3 Types of Cross-Site Scripting (XSS) Attacks
Cybersecurity is a major concern online, and hackers can use multiple vectors to target your website. Learn about the three types of cross-site scripting (XSS) cyberattacks, how they overlap, and how to mitigate XSS vulnerabilities in your projects.
Security is a major concern in the cyber world. Without appropriate security measures in place, websites are vulnerable to cybercriminals via multiple attack vectors. Security breaches can cause:
- Database destruction or corruption
- Loss of confidential information
- Intellectual property theft
- Costs incurred by legal and regulatory breaches
To avoid these consequences, you should employ best practises and the right tools.
This article explores one common type of cyberattack: the cross-site scripting (XSS) attack. You’ll learn about the various types of XSS attacks, how they overlap, and how you can mitigate XSS vulnerabilities in your projects.
The concept of cross-site scripting
To carry out an XSS attack, the hacker inserts a malicious script into a website. Depending on the type of XSS attack, this script is then either transmitted to the victim or the website. The victim visits the website or tries to retrieve some data from the web server, launching the malicious script. The script usually introduces malware that steals sensitive data from the victim’s web server or browser or to change the website’s content.
There are numerous ways that hackers can exploit website vulnerabilities, as well as many strategies for counteracting them. If they aren’t quickly found and repaired, XSS vulnerabilities can lead to highly damaging attacks.
According to the Open Web Application Security Project (OWASP), XSS attacks fall into one of three categories: reflected XSS, stored XSS, and Document Object Model (DOM) XSS. These are detailed below.
Reflected cross-site scripting attack (non-persistent)
A reflected XSS attack occurs when a hacker delivers a malicious script to a vulnerable web application, which the server then returns in the HTTP response. The victim’s browser executes the malicious script as part of the HTTP response, compromising the legitimate user and sending private information back to the hacker.
Reflected XSS attacks typically target error messages or search engine result pages, as it’s easy to send a malicious email with a link that many users will click. When the user clicks the link, the server receives the request containing the malicious script, and since it’s not stored, it responds by sending a code back to the user. When user inputs aren’t adequately validated and sanitised, or when data is unsafely duplicated from a request, there’s a risk of reflected XSS vulnerabilities.
The first line of defence against XSS attacks is to filter content and verify user inputs. You can use script suppliers’ safelists and blocklists to reject risky data patterns.
Additionally, you can implement a stringent Content Security Policy (CSP) to help you identify the source of inline scripts, reducing the risk of reflected XSS attacks. A strong CSP gives you control of scripts and the web page locations where they may be loaded and run.
Stored cross-site scripting attack (persistent)
In a stored XSS attack, a malicious script saves user input to the target server. Unlike a reflected XSS attack, which executes on the server, a stored XSS attack executes on the user’s browser. Attackers then use modern HTML5 applications, typically employing HTML databases, to permanently store harmful scripts on the browser.
In a stored XSS attack, the script is saved and executed on the server every time the user accesses the affected website. It’s easy for an attacker to target a large number of victims, and the result is persistent. Stored XSS attacks can also occur when untrained users try to extract data from the software without taking any sanitisation or validation precautions.
Stored XSS attacks aim to reflect a malicious script to a user, so the easiest way to prevent them is to sanitise user data and handle inputs carefully—and the best way to prevent them is to use appropriate parameter binding.
You can sanitise data with an auto-escaping template system or HTML encoding. You should encode data intended for output to prevent the server from interpreting it as active content. This means the application will handle special characters in its saved data as HTML tag content, rather than plain HTML.
Data parameter (data) binding varies according to the vector, but you can always pass variables as additional values outside the normal functionality of the function. You can also use appropriate response headers to prevent attacks, typically by just adding a few lines of code.
Another technique to stop XSS attacks from occurring in real time is to employ dynamic security that actively searches for exploitation attempts. By blocking known patterns, you can stop attackers from exploiting existing loopholes.
Finally, you can use Web Application Firewalls (WAFs) for real-time XSS attack detection and mitigation.
Document Object Model (DOM) cross-site scripting attack
The DOM interface enables the processing and manipulation of web page contents by reading and modifying HTML and XML documents. DOM-based XSS attacks introduce malicious changes to the DOM context of the victim’s browser, causing the client-side code to be executed in unintended ways.
DOM-based XSS attacks, unlike reflected and stored XSS attacks, do not store the malicious script or deliver it to the server. In this attack, the victim's browser is the sole vulnerability. Since they’re more difficult to understand than other categories, DOM-based vulnerabilities are uncommon, sophisticated, and challenging to overcome. Moreover, automated vulnerability scanners and web application firewalls can’t easily identify them.
A novel defence against this type of attack is to use trusted types. This is a browser security mechanism that ensures that all risky parts of the DOM can only be used by data that has passed a predefined policy. It prevents arbitrary strings from being passed to potentially dangerous sinks, which helps the browser differentiate between code and data—removing the main source of vulnerability.
Server-side XSS versus client-side XSS
XSS attacks are categorised as either server XSS or client XSS. Client-side programmes run on the client’s device or browser and take care of the user interface and any other processing that takes place on the client’s device. Server-side programmes operate on servers and create the contents of a webpage.
Server-side XSS occurs when all the server-side code is vulnerable and the browser renders the response and runs any legitimate scripts embedded in it. On the other hand, client-side XSS executes on the user’s device and modifies a webpage after it has loaded.
An XSS attack is possible anywhere there is HTML. Whether they’re stored, reflected, or DOM-based, all XSS attacks have the same effect: An attacker gains complete control of a web session.
These XSS attacks can also overlap, and a website may be vulnerable to all three simultaneously. In the case of a single website or an offline application, all three attack types might present themselves directly in the browser. However, their behaviour may differ when the data is saved on the server compared to when it’s reflected from the server.
OWASP lists XSS as one of the top web application security risks due to its prevalence, far-reaching impacts, and different methods through which the attacks can be executed.
Attackers employ a range of strategies to deceive users. Each variety of XSS attack exploits a separate weakness, but they aren’t mutually exclusive. In some scenarios, a DOM-based XSS attack is combined with a reflected or stored XSS attack.
Although the techniques for preventing different XSS attacks are similar, a single strategy won't completely eradicate the risks. You should employ appropriate defensive tactics for every type of XSS attack.