Cross site scripting - Why Care?
Why care about cross site scripting (XSS)?
Cross site scripting (XSS) is one of the top ten web-based <a vulnerabilities. XSS abuse results in remote code execution in the victims browser. The attacker can emulate user actions in the browser window the same as the victim. Exploitation occurs early in an attack and provides a beachhead to escalate privileges, glean sensitive information, interact with other protected systems or accomplish other attacker goals.
An adversary can maintain control of the browser window as long as it is open. Adversaries may persist control after the initial window closes.
XSS is a client-side vulnerability and does not grant the attacker control of the server.
XSS presents in two forms 1) Reflected and 2) Stored. Both forms result from the software developer failing to enforce input validation rules. The adversary injects characters that change the application code’s flow yielding unauthorized control.
Reflected XSS occurs when the adversary arranges for a user to click a malicious link. The web application misuses parts of the Universal Resource Locator (URL) yielding attacker control. Reflected XSS attacks affect one user at a time.
Stored XSS occurs when the adversary persists malicious content in the applications data store. The application parses the malicious content when rendering the stored content. Stored XSS affect all site visitors that render the malicious code.
Controls and Mitigations
The primary control to prevent XSS is filtering input at the client and server. Developers can mitigate session hijacking through cookie settings, but this does not address man-in-the browser risk and additional attacks.
Additional XSS Resources