January 19, 2015 By Rick M Robinson 2 min read

Cross-site scripting (XSS) is a type of attack in which a user’s Web browser is tricked into regarding a “script,” or block of computer code, as coming from a trusted website when it has actually been slipped in from a malicious source. The malicious script can do anything from letting the attacker view paid content without payment to stealing innocent users’ personal identification or financial credentials.

XSS attacks pose a threat not only to individual users whose browsers are misled, but also to companies and other organizations whose websites may be infected, letting attackers steal confidential customer information. For companies, this can mean both direct costs and damaging blows to their reputation.

As with other security threats, there is no “magic bullet” to protect against XSS attacks. However, by adopting security precautions and carefully reviewing website code, firms can protect themselves and their customers against these types of attacks.

Cross-Site Scripting Attacks: Abusing Web Tools

As noted by Nikita Gupta in a recent IBM MSS research paper, the origin of XSS attacks goes back to the early days of the Web, when the JavaScript language was introduced in 1995. This language provided Web designers with many useful tools, but it also made XSS possible. Cybercriminals discovered that scripts disguised as ordinary text could be slipped into a website, which would then execute the unintended, and often malicious, code.

Vulnerability to XSS is not limited to JavaScript, however; other widely used Web design tools can also be exploited to allow for XSS attacks.

Today, these attacks can take three basic forms. Reflected XSS, in which the malicious script arrives from outside the site (typically carried in a link the victim follows) and is echoed back in the page, is the first form to which the name “cross-site scripting” was applied. It is also called nonpersistent XSS.

However, the malicious script can also be stored on a server or in a database, in which case it is executed every time the page is displayed. Stored XSS is therefore persistent. Finally, DOM-based XSS works by modifying the Document Object Model (DOM) environment of the end-user victim’s browser, so the script never passes through the Web server.

Current Trends in XSS

The peak incidence of reported XSS attacks was in 2013. Reported attacks dropped sharply last year as companies beefed up their defenses, and 2014 saw the lowest level of XSS activity since 2011. It remains to be seen what 2015 will bring, but vulnerability to XSS remains widespread.

According to the Hosted Application Scanning Management team at IBM, 17 percent of some 900 dynamic Web application scans showed a vulnerability to XSS. However, this data came from organizations with the most robust and mature security practices. A study by White Hat Security finds that nearly half of all sites (47.9 percent) are vulnerable to XSS attacks.

Guarding Against XSS Attacks

The first line of defense against XSS is sanitizing input to a website so that malicious scripts cannot pass as ordinary text, whatever form they take. Website code should also be thoroughly reviewed, with special attention paid to the places where input is turned into HTML Web page output.
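The point above about the places where input becomes HTML, and the reflected and stored forms described earlier, can be shown in a few lines. This is an added example, not code from the article or from IBM: a vulnerable greeting template beside a hardened one that encodes the untrusted value at the exact point where it is written into the page, plus a small review check. The sample input and all function names are constructed for the illustration.

```javascript
// Constructed sample input: a stored or reflected "display name" that
// carries markup instead of plain text.
const untrustedName = '<script>alert("xss")</script>';

// Output encoding for the HTML body context: escapes the five characters
// that let text break out of a text node or a double-quoted attribute.
function escapeHtml(input) {
  const map = {
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#x27;',
  };
  return String(input).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable: raw concatenation lets the input become part of the markup,
// which is how reflected and stored XSS reach the browser.
function renderGreetingUnsafe(name) {
  return '<p>Hello, ' + name + '</p>';
}

// Hardened: same template, but the value is encoded where it becomes HTML.
// (For DOM-based cases in the browser, the equivalent is assigning to
// element.textContent rather than element.innerHTML.)
function renderGreetingSafe(name) {
  return '<p>Hello, ' + escapeHtml(name) + '</p>';
}

// Code-review aid: reports whether rendered output still contains a script
// tag, which user-supplied text should never be able to introduce.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

console.log(renderGreetingUnsafe(untrustedName)); // script tag survives
console.log(renderGreetingSafe(untrustedName));   // rendered as inert text
```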

Additionally, intrusion detection and prevention system “signatures” can and should be enabled (they are not always enabled by default), and the events generated by them should be monitored. Individual users can also protect themselves. For example, they can type Web URLs into their browser instead of simply clicking on links.

XSS is not going away anytime soon, but security threat awareness can help keep XSS attacks on a downward trend.
