A Complete Guide to Cross Site Scripting (XSS) Attack, how to prevent it, and XSS testing.
Cross Site Scripting (XSS) is one of the most popular and vulnerable attacks which is known by every advanced tester. It is considered as one of the riskiest attacks for the web applications and can bring harmful consequences too.
XSS is often compared with similar client-side attacks, as client-side languages are mostly being used during this attack. However, XSS attack is considered riskier, because of its ability to damage even less vulnerable technologies.
Introduction to XSS Attack
Cross Site Scripting attack is a malicious code injection, which will be executed in the victim’s browser. Malicious script can be saved on the web server and executed every time when the user calls the appropriate functionality. It can also be performed with the other methods – without any saved script in the web server.
The main purpose of this attack is to steal the other user's identity data – cookies, session tokens and other information. In most of the cases, this attack is being used to steal the other person‘s cookies. As we know, cookies help us to log in automatically. Therefore with stolen cookies, we can login with the other identities. And this is one of the reasons, why this attack is considered as one of the riskiest attacks.
How is XSS Being Performed?
This attack can be performed in different ways. Depending upon the type of XSS attack, the malicious script may be reflected on the victim’s browser or stored in the database and executed every time, when the user calls the appropriate function.
The main reason for this attack is inappropriate user’s input validation, where malicious input can get into the output. A malicious user can enter a script, which will be injected into the website’s code. Then the browser is not able to know if the executed code is malicious or not.
Therefore malicious script is being executed on the victim's browser or any faked form is being displayed for the users. There are several forms in which XSS attack can occur.
Main forms of Cross Site Scripting are as follows:
Cross Site Scripting can occur on the malicious script executed at the client side.Fake page or form displayed to the user (where the victim types credentials or clicks a malicious link).On the websites with displayed advertisements.Malicious emails sent to the victim.
This attack occurs when the malicious user finds the vulnerable parts of the website and sends it as appropriate malicious input. Malicious script is being injected into the code and then sent as the output to the final user.
Also, it can be a script executed on the other event.
For Example: On a mouse hover.
<b onmouseover=alert(‘XSS testing!‘)></b>
Let us analyze another Example: Consider, we have a page, where the latest book review is being displayed on the website.
The code of this page will look as shown below:
print "<h1>Latest book review</h1>"
Therefore, in the review field if a malicious user types something harmful, then it will be loaded on this page.
For Example: Consider, that in the review field if a hacker types the below code.
Then on the page load function destroyWebsite(); would be called and it will perform its harmful actions.
As most of us know, this attack is mostly used to gather the other person’s cookies, which can be used to log in with the other identities. Let us analyze another example of possible XSS script with possible cookies theft.
For Example, through the vulnerable website’s field, the hacker injects the appropriate code.
As seen in the indicated Example, cookies are escaped and sent to example.php script’s variable ‘cookie_data’. If the malicious user would inject this script into the website’s code, then it will be executed in the user’s browser and cookies will be sent to the malicious user.
Types of Cross Site Scripting Attacks
The prime purpose of performing XSS attack is to steal other person’s identity. As mentioned, it may be cookies, session tokens, etc. XSS also may be used to display faked pages or forms for the victim. However, this attack can be performed in several ways.
This attack is divided into three main categories as shown below:
#1) Reflected XSS – This attack occurs, when a malicious script is not being saved on the web server but reflected in the website’s results.
#2) Stored XSS – This attack occurs when a malicious script is being saved on the web server permanently.
#3) DOM – This occurs, when the DOM environment is being changed, but the code remains the same.
Let's take an in-depth look at them.
#1) Reflected XSS
This occurs when the malicious results are being returned after entering the malicious code. Reflected XSS code is not being saved permanently. In this case, the malicious code is being reflected in any website result. The attack code can be included in the faked URL or HTTP parameters.
It can affect the victim in different ways – by displaying faked malicious page or by sending a malicious email.
#2) Stored XSS
This attack can be considered riskier and it provides more damage.
In this type of attack, the malicious code or script is being saved on the web server (for example, in the database) and executed every time when the users will call the appropriate functionality. This way stored XSS attack can affect many users. Also as the script is being stored on the web server, it will affect the website for a longer time.
In order to perform stored XSS attack, the malicious script should be sent through the vulnerable input form (For Example, comment field or review field). This way the appropriate script will be saved in the database and executed on the page load or appropriate function calling.
Consider, we have a page where the latest user opinion is being loaded. Therefore, in the opinion or comment field would be typed with the script as shown below.
It will be saved in the database and executed on the page load, as the latest user opinion will be displayed on the page. If a website is vulnerable for XSS, then on the page load popup window with cookies will be displayed. This script is quite simple and less harmful. However, instead of this script, a more harmful code may be entered.
For Example, cookies may be sent to the malicious user or a fake page may be displayed in the victim’s browser.
#3) DOM XSS
This type of attack occurs when the DOM environment is being changed, but the client-side code does not change. When the DOM environment is being modified in the victim’s browser, then the client side code executes differently.
In order to get a better understanding of how XSS DOM attack is being performed let us analyze the following Example.
Consider, there is a webpage with URL http://testing.com/book.html?default=1. As we know, “default” is a parameter and “1” is its value. Therefore, in order to perform XSS DOM attack, we would send a script as the parameter.
How to Test Against XSS?
Firstly, in order to test against XSS attack, black box testing can be performed.
