Everything You Need to Know About Cross-site Scripting (XSS) Attacks

June 23, 2021

With Magecart-like and e-skimming attacks on the rise, the need for client-side security programs is critical. To date, security teams have been primarily focused on protecting their networks. Threat actors know this and have pivoted their tactics, techniques and procedures (TTPs) from the server-side to the client-side. Hackers go after the low hanging fruit–like  vulnerable websites and web applications. As a result, many security teams are shifting their focus from the server-side to the client-side to enable improved protection of customer data.

In this blog, we’ll take a closer look at cross-site scripting attacks and document-model (DOM)-based XSS attacks and what businesses can do about them. 

What is Cross-site Scripting (XSS)?

Cross-site scripting (XSS) is a security vulnerability typically found in web applications that allows threat actors to bypass access controls. XSS injects the malicious code into target website content, making it a part of the website. This allows the threat actor conducting an XSS attack to target victims who may visit or view that website. 

What is DOM-based XSS?

In DOM-based XSS attacks, the threat actor’s payload is executed as a result of modifications to the DOM environment in the victim’s browser, which was used by the original client-side script. As a result, the client-side code runs differently than it was originally designed to. The page itself doesn’t change, but the client-side code on the page executes differently due to the malicious DOM environment modifications.

What is an XSS Attack and How Does it Work?

In short, XSS is a client-side code injection attack. The user is the victim, not the application. The easiest of the XSS-type attacks to execute are JavaScript injection attacks. In XSS attacks, malicious scripts are injected into trusted websites. A threat actor then uses a web application or website to send malicious code, generally in the form of a client-side script, to a different user. 

  • Step 1
    • The attacker injects script onto target servers such as databases, message forums, visitor logs, or comment fields.
  • Step 2
    • The victim inadvertently retrieves the malicious script and activates it in their browser. 
  • Step 3 
    • The attacker uses the malicious code to hijack user browser sessions, take over user accounts, disclose end-user files, install malware, redirect the user to other pages, or modify content on the target website. 

Why Attack the Client-side with XSS Attacks?

Exploiting vulnerabilities on the client-side is one of the simplest ways for threat actors to start stealing data, take over user accounts, disclose data, install malware for future nefarious purposes, or otherwise deface target websites. Once an attacker has access to a website or web applications, they can damage both the business and reputation in a variety of ways. Not only can attackers steal data and sell it on the dark web for profit, they can also swap out text and images on your websites with everything from competitor messaging, to hate speech, to pornography. 

One big thing to note is that the victim of XSS attacks is the user, not the application. What this means is that the business who is hosting the application is under attack, but the user is being targeted to get to the business. XSS attacks happen outside of the traditional security perimeter and the traditional attack surface—that is, the attack surface within the business network or inside the firewall. Most security technologies miss XSS attacks, ensuring that XSS attacks can go on for months without detection and action. Attackers are increasingly circumventing corporate cybersecurity programs and security technologies. The user is the weak point, so why not exploit them instead?

What Can I Do to Protect My Business and My Customers? 

Regardless of your role—be it marketeer, customer service representative, security professional or application developer— you are responsible for protecting your most critical assets—your customers. In order to grow your business and avoid costly data breaches, it’s your responsibility to prevent XSS attacks and the associated data exfiltration. 

XSS vulnerabilities that allow for injection attacks are hard to identify. It is also relatively difficult to remove the malicious code from your web asset and keep malicious code off there for good. Application developers and security professionals need to work hand in hand to continuously scan their web applications and web sites for XSS vulnerabilities and patch them immediately. One thing to note is that without an automated web application client-side protection tool, the continuous scanning and patching process is extremely time consuming.

Lastly, don’t put your faith in a content security policy (CSP) as the silver bullet to protect you from XSS attacks. Read our blog on CSP here for more information. 

In Closing

The dangers that come through the client side are significant, but with knowledge of what is needed, businesses can achieve the right level of security to protect their customers. I encourage you to check out our Inspector and PageGuard products. They are specifically designed to continuously scan and protect your business from attackers being able to benefit from XSS attacks. If you would like to see our products in action, please request a demo here

Free Assessment

Security for Everyone that Visits Your Website

Find out if your web application is hiding vulnerable, malicious, or dangerous code that could damage your customers and your business. No payment information required.