2.7.2 Cross-site Scripting Attacks

Cross-site scripting (CSS or XSS) is a type of code injection attack in which an attacker uses a web application to deliver malicious scripts. Client-side scripts are injected into trusted websites. When the user interacts with the website, the XSS payload is sent to the user's browser, which trusts it because it appears to come from a trusted source and therefore executes the script. The script can then read information that the browser retains, including session tokens and cookies, and send it to the attacker. The script can also alter the HTML page in the user's browser so that the user is tricked into doing something on the page, such as entering a username, password, or account number. The script can also damage server-side scripts by exploiting the trusted connection that the server has with the user's computer; the server does not expect to be attacked by a trusted partner.

To combat XSS, input should always be validated, and HTML sanitization tools should be used to clean up input data. When the website generates output, it should be filtered for unexpected characters, and encoding and escaping schemes, such as JavaScript escaping, CSS escaping, HTML encoding, or URL encoding, should be applied. An XML/HTML application can be exposed to an XSS vulnerability because CDATA content is unparsed and is therefore missed by input validation filters that rely on schema validation. To help prevent hijacking of cookies, the application should require that cookies be presented from the same IP address as the original user. This will not stop attackers who spoof IP addresses, but it will stop attackers who hijack cookies for later use.

Users can disable scripts in their browser to prevent XSS attacks, although this may limit what they can do on a website. Alternatively, users can install a browser plugin that blocks all scripting by default but allows them to enable it for websites they trust.