With the world so focused on Magecart and Formjacking attacks, it’s easy to forget one of today’s greatest threats to online security – Cross-Site Scripting (XSS). Unfortunately, we are all too often reminded why it’s so important to pay attention to them. XSS attacks have been around for a while (who can forget the infamous 2005 attack on the then-popular social media network MySpace?), but they are still a current and growing threat today. In fact, XSS attacks are still considered one of the top 3 most frequent types of attacks. According to the bug bounty platform HackerOne, XSS is consistently the most common type of vulnerability reported on the site.

As you can see, just because they’ve been around for quite some time, doesn’t mean we are anywhere near solving the risk of XSS vulnerabilities.

But before we dive into more troubling stats, let’s discuss the nature of XSS attacks. In an XSS attack, the attacker exploits a website by injecting malicious scripts and uses them to access users’ online information and activity (such as their cookie data). When a site is vulnerable to such attacks, it allows attackers to use its domain (mainly the path section of the address) to load their code into the web page and extract the related information from its users.

Attacks can be even more severe if they manage to trap users with elevated privileges related to the affected web application. In these cases, hackers gain access to even more information and control.

How does it work, exactly?

Cross-Site Scripting (XSS) attacks involve a malicious script that attackers insert into websites with a flawed, vulnerable validation process. The script, which in many cases infiltrates a highly trusted and heavily used website, is used to convince unsuspecting end users that the content they are viewing belongs to the main site. Attackers can then collect data and steal information and resources. XSS attackers are able to make serious changes to the website and even modify the information on its HTML pages. The malicious script lets attackers read users’ cookie data, hijack sessions, redirect links, access personal information, and much more.


What makes these attacks possible are flaws in the security of web applications. These apps accept and process untrusted, unvalidated data supplied by external website users rather than by the website owners themselves. Having said that, Document Object Model (DOM)-based XSS attacks, which date back to 2005 but are still considered newer than other forms of XSS, have a unique character. These attacks, also known as type-0 attacks, are based on client-side JavaScript code instead of the web application’s server-side code. This means that the attack occurs within the user’s browser and modifies his or her environment there.

What is the impact of XSS?

As we’ve mentioned, XSS attacks are an epidemic. What we’ve been witnessing in recent years is the growing impact of these attacks in terms of frequency and volume. Here are a few examples:

  • In 2015, hackers exploited vulnerabilities in two very popular WordPress plugins to access a long list of websites. A virtual patch was able to stop the exploit, but the plugin creators reported that the DOM-based flaws were “very tricky to block.” Abusing these plugins gave hackers access to countless websites and an unimaginable volume of information.
  • A famous attack that occurred in the earlier days of Twitter managed to reach none other than the UK Prime Minister’s wife, Sarah Brown, who unknowingly shared a flawed file with millions of her followers. What’s interesting about this attack is that to be affected by it, users didn’t even have to click the shared link, but just hover over it.
  • A well-known website that is repeatedly exposed to XSS attacks is eBay. In 2016, the website unknowingly exposed millions of users to nearly undetectable phishing schemes. A couple of years earlier, attackers used cheap iPhones as phishing bait. eBay is constantly working to improve its protection levels, and yet reports of XSS vulnerabilities continue to surface every now and again.
  • When banking or other finance-related services are involved, the information accessed and collected by attackers is that much more critical. A recent XSS bug was discovered in Google’s invoice submission service, which could potentially have allowed the alteration of invoices, as well as the large-scale compromise of more Google accounts and services. Google is always working on improving its defenses against these attacks, which also target different Chrome-related services, such as the company’s PDF viewer.

Can XSS attacks even be prevented?

So far, we’ve painted a rather disturbing image in this article, but there is a light at the end of the tunnel. There are, in fact, several ways to address and prevent XSS attacks from taking over your website. Here are a couple to consider:

  • As we’ve mentioned, the source of all XSS evil is unvalidated data, which means that websites that take the time to carefully validate the data might be able to prevent these attacks. This takes some extra steps, but when done correctly can definitely help. 
  • Addressing the specific and common problem of DOM-based XSS attacks, website owners can use unique sandboxing techniques that do not allow attackers to distinguish the real website from the sandbox, thus releasing the malicious code into a secure environment, where it is studied and mitigated in advance. This approach, which was developed by Source Defense, gives website owners back control over the process and turns the tables so that the attackers are now in the dark as to what is really going on. The website continues to operate uninterrupted, while the attack is completely prevented.
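The DOM-based pattern described earlier and the validation advice above, as an added example that is not from this article or from Source Defense’s product: a welcome banner built client-side from the URL fragment (standing in for `location.hash`, simulated here as plain string building so it runs outside a browser), once unsafely and once with untrusted data encoded before it reaches the page. The function names and the sample fragments are constructed for this example.

```javascript
// Added example (not from the original article): contextual HTML encoding for
// untrusted data, shown on a simulated DOM-based sink.

// Escape the five characters that let untrusted text break out of an HTML
// text node or a double-quoted attribute value.
function escapeHtml(untrusted) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(untrusted).replace(/[&<>"']/g, (ch) => map[ch]);
}

// The "before" form: client-side code concatenates the URL fragment straight
// into markup (the type-0 / DOM-based pattern, no server round trip involved).
function renderBannerUnsafe(fragment) {
  const name = decodeURIComponent(fragment.replace(/^#/, ''));
  return '<div class="banner">Welcome, ' + name + '</div>';
}

// The hardened form: same output for ordinary names, but any markup carried in
// the fragment is rendered as literal text instead of being interpreted.
function renderBannerSafe(fragment) {
  const name = decodeURIComponent(fragment.replace(/^#/, ''));
  return '<div class="banner">Welcome, ' + escapeHtml(name) + '</div>';
}

// Test-time guard: does the produced markup contain any element other than the
// <div> the template itself emits? A true result means user data became markup.
function containsUnexpectedTag(html) {
  const tags = html.match(/<\/?[a-zA-Z][^>]*>/g) || [];
  return tags.some((t) => !/^<\/?div\b/i.test(t));
}

// Constructed sample fragments (hypothetical, not from the article).
const benignFragment = '#Alice';
const hostileFragment = '#' + encodeURIComponent('<script>alert(1)</script>');

// Stand-alone demonstration.
console.log(renderBannerUnsafe(benignFragment));
console.log('unsafe leaks markup:', containsUnexpectedTag(renderBannerUnsafe(hostileFragment)));
console.log('safe leaks markup:  ', containsUnexpectedTag(renderBannerSafe(hostileFragment)));
```

The same guard can be dropped into a unit-test suite so that any template that lets user-controlled input become a new element fails the build.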

Websites that serve millions of users worldwide hold an increased level of responsibility. They should be aware of any new trends in the security world, but must not be blinded by them or forget about the old and common hacking techniques. XSS attacks happen all the time and cause serious damage to resources and reputation. But most importantly, they can – and should – be prevented.
