When online applications communicate with websites or services operated by outside parties and sites, reflected XSS attacks can be made easier for the attackers to implement. An XSS vulnerability can arise if user-supplied data is sent to outside sources and then returned in the application's response without sufficient validation and encoding.

Some of the solutions for Reflected XSS attacks are;

• Making sure that all user-supplied information is correctly verified and sanitised as this has been used and tested by professionals showing that it "prevents web applications from XSS attacks" (Patil and Patil, 2015:1) , this is important especially with information contained in URLs and form submissions. You can also use whitelisting or input filtering to only allow safe and expected characters by validating input against anticipated forms/scripts.
• When the programme responds with user-supplied data, utilise context-specific output encoding or escaping, and depending on the output context use the proper encoding routines, such as JavaScript and HTML encoding.

2. Stored XSS occur because attackers are able to inject malicious code inside the database of a web application such as a comment box as it allows users to post comments which will remain on the website indefinitely. The usual causes for this type of attack are;

• When encoding web sites, user-generated material must be appropriately encoded to prevent the execution of inserted scripts, when the user-generated material is displayed on the web pages without proper encoding. Failing to do this can lead to attackers being able to inject scripts.
• The lack of input/output validation and the use of insufficient secure coding techniques are examples of inadequate security measures that might result in stored XSS vulnerabilities.

In order to mitigate and solve Stored XSS attacks the following can be tried and implemented;

• Strict input validation should be implemented by verifying and sanitising user-provided data and it is shown that even though it may not be effective against a lot of instances it is still "useful as a first level of defence" (Bisht and Venkatakrishnan, no date:1). To guarantee that only anticipated and secure data is received, use whitelisting or input filtering.
• When presenting user-generated content on web pages, make sure to properly encrypt or escape it. Depending on the context such as, HTML and JavaScript and ensure to use the correct encoding routines.
• The use of quotes to attributes is also worth looking into because attributes that have added quotes can only be escaped via quote to which it corresponds. 

3. Dom based XSS occur because attackers are able to manipulate/modify Document object model of webpages in order to execute their malicious scripts. This type can be caused by;

• Insufficient validation or sanitization of user-generated data that is used in client-side operations will make it so applications that extensively rely on JavaScript and dynamically alter the DOM insecure. This means that these applications are vulnerable.
• Incorrect or unsafe JavaScript code techniques such as using innerHTML or eval() without adequate validation might cause security holes that attackers can take advantage of. This means that having employees who are still new to JavaScript code web pages isn't a good idea as they can use outdated or less secure coding techniques for webpages.

This type of attack can be mitigated as well by following the steps below;

• Regular security audits and penetration tests should be carried out in order to spot and fix vulnerabilities.
• Users should be made aware of the dangers of XSS attacks and urged to take caution when dealing with websites and avoid clicking on shady links. In other words simply training employees and customers about XSS attacks and sending out regular warning about improper links etc. 
• Use security headers to further defend against XSS attacks, such as X-XSS-Protection and X-Content-Type-Options, in others words enhancing defence against Cross-Site Scripting (XSS) assaults by using certain HTTP response headers.
• The use of security frameworks and libraries, such as sanitization libraries or security-focused web frameworks, that come with built-in defences against XSS vulnerabilities. These will provide an extra layer of pre-loaded security features against latest attacks.