What is Cross-site Scripting (XSS)? Why XSS is a Threat, how does XSS Work? Different Types of XSS Attacks

Part one of our two-part series on Cross-site scripting (XSS) explains what are XSS attacks. We also take a close look on how XSS exploits work (urls, cookies, web cache etc.) and analyze their impact on business websites – webservers, using real examples of popular sites that were hit using different XSS exploits. We also talk about the different type of XSS attacks that make website users very difficult to identify and detect them. Part-two will provide a Cross-site scripting attack example, talk about the different type of XSS vulnerabilities and explain how to identify XSS vulnerabilities in your web applications & web servers.

Part two analyzes XSS attacks, showing how easy it is to create a XSS script, and provides useful information on how to identify XSS vulnerabilities.

Websites operate typically with two sides to them: the backend and frontend. On the backend, there are the familiar layers of systems that generate the elements for the frontend – the web application service, language renderer (e.g. PHP or Python), database, and so forth. These areas are commonly the ones most focused on when it comes to securing a website, and rightfully so. Some of the most damaging hacks in history were a result of successful attacks on the backend systems. But the frontend, where things like HTML, CSS, and most especially JavaScript exist – is equally susceptible to attack, with considerable fallout as well.

Cross-site scripting, which is more commonly known as XSS, focuses the attack against the user of the website more than the website itself. These attacks utilize the user's browser by having their client execute rogue frontend code that has not been validated or sanitized by the website. The attacker leverages the user to complete their attack, with the user often being the intended victim (such as by injecting code to infect their computer). The user loads a trusted website, the rogue script is injected somehow, and when the page is rendered by their browser that rogue script is executed. With more websites performing their actions as browser-rendered code instead of in Flash or with static pages, it is easy to see why XSS can be a significant threat.

Why Is XSS A Threat & How Does It Work?

An XSS attack can actually be quite dangerous for users of a website, and not just because of the possible trust lost from its customers. When a user accesses a website, often much of its content is hidden behind some form of authentication – like how Facebook is practically useless unless you have an account. That authentication not only hides privileged information, but also provides access to the account itself (social media information, ability to make purchases, etc.). Some of the information required for that authentication is stored on the user's computer, namely in the form of cookies. If a user's cookies can be compromised via an injected XSS exploit, their account can be hijacked as well.

This can have huge ramifications, especially on larger Content Management System (CMS) platforms and even social media websites. The software project management service, JIRA, found itself the target of an XSS exploit that affected large software companies such as the Apache foundation. This caused administrator accounts to become compromised, which could have led to a cascade effect of further data compromise, company secrets, proprietary software, etc. In fact, if you were ever a user of MySpace (remember that website?), you probably heard of the most infamous XSS exploit: the JS.Spacehero worm, also known as the MySpace Samy worm. These attacks not only caused serious problems with account compromises, but considerable financial loss as well. Even though the Samy worm was basically harmless, it caused an exponential spread in less than a day that forced MySpace to take itself offline for several hours, reportedly costing them over $1 million USD in revenue.

Different Types Of XSS Attacks

XSS exploits can take a number of forms, which makes them very difficult for website users to detect. An innocuous short-URL link (like TinyURL or Bitly) to a website, a forum signature image, a modified website address, even something completely hidden from view (e.g. obfuscation, where it is written in an intentionally confusing, illegible manner) – any of these and more can be used to accomplish an XSS exploit. In fact, if a user's browser can load it (such as an image) or execute it (such as code), there exists opportunity for an XSS exploit.