Introduction

For the past 15 years, the Open Web Application Security Project (OWASP) has helped organizations develop, purchase, and maintain trusted applications and APIs. OWASP is a well-respected, open community known for many free resources, such as application security tools and standards, books on application security testing, secure code development and secure code review, and several cheat sheets on many application security-related topics. However, OWASP is best known for regularly publishing its Ten Most Critical Web Application Security Risks list.

What Is Cross-Site Scripting (XSS)?

With a presence going back to the early days of OWASP's 2004 list, the risk of cross-site scripting (XSS) remains a significant threat in 2017, as it can be found in around two-thirds of all applications. An XSS flaw can happen whenever an application includes untrusted data in a new web page without adequate validation or escaping, or updates an existing web page with user-supplied data using a browser API that can create HTML or JavaScript. This allows attackers to execute scripts in the victim's browser that can hijack user sessions, deface web sites or even redirect the user to a malicious site.

A typical XSS attack may involve session stealing, account takeover, MFA bypass, DOM node replacement or defacement (such as fake login panels), and attacks against the user's browser such as malicious software downloads, key logging and other client-side attacks. The problem is that an XSS vulnerability is quite easy to detect and exploit, since its three forms can be identified with the help of automated tools and subsequently attacked with the help of freely available exploitation frameworks. The usual impact is somewhat moderate for reflected and DOM XSS, but rather severe for stored XSS. This includes arbitrary remote code execution in the victim's browser that can lead straight to credential and session stealing, or to creating a channel for delivering malware.

Cross-Site Scripting (XSS) Case Studies

A notorious cross-site scripting flaw was the case of eBay's stored XSS vulnerabilities. Discovered in 2015, they were still being exploited in 2017 to steal credentials. For cybercriminals, exploiting this vulnerability was trivial, as eBay's website allowed the inclusion of malicious JavaScript in auction descriptions. Early attacks involved abusing this vulnerability to inject malicious redirect code into high-value listings (like vehicles) and steal login credentials from eBay members. As more accounts were compromised, the attacks expanded into lower-value item listings. Legitimate listings from reputable, yet compromised, eBay accounts were also affected.

How Can I Prevent XSS Attacks?

During OWASP's Top Ten 2017 update, cross-site scripting lost a few positions to other risks such as injection, broken authentication, sensitive data exposure, XML external
entities (XXE), broken access control, and security misconfiguration. But the fact that XSS still holds the seventh position means it cannot be overlooked.

Another option is enabling a content security policy (CSP). This is a defense-in-depth mitigating control against XSS. It creates an additional security layer, enabling server admins to limit XSS entry vectors by specifying the domains that the browser should consider to be valid sources of executable scripts. In this case, a CSP-compatible browser will be limited to executing scripts loaded from source files received from those whitelisted domains, completely ignoring all other scripts (including inline scripts and event-handling HTML attributes). In a more extreme approach, a CSP can globally disallow script execution on a site. Once you decide on your XSS fixing approach, using a vulnerability scanner is the best way of confirming the issue has been fixed.

Conclusion

To put it simply, it is not likely that the XSS menace will disappear in the coming years. The best way to avoid a serious problem is, as usual, taking a proactive approach and implementing the necessary security controls. Otherwise, you may discover that, for example, every visitor to your site has been diverted to a malicious page.

Sources

- Stored XSS in ebay messages filenames
- Hackers still exploiting eBay's stored XSS vulnerabilities in 2017
- WordPress 4.9.2 Security and Maintenance Release
- Drupal core – Critical – Multiple Vulnerabilities – SA-CORE-2018-001
- OWASP XSS (Cross Site Scripting) Prevention Cheat Sheet
- OWASP DOM based XSS Prevention Cheat Sheet
- Content Security Policy (CSP)
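Returning to the prevention section, the following JavaScript is an added example (not code from the original article) of the two controls it discusses: escaping untrusted data before it is written into the page, and a CSP whose `script-src` restricts scripts to listed origins so that inline scripts and event-handler attributes are ignored. It also goes one step further with a small audit helper that flags a policy which still allows inline scripts. The function names, the listing template and the `https://cdn.example.com` origin are constructed for illustration.

```javascript
// Escape map for untrusted data placed inside an HTML element body,
// the OWASP XSS Prevention Cheat Sheet rule for that context.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '/': '&#x2F;',
};

function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"'\/]/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable: a listing description is concatenated into the page unescaped,
// so any markup or script it contains is rendered live (the eBay pattern).
function renderUnsafe(description) {
  return `<div class="listing">${description}</div>`;
}

// Hardened: same template, but the untrusted value is escaped on output.
function renderSafe(description) {
  return `<div class="listing">${escapeHtml(description)}</div>`;
}

// The CSP described in the text: scripts run only when loaded from 'self' or
// the given origins; inline <script> and on* attributes are ignored because
// 'unsafe-inline' is absent. object-src 'none' also blocks plugin content.
function buildCsp(scriptOrigins) {
  return [
    "default-src 'self'",
    `script-src ${["'self'", ...scriptOrigins].join(' ')}`,
    "object-src 'none'",
  ].join('; ');
}

// Parse a policy header value into { directive: [sources] }.
function parseCsp(policy) {
  const directives = {};
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name) directives[name] = sources;
  }
  return directives;
}

// Audit helper: does the policy still permit inline scripts? script-src falls
// back to default-src, and CSP Level 2 browsers ignore 'unsafe-inline' when a
// nonce or hash source is also present.
function allowsInlineScript(policy) {
  const d = parseCsp(policy);
  const sources = d['script-src'] || d['default-src'] || [];
  const nonceOrHash = sources.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
  return sources.includes("'unsafe-inline'") && !nonceOrHash;
}
```

Send the result of `buildCsp` as the `Content-Security-Policy` response header; `allowsInlineScript` is useful as a regression check when a policy is loosened during debugging.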