Cross-site scripting attack exposes the flaw that allows the attacker to store a malicious script on a target website or trick the victim to submit the script to the target website that is shown to the client. The script is usually written in JavaScript. An important point to note here is that although the script could be stored in the target website, it does not run on that website. The script runs on the user's browser and is capable of doing every action that the user could perform on the target website. Since the aim of this attack is to run a malicious script on the client, it is known as a client-side attack.
A vulnerable website would lend a helping hand to this malicious activity by failing to do proper input validation. Do you expect a user to use a JavaScript as an input to any field? If the developers of the web application would filter out all the metacharacters before storing the data on the website or before reflecting the data back to the browser, you could defeat the cross-site scripting attack.
The attack potential of the XSS flaw is not just limited to attacking the same website or stealing information from the browser; the attacker can also use it to target other website. Here's an illustration of a cross-site scripting attack:
An easy way to identify whether a web page is vulnerable to an XSS attack is by using the following harmless script in the input fields of the form. If a dialog box is displayed, the web application is not filtering the metacharacters and is vulnerable to an XSS attack:
<script>alert("Vulnerable to XSS!!");</script>An example of XSS vulnerability is shown in the following screenshot:
The web application failed to perform proper input validation and passed the entire script back to the browser and the dialogue box popped up.
XSS vulnerabilities generally appear in two flavors:
- Persistent or stored XSS flaws: In the persistent XSS vulnerability, the attacker tricks the vulnerable website to store the input containing the script. At a later time, when a user views that input, the script are sent to the browser and executes without any filtering.
The forums and the review section of online shopping websites are often targets of stored XSS attack.
- Non persistent or reflected XSS flaw: A reflected XSS flaw would use a phishing email to send the link to the vulnerable website to the victim. The link is formatted in such a way that the malicious script is made to look a part of the URL. When the victim clicks on the URL, the script is reflected back the browser and executes on the client side.
Here are the various ways of XSS attacks:
- Steal user password and cookies
- Scan other websites and servers
- Engage the browser into transactions on the vulnerable server without user knowledge
- Redirect the user to another website
- Steal files from the victim's computer
We will discuss more about XSS in Chapter 6, Exploiting Clients Using XSS and CSRF Flaws, where we go deep into XSS flaws and learn about the various ways to identify them using the tools in Kali Linux.