Cross Site Scripting (XSS)


What is Cross-site Scripting (XSS)

Cross-site scripting (XSS) is a type of security vulnerability that can be found in some web applications. XSS attacks allow attackers to inject client-side scripts into web pages viewed by other users.

Cross-site scripting vulnerabilities could be used by attackers to bypass access controls such as the same origin policy. Cross site scripting is also included in the list of Top 10 OWASP (Open Web Application Security Project) vulnerabilities.

The abbreviation XSS is used instead of CSS because CSS already stands for Cascading Style Sheets.

How does XSS work?

Cross-site scripting works by manipulating a vulnerable website so that it returns malicious JavaScript to the victim. When the malicious code executes inside the victim's browser, the attacker can bypass client-side security controls, obtain sensitive information, or store malicious applications.

What are the types of XSS attacks?

1. Reflected XSS
Reflected XSS is the most common type of XSS and the easiest for attackers to carry out. Attackers use social engineering to get the victim to click a link carrying the malicious code, or to open it in the victim's browser. In this way the attacker can obtain the victim's cookie, which can later be used to hijack the user's session.

2. Stored XSS
Stored XSS is encountered less often, but the impact of the attack is greater. Stored XSS involves an application receiving data from a malicious source and storing it for inclusion in later HTTP responses. It is also known as second-order or persistent XSS, because the payload persists in the system.
The data can come from any untrusted source that sends an HTTP request to the application, such as comments posted on a blog, or from an application that displays email messages received via SMTP.

3. DOM-based XSS
This attack occurs when a web application writes data to the Document Object Model (DOM) without proper sanitization. Attackers can manipulate this data so that the page includes XSS content such as malicious JavaScript code.


Impact of XSS vulnerabilities:

There is a reason it appears in the OWASP Top 10 for 2013 and 2017. XSS can have serious consequences for web applications and their users: user accounts can be hijacked, credentials stolen, sensitive data retrieved, and, in the worst case, access to client computers obtained.

How to Prevent Cross-Site Scripting Attacks?

1. Sanitizing Inputs
Reflected and stored cross-site scripting can be addressed on the server side by sanitizing inputs.

Blacklisting characters deemed unsafe does not work in the long term, because malicious users will usually find a way around the blacklist. Instead, whitelist only what is allowed.
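The following is an added example, not code from the original article: a small Node.js module that shows the two server-side techniques the section recommends, whitelist (allowlist) validation of a field that has a known shape, and HTML output encoding of free-text input at the point where it is written into the page. The function names (escapeHtml, isAllowedUsername, renderSearchPage) and the sample inputs are this example's own.

```javascript
// Added example (not from the original article): allowlist validation plus
// HTML output encoding for untrusted input, in Node.js. Function names and
// sample values are this example's own, not from any framework.

// Encode the five characters that let text break out of an HTML text node
// or a double-quoted attribute value. The browser renders the entities as
// literal characters, so the input can no longer be parsed as markup.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
};

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Allowlist validation: rather than enumerating "bad" characters, accept
// only the shape the field legitimately needs. A username here is 3 to 32
// characters of letters, digits, underscore or hyphen; anything else is
// rejected outright instead of being "cleaned".
const USERNAME_RE = /^[A-Za-z0-9_-]{3,32}$/;

function isAllowedUsername(value) {
  return USERNAME_RE.test(value);
}

// A reflected search page: the query parameter is echoed back in the page.
// The unsafe version interpolates the raw input into HTML; the safe version
// encodes it at the moment it is written into the HTML text context.
function renderSearchPageUnsafe(query) {
  return `<p>Results for: ${query}</p>`;
}

function renderSearchPage(query) {
  return `<p>Results for: ${escapeHtml(query)}</p>`;
}

// Constructed sample input that contains markup.
const sample = '<script>alert(1)</script>';

console.log('unsafe:', renderSearchPageUnsafe(sample));
console.log('safe:  ', renderSearchPage(sample));
console.log('username "alice_01" allowed:', isAllowedUsername('alice_01'));
console.log('username "<alice>" allowed:', isAllowedUsername('<alice>'));
```

escapeHtml is correct only for the HTML text and quoted-attribute contexts it is written for; data placed inside a script block, a URL, or a CSS value needs the encoding rules of that context, which is why output encoding is done at the write site rather than once on input.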

2. Use the HttpOnly cookie flag
It is hard to prevent every XSS flaw in an application. To reduce the impact of XSS vulnerabilities, use the HttpOnly flag: if the browser supports it, the flag makes cookies inaccessible to client-side scripts, so an injected script cannot read the session cookie.

Set the HttpOnly flag on session cookies and on any custom cookies your JavaScript code does not need to access. The flag is enabled by default in .NET applications but must be enabled manually in other languages.

3. Implement Content Security Policy
Content security policy (CSP) is a browser mechanism that aims to mitigate the impact of cross-site scripting and some other vulnerabilities. If an application that employs CSP contains XSS-like behavior, then the CSP might hinder or prevent exploitation of the vulnerability. Often, the CSP can be circumvented to enable exploitation of the underlying vulnerability.

4. X-XSS-Protection Header
The HTTP X-XSS-Protection header controls a feature of browsers such as Google Chrome and Internet Explorer that filters suspicious content to prevent reflected XSS attacks. If the filter detects XSS, it blocks the page from loading, but it does not sanitize the inputs in the page.

However, relying on the X-XSS-Protection header can create additional client-side security risks, so it should be used with caution. The recommendation is to set the header to X-XSS-Protection: 0, which disables the XSS Auditor and stops the browser from applying its default filtering behavior.
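As an added example that is not part of the original article, the Node.js code below ties together points 2 to 4 above: it builds the response headers a server should send (a session cookie with HttpOnly, a Content-Security-Policy, and X-XSS-Protection: 0) and audits an arbitrary header set for the weaknesses those points warn about. The function names, the specific CSP baseline and the constructed "legacy app" header set are this example's own choices.

```javascript
// Added example (not from the original article): build and audit the
// XSS-related response headers discussed in the text, in Node.js. Function
// names, the CSP baseline and the sample header sets are this example's own.

// Headers a server should send. The CSP is a strict baseline: scripts only
// from the page's own origin, no inline scripts, no plugins. Real sites tune
// it, but allowing 'unsafe-inline' for scripts undoes most of the benefit.
function hardenedHeaders(sessionId) {
  return {
    'Set-Cookie': `session=${sessionId}; Path=/; HttpOnly; Secure; SameSite=Lax`,
    'Content-Security-Policy':
      "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'",
    'X-XSS-Protection': '0',
  };
}

// Split a Set-Cookie value into its cookie name and the set of attribute
// names (lower-cased, values dropped) that follow it.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const name = pair.split('=')[0];
  const attributes = new Set(attrs.map((a) => a.split('=')[0].toLowerCase()));
  return { name, attributes };
}

// Parse a CSP string into a map of directive name -> list of sources.
function parseCsp(policy) {
  const directives = {};
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    directives[tokens[0]] = tokens.slice(1);
  }
  return directives;
}

// Audit a header map and return the findings a reviewer would raise.
// Header names are matched case-insensitively, as HTTP requires.
function auditHeaders(headers) {
  const findings = [];
  const lower = {};
  for (const [k, v] of Object.entries(headers)) lower[k.toLowerCase()] = v;

  const cookie = lower['set-cookie'];
  if (cookie) {
    const { name, attributes } = parseSetCookie(cookie);
    if (!attributes.has('httponly')) findings.push(`cookie ${name} lacks HttpOnly`);
    if (!attributes.has('secure')) findings.push(`cookie ${name} lacks Secure`);
  }

  const csp = lower['content-security-policy'];
  if (!csp) {
    findings.push('no Content-Security-Policy header');
  } else {
    const d = parseCsp(csp);
    // script-src falls back to default-src when it is not set explicitly.
    const scriptSrc = d['script-src'] || d['default-src'] || [];
    if (scriptSrc.includes("'unsafe-inline'")) findings.push("script-src allows 'unsafe-inline'");
    if (scriptSrc.includes('*')) findings.push('script-src allows any origin');
  }

  const xss = lower['x-xss-protection'];
  if (xss !== undefined && xss.trim() !== '0') {
    findings.push('X-XSS-Protection should be 0 (legacy auditor enabled)');
  }
  return findings;
}

// Constructed sample: a weak header set from a hypothetical legacy app.
const weakHeaders = {
  'Set-Cookie': 'session=abc123; Path=/',
  'Content-Security-Policy': "default-src 'self'; script-src 'self' 'unsafe-inline'",
  'X-XSS-Protection': '1; mode=block',
};

console.log('weak:', auditHeaders(weakHeaders));
console.log('hardened:', auditHeaders(hardenedHeaders('abc123')));
```

The audit treats X-XSS-Protection as a legacy setting to be switched off rather than a control to rely on, which matches the recommendation above; current Chromium-based browsers no longer ship the XSS Auditor at all, so a CSP without 'unsafe-inline' is the header that does the real work.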

5. Implement a Web Application Firewall (WAF)

A Web Application Firewall (WAF) is used to minimize or prevent attackers from executing XSS. However, many attackers have been able to bypass WAFs, so implementing a WAF only minimizes the risk rather than eliminating it.