How to Safeguard Against Cross-Site Scripting (XSS) Attacks

January 9th, 2020
Cross-Site Scripting XSS

When hackers were asked about their favorite attack vector in 2019, the most popular response was cross-site scripting (XSS). While XSS is not a new method of attack, it has grown rapidly in visibility and impact in recent years.

As web applications become more data-centric and client-heavy, it’s more important than ever to protect them against attack.

What is XSS?

Cross-site scripting (XSS) is a class of web application vulnerability in which untrusted input reaches an HTML page (or the page's DOM) without being properly encoded, so an attacker can inject JavaScript of their own into the pages your users see. The victim's browser runs that script with the full privileges of your site's origin: it can rewrite the page's behavior or appearance, read cookies, local storage and anything on the page, capture what the user types, and issue requests to your application as that user. The browser has no way to tell your scripts from the injected ones; whatever arrives as part of the page is trusted and executed, malicious or not.

There are 3 types of XSS vulnerabilities to protect against:

  • Reflected XSS: Also known as non-persistent XSS. The malicious script travels in the request itself (a query-string parameter, form field or header), is echoed by the server into the response without proper encoding, and runs when the victim opens a crafted link or submits a crafted form. Nothing is stored, so the attacker has to deliver the link to each victim.
  • Stored XSS: Also known as persistent XSS. The payload is saved by the application (a comment, profile field, support ticket or product review) and served to every user who later views that data, so one submission can reach many victims with no further action from the attacker.
  • DOM XSS: The server's response is clean; the flaw is in client-side JavaScript that reads attacker-controlled data (the URL fragment, location.search, postMessage data, storage) and writes it into the page through a dangerous sink such as innerHTML, document.write or eval. Because the payload may never reach the server, server-side filters and logs do not see it.
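The three variants above share one root cause: untrusted data is written into a page as markup instead of as text. The following is an added example, not code from the original post or from Tala, that shows the vulnerable pattern behind reflected and stored XSS next to its output-encoded form, the attribute-context variant, and the DOM-based version with an innerHTML sink beside a textContent sink. Function names, the payload string and the tiny element stand-in (used so the DOM part runs under Node without a browser) are all illustrative assumptions.

```javascript
'use strict';

// Constructed sample input: a classic XSS probe. Nothing here is real
// application code; all names are illustrative.
const PAYLOAD = '<img src=x onerror="alert(document.cookie)">';

// Vulnerable rendering: the untrusted value is concatenated straight into
// HTML. When `name` comes from the request this is reflected XSS; when it
// comes from the database (a stored profile or comment) it is stored XSS.
function renderGreetingUnsafe(name) {
  return `<p>Hello, ${name}!</p>`;
}

// HTML entity encoding for element bodies and quoted attribute values.
// The character set follows the OWASP XSS prevention recommendations.
function escapeHtml(value) {
  const map = {
    '&': '&amp;', '<': '&lt;', '>': '&gt;',
    '"': '&quot;', "'": '&#x27;', '/': '&#x2F;',
  };
  return String(value).replace(/[&<>"'/]/g, (ch) => map[ch]);
}

// Hardened rendering: encode at the point of output, for the HTML context.
function renderGreetingSafe(name) {
  return `<p>Hello, ${escapeHtml(name)}!</p>`;
}

// Attribute context: encoding alone is not enough, the attribute must also
// be quoted, or a space in the value starts a new attribute such as onfocus=.
function renderSearchBoxSafe(query) {
  return `<input name="q" value="${escapeHtml(query)}">`;
}

// DOM-based XSS lives entirely in client-side code: the server output is
// clean and the script reads the URL fragment and writes it into the page.
// This stand-in mimics the two properties used below; in a real page `el`
// would come from document.getElementById(...).
function makeElement() {
  return { innerHTML: '', textContent: '' };
}

// Vulnerable sink: innerHTML parses the fragment as markup.
function showMessageUnsafe(el, hash) {
  el.innerHTML = decodeURIComponent(hash.slice(1));
  return el;
}

// Safe sink: textContent inserts the fragment as inert text.
function showMessageSafe(el, hash) {
  el.textContent = decodeURIComponent(hash.slice(1));
  return el;
}

// Cheap oracle: does the rendered HTML still open a tag of this name?
function formsTag(html, tagName) {
  return new RegExp(`<${tagName}\\b`, 'i').test(html);
}

function demo() {
  const hash = '#' + encodeURIComponent(PAYLOAD);
  return {
    unsafe: renderGreetingUnsafe(PAYLOAD),
    safe: renderGreetingSafe(PAYLOAD),
    attribute: renderSearchBoxSafe('" autofocus onfocus="alert(1)'),
    domUnsafe: showMessageUnsafe(makeElement(), hash),
    domSafe: showMessageSafe(makeElement(), hash),
  };
}

console.log(demo());
```

escapeHtml is only correct for the HTML body and quoted-attribute contexts. Data written into a JavaScript string, a URL, a CSS value or an unquoted attribute needs the encoder for that context, and a framework's templating (which auto-escapes by default) is preferable to hand-rolled concatenation. On the client, prefer textContent, setAttribute and similar text-only APIs over innerHTML, and treat location, document.referrer and postMessage data as untrusted.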

Why XSS Has Risen in Use

The survey mentioned above, which listed XSS as the #1 web vulnerability, also reported that its use rose 36% in the past year. What has caused this dramatic increase? The main reasons have to do with the nature of web applications in 2019:

  • Increased use of 3rd party libraries: More and more applications rely on 3rd party JavaScript libraries, and a modern website can load dozens of them. Every one of those scripts runs with the same origin privileges as your own code, so a vulnerable or compromised library is an XSS vector in its own right, and it is very difficult to vet them all.
  • Increased data-centric applications: Modern applications are data-driven, and more data means more code paths that handle it. Encoding that data correctly in every one of those paths is hard, and a single missed path is enough.
  • Client heavy applications: Modern applications are very client-heavy. Logic has shifted from server-side to client-side processing, and client code that reads URL fragments, query parameters or postMessage data and writes it into the DOM is exactly what DOM-based XSS exploits.

In general, there are many ways a user can get input into an application (query strings, form fields, headers, stored profile data, messages from other users). Sanitizing input on every one of those paths is difficult, which is why output encoding at the point where data is written into the page, backed by a Content Security Policy as a second layer, is the recommended approach rather than server-side input filtering alone.

Why does it matter to your organization?

Cross-site scripting issues have been present since the 1990s. Recently, however, attackers have found newer and sneakier ways to exploit it – and not in a small way.

  • Facebook has battled various XSS exploits and bad publicity as it tried to secure its platform for millions of users at risk.
  • Some of the world’s largest platforms (including Reddit, Amazon Music, Tinder, Pinterest) put a staggering 685 million accounts at risk as a result of an XSS vulnerability in a third-party component.

The fact is, all organizations need to protect against XSS attacks. In that survey, cross-site scripting was listed as the top vulnerability in every industry.

The impact of XSS can be felt in organizations of any size. The main impact of an attack will be felt in two areas:

  • End users are exploited. Theft of PII or sensitive information can leave your customer’s financial or personal information vulnerable. Not only will this cause GDPR compliance issues, but your users will also feel the impact the hardest. XSS can be exploited in many different ways:
    • Payment information exfiltration
    • Account hijacking
    • Credential theft
    • Drive-by downloads via malicious redirects
    • Injected competitor ads
  • Brand impact. As a result of a data breach that negatively affects your end-users or releases sensitive company information, your brand could take a significant hit. Companies that have suffered significant data breaches such as Equifax or Capital One struggled to regain their brand reputation and the trust of their customers.

Preventing Cross-site Scripting Vulnerabilities

Tala Security provides a complete client-side security solution that protects you against XSS and other client-side attacks such as content injection, data exfiltration, and PII/sensitive data exfiltration. 

To protect against XSS, Tala first analyses your application in order to generate very fine-grained security policies. Tala then helps you generate the most precise Content Security Policy (CSP) possible to protect your application against XSS attacks. Tala’s approach takes strategies used by Google and automates the process of generating CSPs for all your web applications. This allows your IT team to scale your CSPs to meet the increasing demands of your applications in a way that is impossible with today’s web architectures.

Cross-site scripting attacks are a rising concern for all industries and will continue to be a favored strategy for cyber-criminals. By taking the right steps, you can protect your users and your brand from the risks of XSS.


Written by Mark Bermingham, VP of Marketing at Tala Security

Mark brings a wealth of industry knowledge and a solid understanding of marketing technology. He is responsible for Tala’s awareness building and go-to-market strategies including analyst relations, market research, communications, digital marketing, demand generation, PR and partner marketing. Prior to Tala, Mark held senior marketing roles with Source Defense, NetShield and Kaspersky Lab. Mark holds an MBA from UCLA’s Anderson School.