Cross-Site Scripting (XSS)
What is Cross-site Scriping (XSS)?
Cross-Site Scripting is the injection of malicious scripts into a normally trusted web application. This is possible whenever user input (for example on a website) is not sufficiently validated either on the client- or the server-side. These scripts contain malware that enables the hacker to perform a variety of attacks.
Cross-Site Scripting attacks are very common in web applications and APIs.
Companies That Trust us
How Crashtest Security Enables Cross-Site Scripting Testing
The Crashtest Security Suite is a UX-optimized user interface to operate our powerful in-depth scanner engine. This allows the easy setup, operation, and remediation of vulnerability scanning. During our 14-day free trial, you can experience the rapid project setup (less than 2 minutes), the scan depth and speed, as well as the built-in wiki with advice for fixing cross-site scripting vulnerabilities.
We will scan for:
- SQL Injection
- Cross-site Scripting (XSS)
- Framework and CVE Entries
- TLS / SSL Configuration
- Cross-site Request Forgery (CSRF)
- ..All Other OWASP Attack Vectors
Different Types Of Cross-Site Scripting Attacks
Stored Cross Site Scripting
- Script is persistently stored in web app
- Users visiting the app after the infection retrieve the script
- Malicous code exploits flaws in the web application
- The script and the attack is visible on the server side (to the app owner)
Through a stored XSS attack, the hacker can inject the malicious script persistently into a web application.
That script can be submitted via an input field on the web application and infect the web server which stores it in its database. This means that from then on, all other users retrieve this script whilst accessing information and therefore their session cookie might be accessible.
Reflected Cross Site Scripting
- Script is not stored in the web application
- Malicious code is shown to only one user
- Users that open the link execute the script when app is opened
- The script and the attack is not necessarily visible on the server side (to the app owner)
A reflected XSS vulnerability shows the malicious input directly to the user of the web application.
This might include that a search form reflects the unvalidated input and shows what the search key was. An attacker could use this to create a URL containing malicious script and spread it. Users opening the link are getting to a web application where the malicious script is run in the user’s web browser.
DOM Based Cross Site Scripting
- Script is not stored in the web application
- Malicious code is shown to only one user
- Malicious code exploits flaws in the browser on the user side
- The script and the attack is not necessarily visible on the server side (to the app owner)
A DOM-Based Cross-Site Scripting attack can even be executed if the backend is totally secure. In order to do this, attackers use flaws in the JavaScript which is executed in the web browser.
DOM stands for Document Object Model and is an interface to web pages. It is essentially an API to the page, allowing programs to read and manipulate the page’s content, structure, and styles.
Copyright © Crashtest Security GmbH 2021. All rights reserved.