Security News

Understanding and preventing cross-site scripting attacks

David Strom, 4 November 2020

Getting to know these highly customizable cyberattacks and how to protect yourself from them

You wouldn’t think an attack method that was first found more than 20 years ago would be at the top of anyone’s list of popular current attacks. But that is the case for Cross-Site Scripting (XSS), a method that was first discovered by Microsoft engineers at the turn of the century.

Our XSS explainer webpage goes into more detail about the different attack types and some of the more notable attacks and victims down through the years. Top marks were issued by MITRE’s Common Weakness Enumeration group, which also listed 24 other dangerous software weaknesses. Other malware-watchers have also attested to XSS’ popularity over the years, such as being #7 on the list of the OWASP top ten website vulnerabilities back in 2017. 

The basic idea is to take a targeted website and inject some code into its webpages so it loads content from other domains. This could take the form of a malicious login page, a set of session web cookies that can load malware, or a SQL injection or other kinds of compromises. A user is tricked into clicking on a malicious link to start things up. At that point, the user could divulge their passwords or permit an attack to take remote control over their PC completely, depending on the design of the malware.

One of the more infamous XSS attacks was called Samy, which infected more than one million users back in 2005 in less than a day. The malware wasn’t all that dangerous, except for its author, Samy Kamkar, who ended up paying a $15,000 fine and having to spend three years without any internet connection on probation.

XSS shows up in many places as just a supportive player in the malware attack. One infamous attack was seen by Uber back in 2018. HackerOne paid out a bug bounty of $3,000 to fix the issue. Another more recent example was seen last month, in which XSS played a role in fooling users into thinking they were dealing with a legitimate tech support person. In this particular case, the scammer was able to convince its victims to pay for the support to “unlock” their browsers, making use of XSS within one of the multiple deception layers used by the scammers.

So what can you do if you administer a website? There are numerous helpful resources, include these two cheat sheets from OWASP (1, 2) that involve cleansing your inputs. “Basically, you want to employ a combination of validating, filtering, encoding and escaping methods to prevent untrusted user input from executing on the web app,” says George Mathias in his Medium blog post. That post also has more details about historical XSS attacks and other suggestions. If you run a WordPress blog, here are a few suggestions to improve your site’s security posture. Some of these apply to any web server installation, such as choosing something other than “admin” as your site login and employing multi-factor authentication protection.

For those of you that want to beef up your own browsing security, you should also make use of Avast BreachGuard and use better browsers, such as Avast Secure Browser.