Cross Site Scripting
Cross Site Scripting (XSS) allows an attacker’s malformed parameter to manipulate the anticipated functionality of the web application, usually by modifying the underlying HTML or JavaScript. The most common XSS attack vector results in malicious JavaScript running in a client’s browser within the scope of the vulnerable web application. Attackers attempt to leverage this initial foothold to steal session data, compromise sensitive information from either the site or browser, or run exploits against the end user’s client system.
Exploitation
A “textbook” XSS attack can be demonstrated by stealing the session IDs (SIDs) of random users visiting a blog. The attacker submits a malformed comment value containing JavaScript. Once rendered, the JavaScript transmits a SID to an attacker-controlled endpoint.

XSS exploitation usually necessitates overcoming multiple site-specific technical challenges. It’s rarely this simplistic.
Remediation
XSS is best prevented by a combination of input validation and output encoding. Functionality to automate this safeguard is available within most modern frameworks and languages, such as the ASP.NET AntiXssEncoder.

Other security mechanisms are constantly evolving to outmaneuver prevalent XSS techniques. For example, the “HTTP-ONLY” cookie parameter (HttpOnly) prevents JavaScript from accessing a SID.
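
The blog-comment case from the Exploitation section, with the safeguards described above applied. This is an added example, not code from the original page: the function names, the 2000-character limit, the SID format and the sample comment are assumptions made for illustration.

```javascript
// Added example; all function names and limits are hypothetical.

// Output encoding: escape the characters that are significant in HTML
// text and quoted attribute values.
const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
function encodeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Input validation: accept only a bounded string with no control
// characters (tab, LF and CR are allowed). The 2000 limit is an assumption.
function validateComment(text) {
  if (typeof text !== 'string' || text.length === 0 || text.length > 2000) return false;
  return !/[\u0000-\u0008\u000B\u000C\u000E-\u001F\u007F]/.test(text);
}

// Before: the comment is concatenated into the page as markup.
function renderCommentUnsafe(author, text) {
  return '<div class="comment"><b>' + author + '</b>: ' + text + '</div>';
}

// After: validate on the way in, encode on the way out.
function renderComment(author, text) {
  if (!validateComment(text)) throw new Error('comment rejected');
  return '<div class="comment"><b>' + encodeHtml(author) + '</b>: ' + encodeHtml(text) + '</div>';
}

// Session cookie with HttpOnly so page script cannot read the SID.
// Secure is an addition here; the text above only discusses HttpOnly.
function sessionCookieHeader(sid) {
  // Restrict the SID alphabet so it cannot inject extra cookie attributes.
  if (!/^[A-Za-z0-9_-]{16,128}$/.test(sid)) throw new Error('bad session id');
  return 'Set-Cookie: SID=' + sid + '; HttpOnly; Secure; Path=/';
}

// Constructed sample comment containing markup.
const SAMPLE_COMMENT = '<script>alert(1)</script>';
```

HttpOnly only limits what an injected script can read; it does not stop the script from running, so output encoding remains the primary control.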