Cross site scripting. How to lose your account with one click

25 february 2023, 00:52 News 0

Rating:
(0 / 5)

Cross-site scripting is an application security vulnerability that allows a hacker to inject malicious code into a website or mobile application.

image
XSS ( Cross Site Scripting, XSS ) attacks occur when an attacker enters a piece of code as input. The malicious code is interpreted as DOM markup (gives the browser access to the content of the HTML page) and runs in the victim's browser. By running their code in the victim's browser, a cybercriminal can gain access to sensitive data, as well as bypass the Same-origin policy.

Types of XSS attacks
Stored (persistent) XSS ( Stored XSS )

The malicious script is injected into the vulnerable application, where it is stored or stored on the vulnerable application page. When the victim loads the infected page in the application, the malicious script executes the user's session context. Here is an example of persistent XSS in the Elementor Page Builder tool.

The hacker injected malicious JavaScript into the site. Clicking on image triggers XSS payload

Reflected XSS _

An attacker tricks a victim into clicking a malicious link in a vulnerable application. In this scenario, reflected scripts are injected into the user's browser session and executed as a direct reflection in the HTTP responses returned by the server.

The attacker has injected XSS into the working URL, and the injection is returned to the victim's browser where the payload is executed.

DOM - based XSS

DOM-based XSS also includes a malicious link and can be injected into the victim's browser via the same attack vector as reflected XSS, but DOM-based XSS does not require interaction with the server. Malicious code is stored and executed in the browser.

The cybercriminal embeds a malicious script in the URL, when connected to this page, the victim's browser parses the HTML page, reaches the script and runs it, extracting the malicious JavaScript. Thus, server-side code protection will not protect against DOM-based XSS attacks. The independence of the attack from the server also complicates its detection.

What can an attacker do in an XSS attack?
By injecting code into the victim's browser, a cybercriminal can:

Steal sensitive user information - login credentials, credit card information and other personal data;
Intercept the user's session (if your application allows JavaScript to read HTTP session information);
Send and receive data from a malicious web server;
Access the user's webcam, microphone, and location through the HTML 5 API or other known browser vulnerabilities;
Use advanced phishing methods that will be difficult to identify not only for an ordinary user, but even for a specialist.
Protection against XSS attacks
Secure the framework

Fewer XSS errors appear in applications built using modern web frameworks that have improved security features and help mitigate XSS attacks using templating, auto-escaping, etc. You need to understand how the framework prevents XSS attacks and where there may be vulnerable areas in it.

Achieve perfect injection resistance

For a successful XSS attack, a cybercriminal needs to inject and execute malicious content on a website. Therefore, every variable in a web application must be protected. The guarantee that all variables pass validation and are then escaped or cleared is called perfect injection resistance . Any variable that does not go through this process is a potential vulnerability. Frameworks allow you to achieve perfect stability, in which all variables are checked, escaped or cleared.

However, even popular frameworks like React and Angular have security gaps. Output encoding and HTML sanitization help to address these shortcomings.

Use Output Encoding _

Use your platform's default output encoding if you want to display data as the user enters it. Automatic encoding and escaping features are built into most platforms.

If you are not using a framework, or need to close security gaps in a framework, then you should use an output encoding library. Every variable used in the user interface must be passed through an output encoding function. A list of output encoding libraries is included in the application.

There are many different output encoding methods because browsers parse HTML, JS, URLs, and CSS differently. Using the wrong method can lead to vulnerabilities or degrade the functionality of your application.

Perform HTML cleanup

Sometimes users need to generate HTML. You can give clients the ability to change the style or structure of content in a WYSIWYG editor. Encoding the output here will prevent an XSS attack, but it will break the app's functionality and the styles won't render. In these cases, HTML scraping should be used.

No comments yet

The Advantages of DBMS Audit for Data Integrity and Security | Softogroup

The Role of DBMS Technical Support in Ensuring Smooth Database Operations | Softogroup

The Importance of Markup in Web Development | Softogroup

The Power of IT Technical Consulting for Your Startup | Softogroup

Empowering Startups with Custom Software Development Solutions | Softogroup

Revamping Your Legacy Software Applications for Optimal Performance | Softogroup

Unleashing the Power of Web Development for Your Business | Softogroup

Elevating User Experiences with Mobile Application Development Services | Softogroup

Revolutionizing Business Operations with Custom Software Development | Softogroup

Empowering Businesses with Custom Software Development | Softogroup

IT Staffing in Serbia | Softogroup

IT Outsourcing Services | Softogroup

DBMS Migration Services | Softogroup

DBMS Audit Services | Softogroup

DBMS Technical Support | Softogroup

Markup Services | Softogroup

IT Technical Consultant for Your Startup | Softogroup

Software Development for Startups | Softogroup

Updating Legacy Software Applications | Softogroup

Software Development for Small and Medium Businesses | Softogroup

Web Development Services | Softogroup

Mobile Application Development Services

Mobile Application Development Services | Softogroup

Empowering Your Business with Custom Software Development Services

Integrated IT Solutions for Business and Security

Decentralized VPNs or Tor? What is the difference and what to choose?

Web Application Pentesting: Stages, Methods, and Impact on Cybersecurity

ChatGPT Reveals 5,000 Most Dangerous Files With Which You Can Easily Hack Websites

Digital self-harm: what is it and how to stop destroying yourself?

What is open source?

How to clean up the site and increase its performance

What is CORS and how does it help you avoid having your money stolen?

Performing a Silver Ticket attack in a Kerberos session

Cyber attacks on the site. What is it and how to protect yourself from them?

How to clean up files and keep information accessible. Experience of the biotechnology company "Vector-Best"

As if smeared with honey: what is a Honeypot and how to catch a hacker "on live bait"

What is a proxy server? How it works?

The main types of cyber attacks and how to deal with them

We tell about RDP for those who hid in the bunker during the pandemic

What is Software Composition Analysis (SCA) and what is it eaten with?

Network anomalies. What is it and how to identify them?

We analyze the best practices for managing network infrastructure

Teenage smartphone addiction: causes, consequences and treatment