# What is Cross Site Scripting (XSS or CSS)

February 3, 2018

Nowadays, with networks expanding quickly and Web 2.0 in particular on the rise, the Internet is no longer unfamiliar to us. It is a good platform for users to communicate, chat, do business or play games together. For instance, we usually go to Google to search for information, to Amazon or eBay to buy books and many other goods, and to MySpace to communicate with friends. There is no doubt that the Internet is gradually becoming an integral part of our daily life, so providing a beneficial and safe networking environment is necessary. If there is a vulnerability in a famous website, a lot of its visitors will be attacked, and the consequences are hard to imagine. XSS is the most common security vulnerability in software today. This should not be the case, as XSS is easy to find and easy to fix. XSS vulnerabilities can have consequences such as tampering and sensitive data theft.

### Overview

With the Internet expanding quickly, there are more and more vulnerabilities which threaten billions of customers. Therefore, we must prevent these vulnerabilities from happening in order to provide a safer environment for surfing the Internet.

Cross-Site Scripting (XSS) refers to a client-side code injection attack in which an attacker can execute malicious scripts (also commonly referred to as a malicious payload) in a legitimate website or web application. XSS is among the most rampant web application vulnerabilities and occurs when a web application uses unvalidated or unencoded user input within the output it generates. It is also one of the most common application-layer web attacks.

XSS vulnerabilities target scripts embedded in a page that are executed on the client-side (in the user’s web browser) rather than on the server-side. XSS in itself is a threat that is brought about by the internet security weaknesses of client-side scripting languages, such as HTML and JavaScript. The concept of XSS is to manipulate client-side scripts of a web application to execute in the manner desired by the malicious user. Such a manipulation can embed a script in a page that can be executed every time the page is loaded, or whenever an associated event is performed.

By leveraging XSS, an attacker does not target a victim directly. Instead, an attacker exploits a vulnerability within a website or web application that the victim visits, essentially using the vulnerable website as a vehicle to deliver a malicious script to the victim’s browser. While XSS can be taken advantage of within VBScript, ActiveX and Flash (although these are now considered legacy or even obsolete), the most widely abused is unquestionably JavaScript – primarily because JavaScript is fundamental to most browsing experiences. Figure 1 shows an example of XSS.

#### Figure 1: Example of XSS

To successfully execute a stored XSS attack, a perpetrator has to locate a vulnerability in a web application and then inject a malicious script into its server (e.g., via a comment field). Among the most frequent targets are websites that allow users to share content, including blogs, social networks, video sharing platforms and message boards. Every time the infected page is viewed, the malicious script is transmitted to the victim’s browser.

### Key Concept of Cross Site Scripting

• XSS is a web-based attack performed on vulnerable web applications.
• In XSS attacks, the victim is the user and not the application.
• In XSS attacks, malicious content is delivered to users using JavaScript.

### Types of XSS

While the goal of an XSS attack is always to execute malicious JavaScript in the victim’s browser, there are a few fundamentally different ways of achieving that goal. XSS attacks are often divided into three types:

• Persistent XSS, where the malicious string originates from the website’s database.
• Reflected XSS, where the malicious string originates from the victim’s request.
• DOM-based XSS, where the vulnerability is in the client-side code rather than the server-side code.
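The reflected and persistent cases above, with unencoded output beside output-encoded output, as an added example that is not part of the original article. The function names, the `shop.example` URL and the sample comments are constructed, an in-memory array stands in for the website's database, and DOM-based XSS is left out because it occurs in client-side code rather than in server-generated output.

```javascript
// Added example. All names and data below are constructed for illustration.

// Encode the characters that let text break out of HTML element content
// or out of a quoted attribute value.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Reflected case: the string arrives in the request and is echoed back.
function renderSearchUnsafe(query) {
  return `<p>Results for: ${query}</p>`; // raw input lands in the markup
}
function renderSearchSafe(query) {
  return `<p>Results for: ${escapeHtml(query)}</p>`;
}

// Persistent case: the string was stored earlier and is served to every visitor.
function renderComments(comments, encode) {
  const enc = encode ? escapeHtml : (s) => s;
  return comments.map((c) => `<li>${enc(c.author)}: ${enc(c.text)}</li>`).join('\n');
}

// Demo-only check: does the generated page contain a live <script> tag?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed sample input.
const sampleUrl = new URL('https://shop.example/search');
sampleUrl.searchParams.set('q', '<script>alert(1)</script>');
const sampleQuery = sampleUrl.searchParams.get('q');
const sampleComments = [
  { author: 'alice', text: 'Great post & thanks!' },
  { author: 'mallory', text: '<script>alert(1)</script>' },
];

for (const [label, html] of [
  ['reflected, unencoded', renderSearchUnsafe(sampleQuery)],
  ['reflected, encoded', renderSearchSafe(sampleQuery)],
  ['persistent, unencoded', renderComments(sampleComments, false)],
  ['persistent, encoded', renderComments(sampleComments, true)],
]) {
  console.log(`${label}: script tag present = ${containsScriptTag(html)}`);
  console.log(html);
}
```

The encoded variants still display the submitted text to the reader, but the browser receives it as character data instead of markup.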

### Impact of Cross-Site Scripting

When attackers succeed in exploiting XSS vulnerabilities, they can gain access to account credentials. They can also spread web worms, access the user’s computer, view the user’s browser history or control the browser remotely. After gaining control of the victim’s system, attackers can also analyze and use other intranet applications.

By exploiting XSS vulnerabilities, an attacker can perform malicious actions, such as:

• Hijack an account.
• Access browser history and clipboard contents.
• Control the browser remotely.
• Scan and exploit intranet appliances and applications.
