Cross-site scripting (XSS) is a type of attack in which a user’s Web browser is tricked into regarding a “script,” or block of computer code, as coming from a trusted website when it has actually been slipped in from a malicious source. The malicious script can do anything from letting the attacker view paid content without payment to stealing innocent users’ personal identification or financial credentials.
XSS attacks pose a threat not only to individual users whose browsers are misled, but also to companies and other organizations whose websites may be infected, letting attackers steal confidential customer information. For companies, this can mean both direct costs and damaging blows to their reputation.
As with other security threats, there is no “magic bullet” to protect against XSS attacks. However, by adopting security precautions and carefully reviewing website code, firms can protect themselves and their customers against these types of attacks.
Cross-Site Scripting Attacks: Abusing Web Tools
As noted by Nikita Gupta in a recent IBM MSS research paper, the origin of XSS attacks goes back to the early days of the Web, when the JavaScript language was introduced in 1995. This language provided Web designers with many useful tools, but it also made XSS possible. Cybercriminals discovered that code scripts disguised as ordinary text could be slipped into a website, which would then execute the unintended — and often malicious — script.
Vulnerability to XSS is not limited to JavaScript, however; other widely used Web design tools can also be exploited to allow for XSS attacks.
Today, these attacks can take three basic forms. Reflected XSS, in which the malicious script comes from an external Web page, is the first iteration to which the name “cross-site scripting” was applied. It is also called nonpersistent XSS.
However, the malicious script can also be stored in a server or database, in which case it is executed every time the page is displayed. Therefore, stored XSS is persistent. Finally, Document Object Model (DOM) scripting is done by modifying the DOM environment of the end-user victim’s browser, bypassing the Web server.
Current Trends in XSS
Reported XSS attacks peaked in 2013. Activity dropped sharply last year as companies beefed up their defenses, and 2014 saw the lowest level of XSS activity since 2011. It remains to be seen what 2015 will bring, but vulnerability to XSS remains widespread.
According to the Hosted Application Scanning Management team at IBM, 17 percent of some 900 dynamic Web application scans showed a vulnerability to XSS. However, this data came from organizations with the most robust and mature security practices. A study by WhiteHat Security found that nearly half of all sites (47.9 percent) are vulnerable to XSS attacks.
Guarding Against XSS Attacks
The first line of defense against XSS is sanitizing input to a website to ensure malicious scripts are not disguised as ordinary text or in other forms. Website code should also be thoroughly reviewed, with special attention paid to places where input can be converted into HTML Web page output.
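The following added example (not from the original article or the IBM paper) shows the kind of spot a code review should flag, a place where input is converted into HTML output, next to a version that encodes each value for the context it lands in. The comment object, its field names and the function names are assumptions made for illustration.

```javascript
// Characters that change meaning inside HTML text or a quoted attribute.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encode a value for an HTML element body or a quoted attribute value.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Allow only absolute http(s) links; any other scheme, or a string
// that does not parse as an absolute URL, is replaced with "#".
function safeHref(value) {
  try {
    const url = new URL(String(value).trim());
    return url.protocol === "http:" || url.protocol === "https:" ? url.href : "#";
  } catch {
    return "#";
  }
}

// Before: input is concatenated straight into markup, so the browser
// parses whatever the submitter typed as part of the page.
function renderCommentUnsafe(c) {
  return `<p><a href="${c.site}">${c.name}</a>: ${c.text}</p>`;
}

// After: the link is checked against the scheme allowlist, and every
// value is encoded before it reaches the markup.
function renderComment(c) {
  const href = escapeHtml(safeHref(c.site));
  return `<p><a href="${href}">${escapeHtml(c.name)}</a>: ${escapeHtml(c.text)}</p>`;
}

// Constructed sample input, as a comment form might submit it.
const sample = {
  name: 'Ann "A" <b>',
  site: "javascript:alert(1)",
  text: "<script>alert(1)</script> & more",
};

console.log(renderCommentUnsafe(sample)); // markup from the input survives
console.log(renderComment(sample));       // input is rendered as inert text
```

Encoding at the point of output complements input validation; the right encoder depends on where the value lands (element body, attribute, URL, script), and this example covers only the first three.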
Additionally, intrusion detection and prevention system “signatures” can and should be enabled (they are not always enabled by default), and the events generated by them should be monitored. Individual users can also protect themselves. For example, they can type Web URLs into their browser instead of simply clicking on links.
XSS is not going away anytime soon, but security threat awareness can help keep XSS attacks on a downward trend.