This tutorial describes the types of XSS attacks and the best security measures to test your frontend code against such attacks. Moreover, it educates developers about programming best practices for secure coding.

What is Cross-Site Scripting (XSS)?

Cross-Site Scripting (also known as XSS) is a kind of web application vulnerability that uses malicious scripts to control a browser. JavaScript is often used by attackers to attack web applications. The exploit nullifies access-control policies such as the same-origin policy, which mitigates suspicious requests or events between web pages originating from different origins. An attacker can gain full access to any user’s data on a web application that is vulnerable to XSS attacks.

According to the statistics reported in [4], the ratio of XSS attacks as compared to other cybersecurity attacks per year is depicted below in the chart.

Types of XSS attacks

XSS attacks are generally categorized into three basic types.

  • DOM-based XSS: When an attacker can read the DOM elements requested by the victim and can send malicious scripts in response.
  • Reflected XSS: When a user clicks on a malicious link that contains JavaScript. This JavaScript will be injected locally in the victim's browser.
  • Stored XSS: A database-based malicious script that plays with the incoming users' requests.

XSS Attacker Journey

An XSS attack is performed by the execution of malicious client-side code that is injected into a trusted web application by the attacker in the user-provided inputs by exploiting XSS vulnerabilities.

A graphical depiction of the XSS attacker journey is given below.

Courtesy of Cloudflare

For instance, an attacker sends the victim a trusted link with a malicious script embedded, as given below, for the victim to click on. After the click, the malicious script is executed on the client’s system, giving the client’s information to the attacker. The alert function shown in the link below can be replaced with any malicious code. Similarly, the attacker can steal the victim's session and cookie information and then masquerade as the actual user on that web application.

https://example.com/login.php?arg=<script>alert('malicious_script');</script>


For a better understanding, let us consider a scenario where a web application takes input from the user and returns the search result against that input.

http://example.com/search?par=car

The above URL will return the search result for the word “car”. Let's assume that the input parameter (par) is not validated at the backend and the attacker embeds malicious JavaScript code inside the parameter (par), such as:

http://example.com/search?par=car++%3Cscript%3EMALICIOUS_SCRIPT()%3C/script%3E

When this URL is opened on the client side, the returned page will contain:

<p>Your search for 'car  <script>MALICIOUS_SCRIPT()</script>'</p>

The function MALICIOUS_SCRIPT() will then be executed and may cause serious damage on the client side.
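The search scenario above as an added example (not code from the original page): the crafted URL is parsed and rendered once by raw concatenation and once with HTML encoding at the point of output. The function names are assumptions chosen for illustration.

```javascript
// Added example: the search page from the scenario above, rendered two ways.
// getSearchTerm, renderSearchVulnerable and renderSearchEncoded are hypothetical names.

// Characters that can change the HTML parsing context, mapped to entities.
const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Read the "par" parameter the way a server framework would:
// percent-decoded, with "+" turned into a space.
function getSearchTerm(url) {
  return new URL(url).searchParams.get('par') ?? '';
}

// Vulnerable: the decoded parameter is concatenated straight into the markup,
// so a <script> element in the parameter becomes part of the page.
function renderSearchVulnerable(url) {
  return `<p>Your search for '${getSearchTerm(url)}'</p>`;
}

// Hardened: the same value is HTML-encoded where it is written out,
// so the browser displays it as text instead of parsing it as markup.
function renderSearchEncoded(url) {
  return `<p>Your search for '${escapeHtml(getSearchTerm(url))}'</p>`;
}

// The crafted URL from the text above.
const crafted = 'http://example.com/search?par=car++%3Cscript%3EMALICIOUS_SCRIPT()%3C/script%3E';
console.log(renderSearchVulnerable(crafted));
console.log(renderSearchEncoded(crafted));
```

Entity encoding as shown is correct for the HTML body context only; values placed in attributes, inline scripts or URLs need the encoding that matches that context.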

What are the Best Secure Code practices to avoid XSS Attacks?

The damages that occur due to the presence of XSS vulnerabilities could be catastrophic. Data or information leakage in the modern age is unbearable and could lead you to court. The greater the volume of user profiles on your web application, the higher will be the risk of cyberattacks and intrusions online. Therefore, your web application's cybersecurity and defense mechanism must be as important as its design and architecture.

Due to the high demand for web application security, software developers should always take care of the security breaches that might occur during the development process and after the production phase. The developers must adopt secure code practices to always stay on the safe side and perform efficiently. Some of the secure code practices include:

· Always go for development frameworks; they are mostly secure

· User-provided input fields must be handled securely

· Adopt encoding mechanism on the outputs

· Validate user inputs before processing

· Always follow the defense-in-depth principle

· Always follow cheat sheets provided by OWASP

· Use appropriate response headers

· Design content security policies

· Post-development analysis of the web application

· Stay updated on XSS prevention techniques and follow HacWare's secure code Twitch series.

How to Test your JavaScript code for XSS Vulnerabilities?

XSS vulnerabilities usually exist where user-provided input fields are present on the web application, such as on login/registration and contact pages. The attackers or intruders inject their malicious scripts at the backend of the input fields. When a victim enters information into the input field, the malicious script performs an undesirable activity against that information. In short, XSS attacks can be tested for and avoided by sanitizing input fields both on the HTML side and on the JavaScript side.

Evaluating your web application against Reflected and Stored XSS attacks requires extensive manual testing of the user-provided input fields using different simple and complex inputs, such as alphanumeric strings, special characters, and JavaScript code. It also requires observing the HTTP response in the browser for each input, identifying any intrusion at the backend, and analyzing any corner case where the input information can be compromised. DOM-based XSS vulnerabilities can be tested by passing simple and complex inputs in the URL and observing the DOM elements against those inputs using the browser’s developer tools.
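The probing procedure described above, as an added example that is not part of the original page: each input class is sent through a render function and the response is checked for how the input comes back. The probes and both sample handlers are constructed for illustration.

```javascript
// Added example: probing a render function with the input classes the text lists.
// PROBES, rawHandler and encodingHandler are constructed for illustration.

// Each probe starts with a unique 6-character marker so its reflection can be located.
const PROBES = [
  { kind: 'alphanumeric', value: 'probe1abc123' },
  { kind: 'special characters', value: `probe2<>"'&` },
  { kind: 'script markup', value: "probe3<script>alert('malicious_script');</script>" },
];

// Classify how one probe comes back in the response body.
function classifyReflection(body, probe) {
  const marker = probe.value.slice(0, 6); // "probeN"
  const at = body.indexOf(marker);
  if (at === -1) return 'not reflected';
  const reflected = body.slice(at, at + probe.value.length);
  // The input came back changed: it was encoded or filtered on the way out.
  if (reflected !== probe.value) return 'reflected altered';
  // Byte-for-byte reflection of markup characters is the finding to fix.
  return /[<>"'&]/.test(probe.value) ? 'reflected raw' : 'reflected plain';
}

// Run every probe through the handler under test and collect the results.
function auditHandler(render) {
  return PROBES.map((p) => ({ kind: p.kind, result: classifyReflection(render(p.value), p) }));
}

// Two handlers under test: raw interpolation versus numeric entity encoding on output.
const rawHandler = (q) => `<p>Your search for '${q}'</p>`;
const encodingHandler = (q) =>
  `<p>Your search for '${q.replace(/[&<>"']/g, (c) => `&#${c.charCodeAt(0)};`)}'</p>`;

console.table(auditHandler(rawHandler));
console.table(auditHandler(encodingHandler));
```

A "reflected altered" result still needs a look at the response itself, since a filter that strips or rewrites input is not the same as correct encoding for the output context.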

Due to the exponential growth of XSS attacks, many automatic XSS testing tools are now available online with which you can test your web application with ease. A list of some free and paid XSS testing tools is given below.

  • XSS Scanner
  • XSStrike
  • Maria-Grabber/XSS-Scanner
  • Acunetix
  • OWASP ZAP XSS Scanner
  • IBM Rational AppScan
  • Burp Suite
  • Zed Attack Proxy
  • https://xss-scanner.com/
  • XSS Hunter
  • XSSER
  • Pybelt

Final Thoughts

This tutorial highlights one of the most exploitable web application vulnerabilities. It also explains how attackers can compromise the web application's functionality and steal data from the client side. XSS vulnerabilities may result in great losses and can bankrupt a company through leakage of its users' data. Mitigating these vulnerabilities is very challenging, as it requires extensive manual testing of the frontend code or the use of free/commercial security tools available online. Similarly, XSS attacks can be avoided by following attack prevention techniques and adopting secure code practices from the start of the project.

References

1. https://www.netsparker.com/blog/web-security/cross-site-scripting-xss/

2. https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy

3. https://www.cloudflare.com/en-gb/learning/security/threats/cross-site-scripting/

4. https://www.thesslstore.com/blog/everything-you-need-to-know-about-cross-site-scripting-attacks/

5. https://www.forcepoint.com/cyber-edu/defense-depth

6. https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html

7. https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP

