When hackers were asked about their favorite attack vector in 2019, the most popular response was cross-site scripting (XSS). While XSS is not a new method of attack, it has grown rapidly in visibility and impact in recent years.
As web applications become more data-centric and client-heavy, it’s more important than ever to protect them against attack.
What is XSS?
There are 3 types of XSS vulnerabilities to protect against:
- Reflected XSS: Also known as non-persistent XSS, a reflected XSS attack delivers the malicious script in a request to the vulnerable site (typically in a URL parameter), and the server echoes it back in the response, bouncing it into the user’s browser.
- Stored XSS: Stored, or persistent, XSS involves inserting malicious code directly into the web application, where it is saved (for example in a database-backed comment or profile field) and served to every user who later views the affected page.
- DOM XSS: DOM-based XSS is an attack where the malicious script never appears in the HTML returned by the server; instead, client-side JavaScript writes attacker-controlled data (such as part of the URL) into the Document Object Model.
Why XSS Has Risen in Use
The survey mentioned above, which listed XSS as the #1 web vulnerability, also found that its use rose 36% in the past year. What has caused this dramatic increase? The main reasons have to do with the nature of web applications in 2019:
- Increased data-centric applications: Modern applications are data-driven, and more data means more code that handles that data. Sanitizing it correctly in every code path is hard.
- Client-heavy applications: Modern applications are very client-heavy. Logic has shifted from server-side to client-side processing, and heavy client-side logic and input handling make these applications susceptible to DOM-based XSS attacks, which server-side filtering never sees.
In general, there are many ways a user can submit input to an application. This makes it difficult to sanitize input from every path and complicates server-side protection against XSS.
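The three XSS types listed above and the client-side shift just described come down to one question: where untrusted data is written into the page, and whether it is treated as text or as markup. The following is an added example written for this article (it is not code from the original post or from Tala Security). It shows the same untrusted input handled by a server-side template, the reflected and stored pattern, and by a client-side DOM sink, the DOM-based pattern, each in a vulnerable and a hardened form. It runs under Node.js without a browser; `FakeElement`, `escapeHtml`, `renderSearch*`, `greet*` and the probe string are all constructed for the example, and `FakeElement` is a stand-in for a DOM node, not a real DOM implementation.

```javascript
// Added example (not from the original article or Tala Security): the same
// untrusted input handled by a server-side template (reflected/stored XSS
// pattern) and by a client-side DOM sink (DOM-based XSS pattern), each in a
// vulnerable and a hardened form. Runs under Node.js with no browser.

// Escaper for text placed into an HTML element body or a double-quoted
// attribute. Escaping is context-specific: this is not sufficient for
// JavaScript, URL or CSS contexts.
function escapeHtml(untrusted) {
  return String(untrusted)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;');
}

// --- Reflected / stored pattern: the server builds HTML from user data ----

// Vulnerable: the query (from the URL for reflected XSS, from the database
// for stored XSS) is concatenated straight into the page markup.
function renderSearchUnsafe(query) {
  return `<p>Results for: ${query}</p>`;
}

// Hardened: the same data is escaped for the HTML text context on output.
function renderSearchSafe(query) {
  return `<p>Results for: ${escapeHtml(query)}</p>`;
}

// --- DOM-based pattern: client-side script writes to the page -------------

// Constructed stand-in for a DOM element (not a real DOM implementation).
// It models the one distinction that matters here: innerHTML parses its
// argument as markup, textContent stores it as a text node, so serializing
// the element back to HTML escapes it, as a browser would.
class FakeElement {
  constructor() { this.markup = ''; }
  set innerHTML(html) { this.markup = String(html); }
  get innerHTML() { return this.markup; }
  set textContent(text) { this.markup = escapeHtml(text); }
}

// Vulnerable: data taken from the URL fragment is assigned to innerHTML.
// The fragment is never sent to the server, so server-side sanitization
// cannot see it; DOM-based XSS has to be fixed in the client code.
function greetUnsafe(element, hash) {
  const name = decodeURIComponent(hash.replace(/^#/, ''));
  element.innerHTML = 'Welcome, ' + name;
  return element.innerHTML;
}

// Hardened: textContent treats the data as plain text, never as markup.
function greetSafe(element, hash) {
  const name = decodeURIComponent(hash.replace(/^#/, ''));
  element.textContent = 'Welcome, ' + name;
  return element.innerHTML;
}

// Check used by the demo: did an input that should only have been text end
// up contributing a script element to the rendered markup?
function containsScriptTag(rendered) {
  return /<script\b/i.test(rendered);
}

// Exercise all four paths with one constructed probe string.
function demo() {
  const probe = '<script>alert("xss")</script>';   // constructed test input
  const fragment = '#' + encodeURIComponent(probe); // as it would sit in location.hash
  return {
    reflectedUnsafe: containsScriptTag(renderSearchUnsafe(probe)),               // true
    reflectedSafe:   containsScriptTag(renderSearchSafe(probe)),                 // false
    domUnsafe:       containsScriptTag(greetUnsafe(new FakeElement(), fragment)), // true
    domSafe:         containsScriptTag(greetSafe(new FakeElement(), fragment)),   // false
  };
}

console.log(demo());
```

The point the demo makes is the one the article's list implies: the server-side fix (output encoding in `renderSearchSafe`) does nothing for the DOM-based path, because the fragment never reaches the server; that path is only closed by choosing a text sink (`textContent`) instead of a markup sink (`innerHTML`) in the client code.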
Why does it matter to your organization?
Cross-site scripting issues have been present since the 1990s. Recently, however, attackers have found newer and sneakier ways to exploit it – and not in a small way.
- Facebook has battled various XSS exploits and bad publicity as it tried to secure its platform for millions of users at risk.
- Some of the world’s largest platforms (including Reddit, Amazon Music, Tinder, Pinterest) put a staggering 685 million accounts at risk of compromise as a result of a third-party XSS vulnerability.
The fact is, all organizations need to protect against XSS attacks. Cross-site scripting was listed as the top vulnerability in every industry.
The impact of XSS can be felt in organizations of any size. The main impact of an attack will be felt in two areas:
- End users are exploited. Theft of PII or sensitive information can leave your customers’ financial or personal information exposed. Not only will this cause GDPR compliance issues, but your users will also feel the impact the hardest. XSS can be exploited in many different ways:
  - Payment information exfiltration
  - Account hijacking
  - Credential theft
  - Drive-by downloads via malicious redirects
  - Competitor ads
- Brand impact. As a result of a data breach that negatively affects your end-users or releases sensitive company information, your brand could take a significant hit. Companies that have suffered significant data breaches such as Equifax or Capital One struggled to regain their brand reputation and the trust of their customers.
Preventing Cross-site Scripting Vulnerabilities
Tala Security provides a complete client-side security solution that protects you against XSS and other client-side attacks such as content injection, data exfiltration, and PII/sensitive data exfiltration.
To protect against XSS, Tala first analyses your application in order to generate very fine-grained security policies. Tala then helps you generate the most precise Content Security Policy (CSP) possible to protect your application against XSS attacks. Tala’s approach takes strategies used by Google and automates the process of generating CSPs for all your web applications. This allows your IT team to scale your CSPs to meet the increasing demands of your applications in a way that is impossible with today’s web architectures.
Cross-site scripting attacks are a rising concern for all industries and will continue to be a favored strategy for cyber-criminals. By taking the right steps, you can protect your users and your brand from the risks of XSS.