What is Cross-site Scripting (XSS) and how can you fix it? – 10 minute mail

Cross-site scripting (XSS) is a type of attack that can be carried out to compromise users of a website. The exploitation of a XSS flaw enables attackers to inject client-side scripts into web pages viewed by users. Listed as one of the OWASP Top 10 vulnerabilities, XSS is the most common vulnerability submitted on the Disposable mail Crowdsource platform therefore a security risk our tool continually checks for. 

Image depicting cross-site scripting XSS

Cross-site scripting: What can happen?

The attacker may:

  • gain access to users cookies, session IDs, passwords, private messages, etc
  • read and access the content of a page for any attacked user and therefore all the information displayed to the user
  • compromise the content shown to the user

A notable XSS attack was the Tweetdeck XSS worm published in 2014. It allowed the attacker to spread his malicious payload to all Tweetdeck users via Twitter, hence causing a mass compromise of Twitter accounts.

Example of Cross-site scripting (XSS)

To show how the vulnerability works, let’s look at an example. Say you have a search box on your site. If there is no result, the site should say “Could not find any pages when searching for [what the user searched for].”.

Doing this in PHP it might look something like this:

This would, in other words, output the user supplied data (the search query) straight into the HTML document. If the search query contains HTML, the user’s web browser will render it. Imagine an attacker sends a link like the following to a victim:

http://example.com/search.php?query=

This would make the victim search for:

 

Since there is no validation of the data, the target browser will render:

Could not find any pages when searching for 

The injected HTML will be executed. The HTML contains a script tag which will evaluate JavaScript. The JavaScript will grab the user’s cookie and send it off bounds to a third party domain of the attackers control. The attacker will then be able to set their own cookie to the victim’s stolen one, hence gaining access the victim’s data. This is a common example of a privilege escalation attack by the means of cross-site scripting and session riding.

Cross-site scripting Remediation

The remediation of XSS vulnerabilities is heavily context-dependent and the patches vary. Here are some general tips (where UNTRUSTED is where user supplied data).

HTML Body

Example

UNTRUSTED

Solution
Convert to HTML entities (ie. & to & etc).
See PHP htmlspecialchars()

HTML Attributes

Example


Solution
Convert the untrusted user input to HTML entities to prevent the creation of other attributes and nver let any user data into the “id”, “class” or “name” parameters. Be very cautious when providing user data into DOM event handlers (e.g. onclick), at they are made to execute JavaScript.

Untrusted URL

Example

link

Resources

This article was updated on 7 August 2018.

Temp Mails (https://tempemail.co/) is a new free temporary email addresses service. This service provide you random 10 minutes emails addresses. It is also known by names like: temporary mail, disposable mail, throwaway email, one time mail, anonymous email address… All emails received by Tempmail servers are displayed automatically in your online browser inbox.