What is Cross-Site Scripting (XSS) and How to Protect Your Website and Ads

Man

In this article, we will talk about one of the most common methods of attacking websites: cross-site scripting (XSS). This is a technique that lets attackers place malicious scripts on trusted resources and use them to redirect traffic to third-party sites or steal data.

Contents
1. What is XSS
2. How it works
3. How an XSS attack can threaten a business
4. XSS and advertising
5. Real-life examples of cross-site scripting
6. Types of XSS attacks
6.1. Stored (persistent) cross-site scripting attacks
6.2. Reflected XSS attacks
6.3. DOM-based XSS attacks
7. How to protect your website from XSS injections
7.1. Manual code reviews and penetration testing
7.2. Filtering user input
7.3. Escaping methods
7.4. Checking the code yourself
7.5. Adhere to CSP policies
7.6. Check advertising traffic and use blacklists for sites

What is XSS

Cross-site scripting (X-site scripting) is one of the most well-known and widely used attack techniques against websites and applications. Attackers find vulnerabilities on a website and distribute malicious scripts through them. In this case, the target is usually not the website itself but the end user.

The name comes from early versions of the technique, when cybercriminals specialized in stealing data across sites. The modern version is a type of injection attack, that is, the insertion of a malicious piece of code.

Fraudsters inject a malicious script – often JavaScript – into a hacked website or application, which is transferred to the browser of the user who visited the resource. In this way, the attacker gains access to the user’s cookies, can track their behavior, load fake or external content, and steal confidential data. For example, fraudsters can inject scripts into a website through the comment box.

How does this work

Cross-site scripting attacks are carried out in two stages:

— Code injection

First, the attacker must find a way to inject malicious code into a website or application. This is usually done using JavaScript. Fraudsters can also use HTML or any other markup language.

For this step to be possible, the attacked site must accept user input somewhere: a search bar, a comment field, a login form.

For example, suppose user comments are stored as plain text and embedded directly into the page markup. A cybercriminal can then submit a comment containing JavaScript or HTML and thereby change the code the page executes.

— Execution of code by the user's browser

The second stage of an XSS attack exploits the fact that the browser cannot tell an injected script from the site's own markup, so it executes the script like any other.

In this way, the attacker can use the script for a range of attacks: reading data from local storage, accessing cookies, stealing personal information, phishing, or distributing malware.

How XSS attacks can threaten business

Cross-site scripting attacks are so common that they have remained in the OWASP Top 10 (a list maintained by the Open Web Application Security Project, a non-profit organization) since the list's inception.

A basic XSS exploit may not go beyond stealing cookies, but it still constitutes identity theft and a serious breach of privacy laws in some countries. And since the theft is happening on a third-party website, the website owner is held liable. If the data in question is sensitive, such as medical records or banking transactions, the consequences can be even more serious.

Attackers can use stolen cookies to drive invalid traffic to websites and ads, as well as to reinforce bot profiles to pass them off as real users.

XSS and advertising

In advertising and SEO, XSS attacks are used to hack websites and place backlinks on them, redirect visitors, create doorway pages, and so on. As a rule, all such vulnerabilities are monetized by redirecting visitors to affiliate program websites.

The entire supply chain of the digital advertising industry is at risk from cyber groups that specialize in XSS attacks. Here is a short list of actors that could be affected by cross-site scripting:
  • Publishers (webmasters) whose sites are hacked.
  • Advertising platforms with their media networks compromised by malicious attacks.
  • Advertisers who lose money on invalid clicks and other malicious traffic.

Such attacks also undermine the trust of all participants in the chain.

Real-life examples of cross-site scripting

— Magecart and Newegg

Hackers from the Magecart group used cross-site scripting to hack the website of online computer and electronics retailer Newegg. They injected malicious JavaScript into the secure.newegg.com checkout page, using this script to steal customer payment information.

They then sent this data to the domain neweggstats.com, which belonged to cybercriminals. The stealth nature of the attack allowed the attackers to steal data from unsuspecting users for more than a month. During this time, they were able to steal data from thousands of customers.

Not only do these types of attacks result in regulatory fines and threats of legal action, they can also have disastrous consequences for a company's reputation and customer trust.

— Magecart and British Airways

Another XSS attack took place in 2018, when British Airways was targeted by the same Magecart group. The attackers exploited an XSS vulnerability in the Feedify JavaScript library, which was used on the company's official website.

The attackers modified the script to send customer data to a malicious server that used a domain name similar to British Airways. The fake server had an SSL certificate, so users believed they were making a purchase on the official site.

The fraudsters were able to skim credit cards on 380,000 booking transactions before British Airways' cybersecurity team discovered the breach.

— eBay

In late 2015 and early 2016, a serious XSS vulnerability was discovered on eBay. The site used a URL parameter that redirected users to different pages on the platform, but did not validate the value of the parameter.

This allowed attackers to inject malicious code into the page and gain full access to sellers' eBay accounts, sell items at a discount, and steal payment details. They used it extensively to manipulate eBay's catalog of high-value items, such as vehicles. The marketplace eventually fixed the vulnerability, but subsequent attacks continued into 2017.
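The eBay case above turned on a redirect parameter that was used without validation. The following is an added example, not code from the original article or from eBay, showing the defensive check a site can apply before honoring such a parameter: the value is resolved against the site's own origin and accepted only if it stays on that origin with an http(s) scheme. The function names, the `SITE_ORIGIN` value and the sample inputs are constructed for the example.

```javascript
// Added example: validating a redirect parameter before using it.
// SITE_ORIGIN is a constructed value standing in for the real site.
const SITE_ORIGIN = 'https://shop.example';

// Returns an absolute same-origin URL, or null if the value must be rejected.
function safeRedirectTarget(raw, origin = SITE_ORIGIN) {
  if (typeof raw !== 'string' || raw.length === 0 || raw.length > 2048) return null;
  // Control characters and whitespace have no place in a redirect target.
  if (/[\u0000-\u0020\u007f]/.test(raw)) return null;
  let url;
  try {
    // Resolving against the site origin makes "/account" absolute while
    // leaving "https://other.example" and "//other.example" on their own host.
    url = new URL(raw, origin);
  } catch {
    return null;
  }
  // Only http(s) survives; javascript:, data: and similar schemes are rejected
  // here explicitly, even though the origin comparison would also reject them.
  if (url.protocol !== 'https:' && url.protocol !== 'http:') return null;
  // A host that merely starts with our name (shop.example.other.example)
  // has a different origin and is rejected here as well.
  if (url.origin !== origin) return null;
  return url.href;
}

// Typical use in a request handler: fall back to the home page on rejection
// instead of reflecting the bad value anywhere. No server is started here.
function redirectResponse(rawParam) {
  const target = safeRedirectTarget(rawParam) || SITE_ORIGIN + '/';
  return { status: 302, headers: { Location: target } };
}
```

The check deliberately allow-lists one origin rather than trying to recognise bad values; anything that does not resolve to the site's own origin is sent to the home page.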

Types of XSS attacks

There are two main types of cross-site scripting, stored (persistent) attacks and reflected attacks, as well as a third, less common variety called DOM-based attacks.

Stored (persistent) cross-site scripting attacks

In persistent XSS attacks, attackers inject a malicious script or payload into an application or website so that it is permanently stored on the server. The malicious code is then delivered to every user who later opens the affected page.

Because the payload persists after the attacker's initial action, persistent XSS attacks are the most common form of cross-site scripting.

Hidden (blind) XSS vulnerabilities are a type of stored XSS that occurs when the attacker's input is stored by the server but executed elsewhere, either in an internal tool or in another application altogether. For example, if an attacker injects malicious code through a contact form, the script is executed as soon as an application administrator opens the submitted form.

Reflected XSS attacks

Reflected cross-site scripting attacks, or non-persistent XSS attacks, occur when a malicious script is reflected by an application or site back into the user's browser. This is typically done via a malicious link placed on a third-party resource, such as a comment section; the link sends a request carrying the payload to the vulnerable site, which reflects it into the victim's browser.

Although a reflected attack does not require the attacker to find a site with an XSS vulnerability, it will not work unless users click the link. Therefore, it has a lower success rate than persistent attacks.

DOM-based XSS attacks

DOM-based or client-side cross-site scripting is an attack in which an attacker modifies the DOM environment in the victim's browser to execute a payload.

How to protect your website from XSS injections

XSS vulnerabilities are one of the most common application vulnerabilities. Fortunately, it is easy to determine whether a site is vulnerable to XSS attacks. Here are some things you can do to protect your site from cross-site scripting.

Manual code reviews and penetration testing (pentesting)

When creating applications or websites, code review is always required. It is advisable to manually audit the source code to identify security vulnerabilities and perform a pentest to identify potential issues.

In particular, you need to look at how user input is handled, such as in a comment box or in the login field of an authorization form, and ensure that it is handled correctly. Any HTML output that includes user input should be encoded, as should URLs. It is also important to validate and encode user input in URLs to prevent broken links and system vulnerabilities.

Filtering user input

A simple way to reduce the likelihood of XSS attacks is to "sanitize" all user-entered text and remove dangerous tags and attributes such as <script>, <body>, <html>, and so on. However, it is not recommended to rely on filtering as the only protection against cross-site scripting, as sophisticated attackers can use techniques such as hex encoding and Unicode character variations to bypass filters.
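To make the paragraph above concrete, here is an added example (not the article's code and not any particular library) contrasting the two ways of filtering. `naiveFilter` is the blacklist approach the paragraph warns about: it removes one exact spelling of one tag and is defeated by the kind of variation the paragraph mentions. `sanitizeHtml` is the allow-list approach: it rebuilds the markup from scratch, keeping only a fixed set of tags and attributes and escaping everything else, so unknown tags never reach the browser. The allowed-tag set, the function names and the sample strings are constructed for this example.

```javascript
// Added example: blacklist filtering beside allow-list sanitization.
// ALLOWED_TAGS and ALLOWED_ATTRS are constructed choices, not a standard.
const ALLOWED_TAGS = new Set(['b', 'i', 'em', 'strong', 'p', 'br', 'a']);
const ALLOWED_ATTRS = { a: new Set(['href']) };

// Escapes the characters that can open or close markup in an HTML context.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, ch => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;',
  })[ch]);
}

// Accepts only absolute http(s) links; anything else (including relative
// paths, for simplicity here) is dropped.
function safeHref(value) {
  try {
    const u = new URL(value);
    return (u.protocol === 'http:' || u.protocol === 'https:') ? u.href : null;
  } catch {
    return null;
  }
}

// Blacklist approach: removes one spelling of one tag and nothing else.
function naiveFilter(input) {
  return input.replace(/<script>/g, '').replace(/<\/script>/g, '');
}

// Allow-list approach: walks the input tag by tag, escapes all text, drops
// every tag that is not allowed, and rebuilds allowed tags with only the
// attributes that are allowed for them.
function sanitizeHtml(input) {
  const tagRe = /<\/?([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>/g;
  let out = '';
  let last = 0;
  let m;
  while ((m = tagRe.exec(input)) !== null) {
    out += escapeHtml(input.slice(last, m.index)); // text between tags
    last = tagRe.lastIndex;
    const closing = m[0].startsWith('</');
    const name = m[1].toLowerCase();               // case variations collapse here
    if (!ALLOWED_TAGS.has(name)) continue;          // unknown tag: dropped entirely
    if (closing) { out += `</${name}>`; continue; }
    let attrs = '';
    const attrRe = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;
    let a;
    while ((a = attrRe.exec(m[2])) !== null) {
      const attrName = a[1].toLowerCase();
      const value = a[2] ?? a[3] ?? a[4] ?? '';
      if (!(ALLOWED_ATTRS[name] && ALLOWED_ATTRS[name].has(attrName))) continue;
      const clean = attrName === 'href' ? safeHref(value) : value;
      if (clean !== null) attrs += ` ${attrName}="${escapeHtml(clean)}"`;
    }
    out += `<${name}${attrs}>`;
  }
  out += escapeHtml(input.slice(last));           // trailing text
  return out;
}
```

Note that the allow-list version never tries to recognise what is dangerous; it only has to know what is permitted, which is why spelling and case variations of a disallowed tag make no difference to it.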

Escaping methods

Another popular method of protecting against cross-site scripting is escaping, which signals to the browser that data should not be interpreted as code. This way, even if an attacker manages to inject a script into a page on your site, the malicious code will not be executed. Escaping rules differ between HTML, JavaScript, and CSS, and must be applied for each context used on your site.

Writing code to escape user input is a labor-intensive process, so it is recommended to use existing libraries such as OWASP ESAPI or Microsoft AntiXSS.
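The following added example (not code from the article, OWASP ESAPI or Microsoft AntiXSS) ties together the comment scenario from the "How does this work" section and the escaping section above. A comment is rendered the vulnerable way, with author and text concatenated straight into the markup, and then with an encoder chosen for each output context the page writes into: HTML text and attribute, a URL query parameter, and a JavaScript string literal inside the site's own inline script. The point the article makes, that HTML escaping alone is not enough for the other contexts, is visible in `escapeJsString` and `escapeUrlParam`. Function names and the sample comment are constructed for this example; the probe in the comment text is the harmless `alert()` the article itself suggests for testing.

```javascript
// Added example: one encoder per output context, beside the unescaped render.

// HTML text and attribute values: the characters that can end or start markup.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, ch => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;',
  })[ch]);
}

// JavaScript string literal: everything outside [A-Za-z0-9] becomes \xHH or
// \uHHHH, so a value can never close the quote or the surrounding <script>.
function escapeJsString(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, ch => {
    const code = ch.charCodeAt(0);
    return code < 256
      ? '\\x' + code.toString(16).padStart(2, '0')
      : '\\u' + code.toString(16).padStart(4, '0');
  });
}

// URL query component: percent-encoding first, then HTML escaping, because
// the URL is itself written into an HTML attribute.
function escapeUrlParam(s) {
  return escapeHtml(encodeURIComponent(String(s)));
}

// Vulnerable rendering: user-controlled values dropped into three contexts.
function renderCommentUnsafe(c) {
  return [
    `<li title="${c.author}">${c.text}</li>`,
    `<a href="/profile?user=${c.author}">profile</a>`,
    `<script>var lastAuthor = "${c.author}";</script>`,
  ].join('\n');
}

// Escaped rendering: the same template with the encoder matching each context.
function renderCommentSafe(c) {
  return [
    `<li title="${escapeHtml(c.author)}">${escapeHtml(c.text)}</li>`,
    `<a href="/profile?user=${escapeUrlParam(c.author)}">profile</a>`,
    `<script>var lastAuthor = "${escapeJsString(c.author)}";</script>`,
  ].join('\n');
}

// Counts <script> start tags in markup. The browser has no other way to tell
// the site's script from an injected one, so an extra tag means an extra script.
function countScriptTags(html) {
  return (html.match(/<script\b/gi) || []).length;
}

// Constructed comment: an author name with quotes and an ampersand, and a
// text containing the harmless probe the article recommends.
const sampleComment = {
  author: 'Pat "The Hat" O\'Brien & Co',
  text: 'Nice <script>alert(1)</script>',
};

// Returns how many scripts the page ends up with in each rendering.
function demo(c = sampleComment) {
  return {
    unsafe: countScriptTags(renderCommentUnsafe(c)),
    safe: countScriptTags(renderCommentSafe(c)),
  };
}
```

In the unescaped render the page ends up with two scripts (the site's own and the injected one), and the quotes in the author name also break the attribute and the JavaScript literal; in the escaped render only the site's script remains and every value is displayed as data.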

Checking the code yourself

If you suspect an XSS vulnerability on your site, check it manually by running a harmless script. Find out if your browser executes it. The alert() function is good for this purpose.

Adhere to CSP policies

CSP can also protect against XSS attacks. Content Security Policy (CSP) is a security standard for web developers. It restricts the sources from which scripts, styles and other resources may be loaded when a site is opened in a browser. Using the Content-Security-Policy HTTP response header, you control what content the page may load depending on where the request goes.

This method can restrict the execution of inline and remote scripts, unsafe JavaScript, and form submissions. However, it is not the only defense against XSS attacks and does not replace secure development.

Check your ad traffic and use blacklists for sites

As for advertising, the advertiser should analyze the quality of advertising traffic sources. This can be done with the help of specialized anti-fraud systems that analyze not only the visitors who clicked on the ad, but also the quality of the sites in YAN and KMS.

For example, one such tool is Yandex Direct Protection from the Botfaqtor cybersecurity service. We receive data on visits in real time and analyze them against hundreds of parameters, including assessing the quality of traffic sources and enabling advertisers to send sites with a bad reputation to the blacklist.

Don't pay for fake advertising traffic. Save your budget with Botfaqtor cyber protection tools. Yandex Direct protection detects and blocks up to 90% of bots, checks the quality of traffic sources, analyzes key queries and UTM tags.

Protect your ads from invalid traffic. Bring in only targeted customers and save your budget: let it work for your business rather than flow into the pockets of scammers.