23/10/2022

What is Cross-Site Scripting (XSS)? | Explanation of attack mechanism and countermeasures

Cross-site scripting (XSS) is one of the most common web attacks of recent years. Website operators need to take countermeasures against XSS vulnerabilities, because an attacker with modest knowledge can carry out such attacks relatively easily. In this article, we give an overview of cross-site scripting (XSS), how it is carried out, and what countermeasures exist.

What is cross-site scripting (XSS)?

Cross-site scripting (XSS) is an attack that exploits a vulnerability in a website to embed a malicious script in the HTML the site delivers to its users.

Sites that generate web pages from user input, such as survey sites, site search, blogs, bulletin boards, and web applications such as Facebook and Twitter, are prone to cross-site scripting if no proper XSS countermeasures are taken. When a user enters or submits information on a form placed on such a site, the embedded malicious script is executed in the user's browser, and not only the entered information but also the user's cookies can be sent to the attacker.

Cross-site scripting (XSS) attack flow and mechanism

Cross-site scripting (XSS) attacks mainly consist of the following three steps.

  1. The attacker enters content, such as links containing a script, into an input form to set a trap in the web application (e.g. a bulletin board site).
  2. The victim uses that web application.
  3. When the victim clicks the link, the script executes; it transitions (crosses) to another website and runs the malicious content (the script).

As a result, a malicious web page may be displayed, the victim's machine may be infected with malware, and so on. For example, you should be careful when an unfamiliar pop-up modal or input form appears.

Such forms are designed to prompt the user to enter important information, such as personal data, and then steal what was entered; the user may then suffer damage such as leakage of personal information or a malware infection.

To avoid becoming a victim, one countermeasure is to pay attention to what is displayed, even in a web application you use regularly, and not to click or enter information carelessly.

Difference between XSS and Cross Site Request Forgery (CSRF)

Cross-site scripting (XSS) countermeasures

There are three effective countermeasures against cross-site scripting (XSS).

Keep in mind that none of these measures alone will completely prevent cross-site scripting attacks. It is important to build a multi-layered defense by introducing all of them, not just one, to further raise the security of the web application.

Countermeasure #1: Sanitizing inputs

A cross-site scripting (XSS) attack injects executable code through a web application's forms in order to perform malicious operations in the environment of the application's users. Sanitizing scripts so that this code cannot execute is an effective countermeasure.

For example, if content containing the strings <script> through </script> is posted to a web application that does not sanitize it and is embedded in a page, the JavaScript (or other script) will be executed when a button or link displayed as part of the posted content is clicked.

Therefore, escaping (encoding) the five special characters &, <, >, " and ' that are needed for script execution makes the script inexecutable: it is displayed as a plain string on the screen, which renders it harmless (sanitization). With this substitution, even if a script is entered, the web application's screen shows the source of the script rather than doing what the attacker intended.
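The following is an added example, not code from the original article: an escaping function for the five characters named above, applied when a user-supplied post is rendered into an HTML body context. The vulnerable rendering function and the post contents are constructed for illustration; `renderPostUnsafe` shows the concatenation that lets a posted script tag survive, and `renderPostSafe` the same template with escaping applied at output time.

```javascript
// Added example (not from the original article): escape the five HTML
// special characters before user-supplied text is embedded in a page.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
};

// Replace every occurrence of & < > " ' with its HTML entity, so the browser
// treats the text as data to display rather than as markup or script.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable version (constructed): the post body is concatenated into the
// HTML unchanged, so a posted <script> tag becomes part of the page.
function renderPostUnsafe(post) {
  return `<li class="post"><b>${post.author}</b>: ${post.body}</li>`;
}

// Hardened version: every user-controlled field is escaped when rendered.
// Escaping belongs at output time; the stored post keeps its original text.
function renderPostSafe(post) {
  return `<li class="post"><b>${escapeHtml(post.author)}</b>: ${escapeHtml(post.body)}</li>`;
}

// Constructed sample post containing a script tag, as the article describes.
const samplePost = {
  author: 'guest',
  body: '<script>alert(1)</script>',
};

// Helper used to check the rendered output: does the HTML still contain a
// raw (unescaped) script tag that a browser would execute?
function containsRawScriptTag(html) {
  return /<script\b/i.test(html);
}

console.log(renderPostUnsafe(samplePost)); // script tag left intact
console.log(renderPostSafe(samplePost));   // shown as &lt;script&gt;... text
```

The escaping here is correct for text placed inside an HTML element body or a quoted attribute value. Text inserted into other contexts (a JavaScript string, a URL, a CSS value) needs the encoding appropriate to that context, which is why a templating engine that escapes by default is preferable to hand-written concatenation.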

Countermeasure #2: Limiting input values

Restricting the values that users can enter is another countermeasure against cross-site scripting (XSS).

For example, when entering a postal code, disallowing non-numeric entries prevents script insertion.

Also, even where the character type cannot be restricted, limiting the length of the input value makes it possible to suppress, to some extent, the insertion of scripts that would allow an attack.
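The following is an added example, not code from the original article, showing both restrictions described above applied on the server side: a postal code field that accepts digits only, and a free-text field whose character set cannot be restricted but whose length is capped. The field names, the 7-digit postal code format and the 200-character limit are assumptions chosen for the example.

```javascript
// Added example (not from the original article): server-side validation of
// the character type and length of input values before they are accepted.
const RULES = {
  // Postal code: digits only, fixed length. The 7-digit, no-hyphen format is
  // an assumption for this example; use the format your application expects.
  postalCode: { pattern: /^[0-9]{7}$/, maxLength: 7 },
  // Free-text comment: the character type cannot be restricted, so only the
  // length is limited, which cuts down the room available for a script payload.
  comment: { pattern: null, maxLength: 200 },
};

// Validate one field against its rule; returns { ok, reason }.
function validateField(name, value) {
  const rule = RULES[name];
  if (!rule) {
    return { ok: false, reason: `unknown field: ${name}` };
  }
  if (typeof value !== 'string') {
    return { ok: false, reason: `${name} must be a string` };
  }
  // Check length first so an oversized value is rejected before any pattern work.
  if (value.length > rule.maxLength) {
    return { ok: false, reason: `${name} exceeds ${rule.maxLength} characters` };
  }
  if (rule.pattern && !rule.pattern.test(value)) {
    return { ok: false, reason: `${name} contains disallowed characters` };
  }
  return { ok: true };
}

// Validate a whole submitted form. Unknown fields are rejected as well, so a
// request cannot carry extra parameters that no rule ever looks at.
function validateForm(fields) {
  const errors = {};
  for (const [name, value] of Object.entries(fields)) {
    const result = validateField(name, value);
    if (!result.ok) {
      errors[name] = result.reason;
    }
  }
  return { ok: Object.keys(errors).length === 0, errors };
}

// Constructed sample submissions: one acceptable, one carrying a script tag
// in the postal code field, one with an over-long comment.
const goodForm = { postalCode: '1234567', comment: 'Thanks for the article.' };
const scriptInPostal = { postalCode: '<script>alert(1)</script>' };
const longComment = { comment: 'A'.repeat(201) };

console.log(validateForm(goodForm));
console.log(validateForm(scriptInPostal));
console.log(validateForm(longComment));
```

Validation of this kind narrows what an attacker can submit, but a free-text field still accepts `<` and `>`, so the output escaping from countermeasure #1 remains necessary for anything that is later rendered into a page.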

Countermeasure #3: Using WAF (Web Application Firewall)

Both of the countermeasures above are implemented when the web application is built.

However, even the most meticulously crafted web applications can be vulnerable to cross-site scripting attacks.

To be prepared in case such a vulnerability slips through, it is recommended to use a WAF (Web Application Firewall). Even if a cross-site scripting attack is possible because the web application does not check its input, introducing a WAF can block the attack.

This is because a WAF monitors the content of the requests users send. WAF is an abbreviation of Web Application Firewall, a tool that protects web applications, including websites, from cyberattacks. It sits in front of the web server and inspects and analyzes all traffic to your web applications; when it detects an attack, it blocks that communication.