It means, that it can be tested without a code review. However, code review is always a recommended practice and it brings more reliable results too. From my software testing experience, I would like to add, that if a good black box testing technique is selected and performed accurately, then this should be much enough.
While starting testing, a tester should consider which website’s parts are vulnerable to the possible XSS attack.
It is better to list them in any testing document and this way we will be sure, that nothing would be missed. Then, the tester should plan for what code or script input fields have to be checked. It is important to remember, what results mean, that application is vulnerable and it analyzes the results thoroughly.
While testing for possible attack, it is important to check how it is being responded to the typed scripts and is those scripts executed or not etc.
Comparison with Other Attacks
Testing for XSS attack is quite similar to testing for the other possible client-side attacks. However, it is important to remember what additional cases should be checked while testing for XSS.
Another thing, that makes this attack riskier is the possibility to be stored in the web service – this way it can affect many users for a longer period of time. XSS sometimes can be performed to even less vulnerable systems and its vulnerabilities are sometimes difficult to be found.
Also, while comparing with the other attacks, XSS has many ways to be performed and affect the website as well.
Ways to Prevent XSS
Though this type of attack is considered to be one of the most dangerous and risky one, still a preventing plan should be prepared. Because of the popularity of this attack, there are quite many ways to prevent it.
Commonly used main prevention methods include:
The first step in the prevention of this attack is Input validation. Everything, that is entered by the user should be precisely validated, because the user’s input may find its way to the output. Data validation can be named as the basis for ensuring the system’s security. I would remind, that the idea of validation is not to allow inappropriate input.
Therefore it just helps to reduce the risks, but may not be enough to prevent the possible XSS vulnerability.
Another good prevention method is user’s input filtering. The idea of the filtering is to search for risky keywords in the user’s input and remove them or replace them by empty strings.
Those keywords may be:
Input filtering is quite easy to practice. It can be performed in different ways too.
By developers who have written server-side code.
Appropriate programming language’s library is being used.
In this case, some developers write their own code to search for appropriate keywords and remove them. However, the easier way would be to select appropriate programming languages library to filter the user’s input. I would like to comment, that using libraries is a more reliable way, as those libraries were used and tested by many developers.
Another possible prevention method is characters escaping. In this practice, appropriate characters are being changed by special codes. For Example, < escaped character may look like <. It is important to know, that we can find appropriate libraries to escape the characters.
Meanwhile, good testing should not be forgotten as well. It should be invested in good software testers knowledge and reliable software testing tools. This way good software quality will be better assured.
Prevention According to Technologies
As already discussed, filtering and characters escaping are the main prevention methods. However, it can be performed differently in different programming languages. Some programming languages have appropriate filtering libraries and some do not.
It should be mentioned, that filtering can be performed quite easily in Java and PHP programming languages, as they have appropriate libraries for it.
Java technology is quite widely used, therefore there are many solutions to it. If you are using Spring technology and if you would like to escape HTML for the whole application, then you have to write the appropriate code in the project’s web.xml file.
This code will switch HTML escaping for the entire application.
If you would like to switch HTML escaping for the appropriate page’s forms, then the code should be written as follows:
<spring:htmlEscape defaultHtmlEscape="true" />
There are many ready XSS filters in the form of a .jar file. I would remind, that .jar file have to be added to your project and only then its libraries can be used. One such XSS filter is xssflt.jar, which is a servlet filter. This .jar file can be easily downloaded from the internet and added to your project.
This filter checks every request that is sent to the application and cleans it from a potential injection.
When an external.jar file is added to the project, it also has to be described in the web.xml file:
Another possible solution is ESAPI library. ESAPI library is compatible with many programming languages. You can find ESAPI libraries for Java and PHP programming languages. It is an open source and free library, which helps to control the application’s security.
XSS Cheat Sheets
XSS Cheat Sheets can be very helpful for cross site scripting prevention. It is a guideline for the developers on how to prevent XSS attacks. The rules are very helpful and should not be forgotten while developing. XSS Cheat Sheets can be found in internet communities such as OWASP (The Open Web Application Security Project).
Different types of Cheat Sheets:
XSS Prevention Cheat Sheet
DOM XSS Cheat Sheet
XSS Filter Evasion Cheat Sheet
The main guideline would be XSS Prevention Cheat Sheet, as it provides common rules for XSS attack prevention. If you would follow DOM XSS Cheat Sheet and XSS Filter Evasion Cheat Sheet rules, you still would have to follow XSS Prevention Cheat Sheet.
As stated, XSS Prevention Cheat Sheet can be found in the OWASP community. This Cheat Sheet provides us with a list of rules, that would help us to reduce the risks of possible XSS attacks. It is not only the coding rules but also the security vulnerabilities on a prevention basis.
Few of the rules include:
**Untrusted data should not be inserted.
**HTML should be escaped before inserting any untrusted data.
**The attribute should be escaped before inserting the untrusted data, etc.
Hence, Cheat Sheet may be very helpful in preventing this type of attacks.
While testing, it is highly recommended to evaluate the risks that bring possible XSS attacks. XSS attack can affect web applications, that seem to be secure as well.
It is considered to be one of the most harmful and risky attacks. Hence, we should not forget this type of testing. While performing testing against XSS, it is important to have a good knowledge about this attack. And this is the basis to analyze the testing results correctly and choose the appropriate testing tools.
***An Ethical hacker should know the penalties of unauthorized hacking into a system. Read more at: Legality and Ethics
For more tricks and update over hacking stay tuned to our site: Note 4 Tech