Cross-site scripting (XSS) is a type of attack in which a user’s Web browser is tricked into regarding a “script,” or block of computer code, as coming from a trusted website when it has actually been slipped in from a malicious source. The malicious script can do anything from letting the attacker view paid content without payment to stealing innocent users’ personal identification or financial credentials.

XSS attacks pose a threat not only to individual users whose browsers are misled, but also to companies and other organizations whose websites may be infected, letting attackers steal confidential customer information. For companies, this can mean both direct costs and damaging blows to their reputation.

As with other security threats, there is no “magic bullet” to protect against XSS attacks. However, by adopting security precautions and carefully reviewing website code, firms can protect themselves and their customers against these types of attacks.

Cross-Site Scripting Attacks: Abusing Web Tools

As noted by Nikita Gupta in a recent IBM MSS research paper, the origin of XSS attacks goes back to the early days of the Web, when the JavaScript language was introduced in 1995. This language provided Web designers with many useful tools, but it also made XSS possible. Cybercriminals discovered that code scripts disguised as ordinary text could be slipped into a website, which would then execute the unintended — and often malicious — script.

Vulnerability to XSS is not limited to JavaScript, however; other widely used Web design tools can also be exploited to allow for XSS attacks.

Today, these attacks can take three basic forms. Reflected XSS, in which the malicious script comes from an external Web page, is the first iteration to which the name “cross-site scripting” was applied. It is also called nonpersistent XSS.

However, the malicious script can also be stored on a server or in a database, in which case it is executed every time the affected page is displayed; this is why stored XSS is called persistent. Finally, DOM-based XSS works by modifying the Document Object Model (DOM) environment of the victim’s browser so that the malicious script runs on the client side, bypassing the Web server entirely.

Current Trends in XSS

The peak incidence of reported XSS attacks was in 2013. Reported attacks dropped sharply last year as companies beefed up their defenses, and 2014 saw the lowest level of XSS activity since 2011. It remains to be seen what 2015 will bring, but vulnerability to XSS remains widespread.

According to the Hosted Application Scanning Management team at IBM, 17 percent of some 900 dynamic Web application scans showed a vulnerability to XSS. However, this data came from organizations with the most robust and mature security practices. A study by WhiteHat Security found that nearly half of all sites (47.9 percent) are vulnerable to XSS attacks.

Guarding Against XSS Attacks

The first line of defense against XSS is sanitizing input to a website so that malicious scripts cannot be slipped in disguised as ordinary text or in some other form. Website code should also be thoroughly reviewed, with special attention paid to the places where user input is turned into HTML page output.

Additionally, intrusion detection and prevention system “signatures” for XSS can and should be enabled (they are not always enabled by default), and the events they generate should be monitored. Individual users can also protect themselves. For example, they can type Web URLs into their browser instead of simply clicking on links.

XSS is not going away anytime soon, but security threat awareness can help keep XSS attacks on a downward trend.
