Cross-site Scripting, or XSS, is a type of computer vulnerability that is commonly found in web applications, that allows an attacker to inject malicious client-side scripts into web-pages that get executed when other users visit that page.
XSS attacks occur when an attacker uses a web application to send a malicious code, or browser script, to a multiple end-users. XSS attack vectors are usually inserted in input fields.
A typical attack vector used to test XSS is:
Types of Cross-Site Scripting Attacks:
Generally, there are three types of XSS attacks:
- Reflected Cross-site Scripting
- Stored Cross-Site Scripting
- DOM-based Cross-site Scripting
1. Reflected XSS:
In this variant of XSS, the attacker injects the malicious browser script and it gets executed instantly on the client-side, in the form of a pop-up message box. The returned response can be a search result, error message, and so on.
2. Stored XSS:
In the case of Stored XSS, the malicious browser script may not execute instantly, instead it gets stored on the target server, and whenever that webpage is loaded or refreshed, each time the script gets executed.
3. DOM-based XSS:
The DOM, or the Document Object Model, is a programming API for HTML and XML documents. It defines the logical structure of documents and how a document is accessed, handled or manipulated. DOM-based XSS revolves around these Object Models.
DOM-based XSS is an XSS attack where the attack vector is executed as a result of modifying the DOM environment in the victim’s browser used by the actual client-side script, resulting the client-side code to run in an unexpected manner. Simply put, DOM-based XSS attacks occur when the entire flow of malicious data takes place within the victim’s browser.
How Cross-Site Scripting works:
The image below shows the execution of an XSS attack to steal a user’s cookie:
In the image below, the query parameter is reflecting back my input (hello), both in the URL and on the web-page itself, so it might be vulnerable to XSS.
What happened here is, the webpage took my malicious script as a legitimate piece of code, and executed the function of alert that I had put it in there, resulting in a pop-up message box as the response.
Mitigations (Preventions for an XSS Attack):
- Escaping User Input
- Sanitizing User Input
- Validating User Input
- Using Security Headers; like X-XSS-Protection.