Cross-site scripting (XSS)

Cross-site Scripting (XSS) is a security vulnerability usually found in websites or web applications that accept user input. Examples include search engines, login forms, message boards and comment boxes.

Cybercriminals exploit this vulnerability by entering strings of executable malicious code into these input functions. The malicious code is injected into the targeted website’s content, becoming part of the website and thus able to affect anyone who visits or views it. The code may also appear as transient content that isn’t actually part of the website but only appears to be to the visitor. Either way, it looks to the visitor as though the website has indeed been compromised by cybercriminals.

Cybercriminals may also use this vulnerability to take control or directly compromise a website, as well as exploit other existing vulnerabilities on the website's server or software.

How XSS Works:

  1. Cybercriminals choose their target website, and scope out its vulnerable functions that accept user input. Examples are search bars, login forms, and comment boxes.
  2. They input malicious code into the function they have chosen. The malicious code could be written in a language such as HTML or JavaScript, among others.
  3. The malicious code is injected into the web page that the function produces (the search results, or a comment on a comments page). It then becomes part of that web page, which is now compromised.
  4. Depending on how the code is injected, the malicious content may not even be on the actual web page itself, but rather as a transient element that only appears to be part of the website during the particular instance of the exploitation. This can create the illusion that the actual website is indeed compromised, when it is actually not.
  5. Users may become victims of the compromised web page by either getting linked to it by the cybercriminals responsible, or stumbling upon it, depending on which function the culprits decided to abuse.
  6. The routines that the injected code runs on a victim’s system range from the harmlessly annoying to the outright malicious: from an unexpected image displayed among the legitimately published content on that website, to something that redirects the user to a malicious website or automatically downloads malicious files onto their system. The code can also be used to steal critical personal information from the victim, such as login credentials.

Why Is XSS Dangerous?

  • With XSS, cybercriminals can turn trusted websites into malicious ones, thus causing inordinate harm and damage not only to the victims but also to the reputation of the trusted website's owner.
  • Websites that are compromised by XSS can cause any number of threats to attack a user's system. This can involve anything from inappropriate content being displayed to malware being downloaded onto the system without the user knowing.

What Can Users Do?

As dangerous as XSS is, there are ways to patch such a vulnerability. Website owners must ensure that every web application that accepts user input sanitizes the submitted strings before building the resulting page from them. This prevents any code injection from taking place. Users, on the other hand, should disable scripting in their browsers, as well as avoid clicking on links from suspicious parties or senders.

Website developers/owners should:

  • Ensure that any page on their website that accepts user input filters out code inputs, such as HTML and JavaScript.
  • Scan for any web application vulnerabilities and patch them accordingly.
  • Update their website and server software to prevent future exploitation of vulnerabilities that may also be targeted through an XSS attack.
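The "sanitizing" advised above is, in practice, encoding user input for the HTML context at the moment the page is built, so the browser treats it as text rather than markup. The following added example (not code from the original article) renders the two page fragments the article mentions, a search-results heading (reflected, transient content) and a comment list (stored content), each once without encoding, which is the flaw, and once with encoding, which closes it; all inputs are constructed samples.

```javascript
// Encode the characters that can change meaning inside HTML text or a
// double-quoted attribute value. Applied when the page is built, not when
// the input is stored, so the original text is preserved for other uses.
// Ampersand must be handled first so earlier replacements are not re-encoded.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Reflected case: the visitor's query is echoed back into the results page.
// Unsafe: the raw string becomes part of the markup.
function searchHeadingUnsafe(query) {
  return `<h2>Results for "${query}"</h2>`;
}
// Safe: the same string is encoded before it is placed in the page.
function searchHeadingSafe(query) {
  return `<h2>Results for "${escapeHtml(query)}"</h2>`;
}

// Stored case: every saved comment is written into the page for all visitors.
function commentListUnsafe(comments) {
  return `<ul>${comments.map((c) => `<li>${c}</li>`).join("")}</ul>`;
}
function commentListSafe(comments) {
  return `<ul>${comments.map((c) => `<li>${escapeHtml(c)}</li>`).join("")}</ul>`;
}

// Constructed sample inputs: one ordinary comment and one carrying markup,
// the textbook way of checking whether a field is encoded on output.
const sampleQuery = "<script>alert(1)</script>";
const sampleComments = ["Nice article, thanks!", "<script>alert(1)</script>"];

// Side-by-side view of what each renderer would send to the browser.
console.log(searchHeadingUnsafe(sampleQuery));
console.log(searchHeadingSafe(sampleQuery));
console.log(commentListUnsafe(sampleComments));
console.log(commentListSafe(sampleComments));
```

Encoding has to match the context the value lands in; the table above is correct for HTML text and quoted attributes, while values placed inside a script block, a URL or a CSS rule need that context's own encoding.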

Users should:

  • Disable scripting on pages where it is not required, or disable it completely.
  • Avoid clicking on links from suspicious emails or posts on message boards, as they may lead to compromised pages.
  • Access desired websites directly through their address, and not through a third-party source or link.
  • Update their system software and applications regularly to prevent secondary vulnerability exploitation.