Cross-site scripting (XSS) is considered one of the most dangerous threats to web applications. Researchers have found XSS vulnerabilities in some of the most popular web platforms, including Facebook, Google, PayPal and Amazon. Anyone familiar with bug bounty programs knows that a large share of the reports concern XSS.
Browsers are constantly being updated with filters to block these attacks, but XSS has always found another loophole. Attackers use the technique to spread malware, steal cookies, redirect users to malicious sites and hijack sessions. The attacker injects JavaScript into a page served by the web application, and the victim's browser executes it as if it were the site's own code. The awkward part of XSS is that individual instances are easy to detect but the class of flaw is difficult to eliminate.
XSS attack explained
An obvious question is why the threat is called XSS rather than CSS. The abbreviation was chosen simply to avoid confusion with cascading style sheets. An XSS flaw exists wherever user-controlled input is placed into a page without being encoded for the context it lands in. If the input is not validated and encoded before output, the browser receives the attacker's script alongside the application's own markup. The browser has no way to tell whether that script is part of the application or not, so it gives it the benefit of the doubt and executes it.
Example:
Search boxes are common to most websites. The form is typically coded like this:
<form action="search.php" method="get">
<input type="text" name="q" value="" />
<input type="submit" value="send" />
</form>
The search.php page that runs the query also displays the keywords alongside the search results, so it contains something like:
<h3>You Searched for: <?php echo($_GET['q']); ?></h3>
Whatever the search query is, it will be displayed alongside the search results. Now, what if an attacker submits this as the query?
"><script>alert('XSS injection')</script>
Nothing on the server encodes the input or filters out the script, so the page prints exactly what it was given. The HTML sent to the browser is:
<h3>You Searched for: "><script>alert('XSS injection')</script></h3>
The browser executes the injected script and shows a dialog reading "XSS injection". Note that in this text context the leading "> is simply printed; that prefix is there to close a quoted attribute value and its tag when the input is reflected into an attribute instead, for example back into the value of the search box.
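The search page above, as an added example that is not code from the original article: the vulnerable template and an output-encoded version of it, rebuilt in Node.js so the reflection can be run offline. It assumes a string template standing in for the PHP page, uses the article's payload, and goes one step beyond the article by adding an attribute-context variant (the query reflected back into the search box) to show when the leading "> in the payload actually matters.

```javascript
// Added example, not the article's code. The PHP page is modelled as a
// plain string template so the behaviour can be checked without a server.

// Vulnerable: the query is dropped into the page with no output encoding,
// exactly like <?php echo($_GET['q']); ?>.
function renderSearchVulnerable(q) {
  return `<h3>You Searched for: ${q}</h3>`;
}

// Contextual output encoding for HTML text and double-quoted attribute
// values. The five characters that can change HTML structure are replaced
// by entities, so the browser can only ever treat the query as text.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#39;',
  })[c]);
}

// Hardened: same page, query encoded for the HTML text context.
function renderSearchSafe(q) {
  return `<h3>You Searched for: ${escapeHtml(q)}</h3>`;
}

// Attribute context (assumed variant, not in the article): the query is
// reflected into the search box so the user sees what they typed. Here
// the leading "> closes the value attribute and the <input> tag, which is
// why the classic payload starts with it.
function renderSearchBoxVulnerable(q) {
  return `<input type="text" name="q" value="${q}" />`;
}

function renderSearchBoxSafe(q) {
  return `<input type="text" name="q" value="${escapeHtml(q)}" />`;
}

// Crude structural check, good enough for a unit test: does the rendered
// page contain a <script ...> start tag the template did not put there?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// The article's payload.
const payload = `"><script>alert('XSS injection')</script>`;

// Render the payload through all four templates and report the result.
for (const [name, render] of Object.entries({
  renderSearchVulnerable,
  renderSearchSafe,
  renderSearchBoxVulnerable,
  renderSearchBoxSafe,
})) {
  const html = render(payload);
  console.log(`${name}: script tag present = ${containsScriptTag(html)}`);
  console.log(`  ${html}`);
}
```

The encoded variants keep the attacker's text visible on the page, but as text: the browser shows the literal string and never sees a script element. escapeHtml is only correct for HTML text and quoted attribute values; data placed into a URL, a JavaScript string or a CSS value needs the encoding appropriate to that context.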
Preventing XSS Attacks
To avoid falling victim to XSS, web applications should be built under a secure development lifecycle (SDL). The aim is to reduce coding errors and security design errors, and to limit the impact of any XSS flaw that goes undetected. The first line of defence is to encode every piece of untrusted data for the context in which it is output (in PHP, htmlspecialchars with ENT_QUOTES for HTML text and attribute values). Several open source libraries exist to add a further layer on top of that:
- PHP AntiXSS: adds an extra layer of protection against XSS vulnerabilities. PHP AntiXSS automatically detects the encoding of the data and filters it.
- xss_clean.php filter: a powerful filter used by developers to clean nested exploits and UTF encodings.
- HTML Purifier: a standards-compliant HTML filtering library. HTML Purifier removes malicious markup from input while keeping the allowed HTML, and is easily available as a plugin for PHP frameworks.
Filtering libraries are a second layer, not a replacement for output encoding: a filter that strips a blacklist of tags can be bypassed by a payload it did not anticipate. In the end, it is up to the developer to follow a secure development life cycle. For a business, an XSS flaw damages the brand's reputation and its customer base. Regular review and testing keep the chances down.
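Why a filter has to deal with nested exploits, as an added example that is not code from the article or from any of the libraries it lists: a one-pass blacklist filter, the same filter repeated until its output stops changing, and two constructed payloads (one nested, one using an event handler instead of a script tag) run through both.

```javascript
// Added example, not the article's code. The payloads are constructed for
// this demonstration; the filters are deliberately simple blacklists so the
// failure modes are easy to see.

// Naive filter: delete every literal <script> / </script> tag once.
function naiveStripScript(input) {
  return input.replace(/<\/?script>/gi, '');
}

// Same blacklist, but applied until a pass changes nothing, so a payload
// cannot reassemble a tag out of the pieces the filter leaves behind.
function stripScriptUntilStable(input) {
  let prev;
  let cur = input;
  do {
    prev = cur;
    cur = prev.replace(/<\/?script>/gi, '');
  } while (cur !== prev);
  return cur;
}

// Minimal "would this run?" oracle for the demo: a <script> start tag or an
// on* event-handler attribute. A real check would parse the HTML.
function looksExecutable(html) {
  return /<script\b/i.test(html) || /\son\w+\s*=/i.test(html);
}

// Nested payload (constructed): removing <script> and </script> once leaves
// exactly <script>alert(1)</script> behind.
const nestedPayload = '<scr<script>ipt>alert(1)</scr</script>ipt>';

// Event-handler payload (constructed): no script tag at all, so a filter
// keyed on that tag never touches it.
const eventHandlerPayload = '<img src=x onerror="alert(1)">';

// Run both payloads through both filters and collect the results.
function filterDemo() {
  return {
    nestedAfterNaive: naiveStripScript(nestedPayload),
    nestedAfterStable: stripScriptUntilStable(nestedPayload),
    eventAfterNaive: naiveStripScript(eventHandlerPayload),
    eventAfterStable: stripScriptUntilStable(eventHandlerPayload),
  };
}

for (const [label, html] of Object.entries(filterDemo())) {
  console.log(`${label}: executable = ${looksExecutable(html)}  ${html}`);
}
```

Iterating the filter to a fixed point closes the nested trick, but the event-handler payload sails through both versions untouched, which is the general problem with blacklists: they only block what their author thought of. Encoding the data for its output context does not depend on recognising the payload, which is why it remains the primary defence and filters like these stay a secondary layer.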