XSS attack on a web app example
Cross-Site Scripting (XSS) is a type of security vulnerability where an attacker injects malicious scripts into content that is delivered to users by a web application. These scripts are executed in the context of the user's browser, potentially leading to various malicious outcomes such as data theft, session hijacking, and defacement of websites.
Types of XSS
- Stored XSS: The malicious script is permanently stored on the target server (e.g., in a database) and is served to users who request the stored data.
- Reflected XSS: The malicious script is reflected off a web server, such as in an error message or search result, and is immediately sent back to the user.
- DOM-based XSS: The vulnerability exists in the client-side code rather than the server-side code. The script is executed as a result of modifying the DOM environment in the victim’s browser.
Example Scenario
Imagine a web application with a comment section where users can post comments. If the application does not properly sanitize user inputs, it can be vulnerable to XSS attacks.
Vulnerable Code
Here is an example of a vulnerable PHP script:
<?php
// Assume the comment is retrieved from a database
$comment = $_POST['comment'];
// Display the comment on the page
echo "<div>" . $comment . "</div>";
?>
Stored XSS Attack
An attacker can submit a comment containing a malicious script:
<script>alert('XSS Attack');</script>
When the stored comment is displayed to users, the script executes in their browsers:
<div><script>alert('XSS Attack');</script></div>
Consequences
- Data Theft: The script can steal cookies, session tokens, or other sensitive information.
- Session Hijacking: The attacker can hijack user sessions by stealing session cookies.
- Defacement: The attacker can alter the content of the website, leading to defacement.
- Malware Distribution: The script can redirect users to malicious websites or download malware.
Preventing XSS
1. Output Encoding
Encode data before displaying it in the browser to ensure that it is treated as text rather than executable code.
Example using PHP’s htmlspecialchars function:
<?php
// Assume the comment is retrieved from a database
$comment = $_POST['comment'];
// Encode the comment to prevent XSS
echo "<div>" . htmlspecialchars($comment, ENT_QUOTES, 'UTF-8') . "</div>";
?>
2. Input Validation and Sanitization
Validate and sanitize user inputs to ensure that they do not contain malicious code.
Example:
<?php
$comment = filter_input(INPUT_POST, 'comment', FILTER_SANITIZE_STRING);
?>
3. Content Security Policy (CSP)
Implement CSP to restrict the sources from which scripts can be executed. This can help mitigate XSS attacks by preventing the browser from executing unauthorized scripts.
Example CSP header:
Content-Security-Policy: default-src 'self'; script-src 'self' https://trustedscripts.example.com
4. Use Secure Libraries
Use libraries and frameworks that are designed with security in mind and handle data sanitization and encoding.
Reflected XSS Example
A common example is a search feature where the input is reflected in the search results page.
Vulnerable Code:
<?php
$search = $_GET['q'];
echo "Search results for: " . $search;
?>
Attack Vector:
An attacker can craft a URL like:
http://example.com/search.php?q=<script>alert('XSS Attack');</script>
When a user clicks the link, the script executes in their browser.
Preventive Measure:
<?php
$search = htmlspecialchars($_GET['q'], ENT_QUOTES, 'UTF-8');
echo "Search results for: " . $search;
?>
DOM-based XSS Example
A JavaScript function that directly writes user input to the page can be vulnerable.
Vulnerable Code:
<script>
var search = location.hash.substring(1);
document.write("Search results for: " + search);
</script>
Attack Vector:
An attacker can create a link like:
http://example.com/#<script>alert('XSS Attack');</script>
When a user visits the link, the script executes.
Preventive Measure:
<script>
var search = location.hash.substring(1);
document.write("Search results for: " +
document.createTextNode(search).nodeValue);
</script>