Cross Site Scripting (XSS) Attack Types & PreventionVishnu Yash Tripathi
Cross Site Scripting(XSS) is the popular and vulnerable attack which is known by every advanced tester. It is considered as one of the adventurous attacks for web applications and can bring harmful results also. This attack is considered adventurous, because of its ability to damage even less vulnerable technologies.
How XSS Being Performed :
Common cause of XSS :
- Cross Site Scripting can occur at client side by executing malicious script.
- Fake page or form or advertisement displayed to the users (where the victim type credentials or clicks a malicious link).
- Malicious emails sent to the victim with malicious link.
If the below search field is vulnerable then user can enter any script and it will be executed.
For example consider user enters very simple script as shown below:
As in this Example, the script typed into the search field gets executed. This just shows the
vulnerability of the XSS attack. However, a more harmful script may be typed as well.
Types of Cross-Site Scripting Attacks :
This attack is divided into three main categories which are shown below:
1) Reflected XSS – This attack occurs when malicious scripts are not being saved on the web server but reflected in the website’s results.
2) Stored XSS – This attack occurs when malicious scripts are being saved on the web server permanently.
3) DOM – This occurs, when the DOM environment is being changed without any actual change in DOM itself.
How to Test Against XSS :
In order to test against XSS attack, black box testing can be performed. That means it can be tested without a code review. However, code review is always a recommended practice and it brings up more credible results. From our testing experience, We would like to add that if a good black box testing technique is selected and performed accurately, then we will also be able to identify maximum vulnerabilities.
For Example, a tester may try to type in the browser script
If this script is being executed, then there is a huge possibility that means XSS is possible. Also while testing manually for possible Cross-Site Scripting attacks, it is important to remember, that encoded brackets should also be tried.
XSS Testing Tools :
As Cross Site Scripting attack is one of the most popular risky attacks, there are many tools to test it automatically. We can find various scanners to check for possible XSS attack vulnerabilities – like, Nessus and Nikto. Both of which are considered quite reliable.
From our experience, we would like to recommend ZAP (Zed Attack Proxy) tool.
Comparison with Other Attacks :
Another thing that makes this attack risky is the possibility to be stored in the web service – this way it can affect many users for a longer period of time. XSS sometimes can be performed to even less vulnerable system and its vulnerabilities are sometimes difficult to be found.
Ways to Prevent XSS :
Though such type of attack is considered to be one of the most dangerous and risky one, so preventing plan should be prepared. Because of the popularity of this attack, there are many ways to prevent it.
Commonly used below prevention methods include:
- Data validation
XSS Cheat Sheets
XSS Cheat Sheets can be very useful for cross-site scripting prevention. It is a simple guideline for the developers on how to prevent XSS attacks. The rules are very helpful and should not be forgotten while developing the application. XSS Cheat Sheets can be found in internet communities such as OWASP (The Open Web Application Security Project).
While testing, it is highly recommended to evaluate the risks that bring up possible XSS attacks. XSS attack can affect many web applications that seem to be secure as well. While performing test against XSS, it is important to have good understanding about this attack. It is important to choose the appropriate testing tool and to analyze testing results correctly.