• Identity 101
  • XSS Vulnerability 101: Identify and Stop Cross-Site Scripting

XSS Vulnerability 101: Identify and Stop Cross-Site Scripting

Learn how Adaptive Multi-Factor Authentication combats data breaches, weak passwords, and phishing attacks.
Read more
Okta
Updated: 04/21/2022 - 1:04
Time to read: 4 minutes

Cross-site scripting (or XSS) is a form of injection attack. A hacker places malicious code inside some part of a legitimate website or application. The target visits, and the code executes.

At the end of an XSS attack, a hacker has unauthorized access. That person could, for example, grab a user's session cookies. With that bit of data, the hacker could impersonate the victim and do something undesired, like steal money. Thankfully, there are ways to protect your site.

No web designer sets out to create a trap. But unfortunately, XSS attack vulnerabilities are widespread. In fact, some experts say “many” sites include them. If yours does, you put all of your visitors at risk.

What is cross-site scripting?

XSS (or cross-site scripting) is a security vulnerability you've coded into your website. Hackers use XSS to change or take over interactions your visitors would normally have with your website or app.

XSS twists the web's same-origin policy. That involves:

  • Connection. A device links with a website or app.
  • Permission. The website and the device connect through mutual agreement. The device might store cookies, for example. 
  • Skipping. With the two steps above complete, the device will trust the website with future requests. No more authorization is required. 

A hacker implants malignant code somewhere on your site and app. The user’s device runs the code without even checking, as it seems like it comes from a valid source. 

Problems like this can be remarkably widespread. For example, researchers uncovered a vulnerability inside a WordPress tool installed on about 100,000 websites. The hacker doesn’t need to change the code each time. As soon as a visitor taps into an infected site, the script can run. 

How do CSS attacks begin?

Devices and websites don't always engage in one-way communication. The two trade data, and if developers don't analyze or block inputs from users, XSS problems begin.

cross site scripting

 

The website includes user input inside the page code. The hacker inserts a malicious string in that vulnerable code. The next visitor can become a victim.

 

how xss works

XSS is different from a cross-site request forgery (or CSRF). Here, an attacker can entice someone to issue a request. But the hacker can't always see the response. In an XSS attack, the hacker can execute code, see the response, and even move out of the site with data.

2 types of XSS attacks

Every XSS attack begins with malicious code. But as any developer knows, there are thousands of different code types available.

OWASP recognizes two main types of XSS attacks:

  • Server: The malignant code is included within an HTTP response your server generates. 
  • Client: The malignant code comes from a user, and it updates the DOM. 

Some XSS attacks are transient, and they work just once. Others are persistent and can remain stored on the server, on a target’s device, or both.

9 cross-site scripting attack vectors

Vulnerable code is critical in building XSS attacks. Hackers typically look for a common vulnerability. 

Tags typically start the attack. These nine tag types are considered vulnerable:

Tags typically start the attack. These nine tag types are considered vulnerable:

  • body
  • div
  • frame
  • img
  • input
  • link
  • object
  • script
  • table

You can’t build a website without using one or several of these tags. They’re incredibly common, and users tend to want the functionality they deliver. You can’t protect your site by eliminating them.

How to limit your cross-site scripting attack risk

Any time you allow unfiltered user inputs into your outputs, you raise your risk of an XSS attack. You increase your risk if you use tools like Flash, VBScript, and JavaScript.

OWASP says the best way to lower your risk is to use context-sensitive server-side output encoding. In essence, you use a different response to the inputs your visitors give you.

Other techniques include:

  • Content security. Use the Content Security Policy (CSP) tool. With it enabled, the browser checks scripts before running them. Anything unusual is rejected before it runs.
  • Encoding. Ensure that your outputs are encoded, so they don't seem like active content.
  • Filters. Determine what inputs seem typical or expected. Reject any user input that seems unusual.
  • Headers. Prevent code in HTTP responses that shouldn't include HTML.
  • Java. Don't allow JavaScript on your site.

Close monitoring is crucial. Ensure that you know when code heads to your visitors from your website, and shut down anything that seems to run haywire.

If you're hoping to learn more about XSS and other attacks, download Okta's Security Technical Whitepaper today.

References

Cross-Site Scripting: Many Websites Remain Vulnerable to Common Web Exploit. (November 2015). The State of New Jersey.

XSS Bug in SEOPress WordPress Plugin Allows Site Takeover. (August 2021). Threat Post.

Types of XSS. OWASP.

Cross-Site Scripting (XSS). OWASP.