Cross Site Scripting (XSS) is one of the most popular and vulnerable attacks known to all advanced testers.
It is considered one of the riskiest attacks for web applications and can also have damaging consequences.
XSS is often compared to similar client-side attacks, as client-side languages are mainly used during this attack.
However, the XSS attack is considered more dangerous, due to its ability to damage even less vulnerable technologies.
Here we provide you with information about what the Cross Site Scripting attack consists of, a complete description of its types, tools, and preventive measures with perfect examples in simple terms for easy understanding.
What is Cross Site Scripting (XSS) & How It Works, Exactly?
The Cross Site Scripting attack is an injection of malicious code, which will be executed in the victim’s browser.
The malicious script can be saved on the webserver and run every time the user calls the appropriate functionality.
It can also be done with the other methods, without any script saved on the webserver.
The main objective of this attack is to steal the identity data of the other user: cookies, session tokens, and other information.
In most cases, this attack is being used to steal the other person’s cookies.
As we know, cookies help us to log in automatically. Therefore, with the stolen cookies, we can log in with the other identities. And this is one of the reasons why this attack is considered one of the most dangerous.
Malicious code is usually written with client-side programming languages like Javascript, HTML, VBScript, and Flash.
The main reason for this attack is inappropriate user input validation, where malicious input can enter-output. A malicious user can enter a script, which will be injected into the website code. So the browser cannot know if the executed code is malicious or not.
3 Different Types of Cross Site Scripting (XSS)
The main objective of carrying out an XSS attack is to steal someone else’s identity. As mentioned, it can be cookies, session tokens, etc. XSS can also be used to display forged pages or forms to the victim.
However, this attack can be carried out in several ways.
This attack is divided into three main categories as shown below:
- Mirrored XSS: This occurs when malicious results are returned after entering malicious code. Mirrored XSS code is not permanently saved. In this case, the malicious code is reflected in the result of any website. The attack code can be included in the fake URL or the HTTP parameters. It can affect the victim in different ways: by displaying a fake malicious page or by sending a malicious email.
- Stored XSS: This attack can be considered more dangerous as it does more damage. Here, the script code is saved on the webserver (for example, in the database) and runs every time users call the appropriate functionality. In this way, the stored XSS attack can affect many users. Also, as the script is stored on the webserver, it will affect the website for a longer time. To perform a stored XSS attack, the malicious script must be submitted via the vulnerable input form (for example, the comment field or review field). In this way, the script will be saved to the database and will be executed on page load or the appropriate function call.
- DOM: This type of attack occurs when the DOM environment is changed, but the client-side code does not change. When the DOM environment is modified in the victim’s browser, the client-side code executes differently. In this way, the DOM environment is affected. Of course, instead of this simple script, something more harmful can also be entered.
How to Test an XSS Attack? (Tools Included)
First of all, to test the XSS attack, black box tests can be performed.
It means that it can be tested without a code review.
However, code review is always a best practice and it also gives more reliable results.
If a good black-box testing technique is selected and performed accurately, this should be sufficient.
When starting testing, a tester should consider which parts of the website are vulnerable to possible XSS attacks.
It is better to list them in any test document and in this way we will be sure that nothing will be lost. The tester then needs to plan which code or script input fields to check.
It is important to remember, what the results mean, that the application is vulnerable, and analyzes the results thoroughly.
While testing a possible attack, it is important to check how written scripts are responded to and whether or not those scripts are executed.
Also, while performing a manual test for possible Cross-Site Scripting attacks, it is important to remember that hard-coded brackets should also be tested.
Some people try to protect websites and systems from various attacks by changing the brackets to double.
We must not forget to test the URL of the website. Also, if you are conducting a code review, it is important to find out how input can go into output.
Since the Cross Site Scripting attack is one of the most popular dangerous attacks, there are many tools to test it automatically.
We can find various scanners to check for possible XSS attack vulnerabilities, such as Nesus and Nikto. Both are considered quite reliable.
It is important to mention the SOAP UI tool. It can be considered as a fairly robust tool to check for possible XSS attacks. It contains ready-made templates to verify this attack.
It really simplifies the testing process. However, to test this vulnerability with the SOAP UI tool, the API level testing should already be automated with that tool.
Another solution for testing an XSS can be browser plugins. However, plugins are considered a rather weak tool to verify this type of attack. Even while testing automatically, the tester should have a good understanding of this type of attack and should be able to analyze the results properly.
How to Prevent Cross-Site Scripting in 2020
Although this type of attack is considered one of the most dangerous, a prevention plan must be prepared. Due to the popularity of this attack, there are many ways to prevent it.
The main commonly used prevention methods include:
- Data validation: Everything the user enters must be accurately validated because user input can find its way to output. Data validation can be named as the basis for ensuring system security. This only helps to reduce the risks, but may not be enough to prevent the possible XSS vulnerability.
- Filtering: The idea of filtering is to look for dangerous keywords in user input and remove or replace them with empty strings. Those keywords can be: <script> </script> Tags, Javascript Commands, and HTML Markup.
- Escape: In this practice, the appropriate characters are being changed by special codes. It is important to know that we can find appropriate libraries to escape characters.
Yes. All of it looks and sounds complicated.
It is.
But you don’t have to freeze or burn your head off by thinking about it.
Let a team of experts take care of it, so you can focus on what you do and enjoy best: taking care of your business.