Many organizations are heavily reliant on their web applications to interact with their customers. The interactivity that web apps provide can allow a user to manage their account with the organization and take advantage of other valuable functionality online.
However, this same level of convenience and functionality makes web applications a common target for hackers. Web apps are publicly accessible to users and often have direct access to repositories of sensitive data, including the account information of the organization’s clients. If a hacker manages to compromise the application and gain access to this data, they can sell it for a good price on the black market.
The most common threats that an organization’s web apps can face are recorded in the OWASP top 10 list. The Open Web Application Security Project (OWASP) is a non-profit organization devoted to improving the state of web application security through education. Their Top 10 list of web application vulnerabilities is one of their most famous products and is geared toward educating developers and security teams about the most common vulnerabilities that may exist in their websites.
One of the most significant vulnerabilities on the OWASP list is the cross-site scripting vulnerability. This vulnerability can be extremely dangerous for the users of a web application and needs to be detected and removed as quickly as possible.
The Cross-Site Scripting Threat
Cross-site scripting (XSS) vulnerabilities are often given less attention than they deserve. In the modern world of data breaches, organizations are much more focused on detecting and remediating vulnerabilities that are likely to lead to a large-scale data breach. Since XSS vulnerabilities typically don’t fit this description, they’re often considered “less important”.
However, XSS vulnerabilities continue to be the most common vulnerability in web applications. HackerOne, a crowdsourced bug bounty platform, collects statistics about the vulnerabilities reported across its sizeable client base. According to HackerOne, $8 million of the $55 million paid in bounties by HackerOne clients was for XSS vulnerabilities. Since these vulnerabilities are typically undervalued compared to other “high impact” vulnerabilities, the actual proportion of XSS vulnerabilities in existence is likely much higher.
What is Cross-Site Scripting?
Cross-site scripting vulnerabilities are created when an attacker is able to inject malicious scripts into a website. A script is executable code that is run in a browser as part of viewing a website. Any animations and most interactivity of websites is created by legitimate scripts. However, malicious scripts can steal data and perform other actions.
There are several different types of XSS vulnerabilities, and they differ mainly in how the attacker gets the browser to interpret the malicious input that they have provided as a script that should be run in the browser. Typically, this happens when a website prints a user-supplied value (like the user’s name) on the page without ensuring that it is actually a name. If an attacker inserts script code instead of a name, then their code may run in the browser.
However, causing the browser to run malicious code is only useful if an attacker can get it to happen in someone else’s browser. This is where the different types of XSS vulnerabilities come in. The attacker may send a user a malicious link whose content will be interpreted as a script on the page, or embed their malicious script in a comment on the webpage.
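The mechanism described above, as an added example that is not from the original article: a greeting page that concatenates a user-supplied "name" straight into HTML (the vulnerable form) beside the same page with output encoding, plus a defender-side check that counts the tags in the rendered result. The escapeHtml, renderGreetingUnsafe, renderGreetingSafe and countTags functions and the sample input are constructed for this illustration.

```javascript
// Added example (not from the original article). A minimal "Hello, <name>"
// renderer in the vulnerable form the text describes, and a hardened form
// that HTML-encodes the user-supplied value before inserting it.

// HTML-encode the five characters that can change the meaning of text placed
// inside an element body or a double-quoted attribute.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// Vulnerable: the "name" is concatenated directly into markup, so any tags
// it contains become part of the page the browser builds.
function renderGreetingUnsafe(name) {
  return `<p>Hello, ${name}!</p>`;
}

// Hardened: the same template, but the value is encoded on output, so the
// browser shows the characters as text instead of interpreting them as tags.
function renderGreetingSafe(name) {
  return `<p>Hello, ${escapeHtml(name)}!</p>`;
}

// Defender-side check: count element tags in the rendered output. A greeting
// should contain exactly the one <p> element from the template (2 tags:
// the opening <p> and the closing </p>).
function countTags(html) {
  return (html.match(/<\/?[a-zA-Z][^>]*>/g) || []).length;
}

// Constructed sample input: a "name" that is really markup, not a name.
const suspiciousName = '<script src="x.js"></script>';

console.log(renderGreetingUnsafe(suspiciousName)); // script tag lands in the DOM
console.log(countTags(renderGreetingUnsafe(suspiciousName))); // 4
console.log(renderGreetingSafe(suspiciousName));   // script tag shown as text
console.log(countTags(renderGreetingSafe(suspiciousName)));   // 2
```

The same encoding must be applied at every point where untrusted data is written into HTML; encoding on input alone misses values that reach the page by other paths, such as a stored comment.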
Regardless of the means used to put them on the page, malicious scripts can be dangerous to the user. The British Airways attack that caused a record GDPR fine involved the injection of a malicious script into a BA payment portal that stole payment card information from people as they booked their flights.
Discontinuing XSS Auditor
In 2010, the threat of XSS vulnerabilities led Google to add built-in protection to Chrome. The XSS Auditor was designed to scan a website’s source code and identify anything that looks like the type of script that an attacker would try to embed into a webpage as part of an XSS attack.
However, Google has decided to remove XSS Auditor from Chrome. While it was initially a huge selling point for the browser, a number of bypasses for its protections have been discovered, and attempts to fix these weaknesses have created other issues. It will be removed from Chrome in a future release, and Google is currently working on an alternative that should make some types of XSS attacks difficult or impossible to perform.
Protecting Against XSS Attacks
Cross-site scripting attacks are the most prevalent type of web application vulnerability, but the other members of the OWASP Top Ten list are also common. The sheer number and complexity of web applications and the fact that not all developers are security experts means that these vulnerabilities sneak into the code, making users and organizations vulnerable to attack.
While solutions like XSS Auditor can help with protecting against specific types of attacks, a more general and effective solution is a web application firewall (WAF). At a minimum, WAFs are designed to detect and block the attacks listed in the OWASP Top Ten, while more advanced WAFs can block a variety of other attacks as well, including those that use stolen credentials to impersonate trusted users. Deploying a WAF to protect an organization’s web apps is a logical first step in protecting the business and its users from hackers.