What is Cross-Site Scripting (XSS)? Risks and Specific Countermeasures
Web utilization by companies is being actively promoted domestically, but one thing to be aware of is cyber attacks targeting websites. Cross-site scripting (XSS) is an increasing attack method targeting website vulnerabilities, and sufficient countermeasures are required.
This article explains specific methods of cross-site scripting, the risks posed by attacks, and effective countermeasures.
Table of Contents
- What is Cross-Site Scripting?
- How Cross-Site Scripting Works
- Differences from SQL Injection
- Types of Cross-Site Scripting
- Risks of Cross-Site Scripting Attacks
- Website Tampering
- Session Hijacking
- Personal Information Leakage
- Countermeasures to Prevent Cross-Site Scripting
- Perform Validation Processing
- Apply Sanitization
- Install a WAF
- Restrict Inputtable Links
- Summary
1. What is Cross-Site Scripting?
Cross-site scripting is a type of cyber attack targeting websites. By exploiting vulnerabilities in a website, a third party can illicitly embed a script into the website, prompting users who visit the site to access another site.
Even if the attacker cannot directly modify the target website, their objective can be achieved by redirecting visitors to a malicious site, resulting in significant indirect damage even if the site administrator suffers no direct harm.
2. How Cross-Site Scripting Works
In executing cross-site scripting, dynamic features on the site, such as inquiry forms and bulletin boards, are targeted.
If a script is written in a form that allows free description, it will be executed freely, allowing the site’s transitions to be controlled freely.
3. Differences from SQL Injection
SQL injection is a similar attack method to cross-site scripting. Like cross-site scripting, SQL injection attacks websites, but it targets the site’s database.
By exploiting membership registration or login forms and injecting malicious SQL syntax, it causes serious harm such as unauthorized data access and information leakage.
4. Types of Cross-Site Scripting
Cross-site scripting can be broadly divided into three types:
- Non-Persistent/Reflected XSS
- Stored/Persistent XSS
- DOM Based XSS
Reflected XSS involves embedding a malicious script in a link and redirecting users to a site with questionable reliability, prompting unauthorized access or malware installation.
Stored/Persistent XSS involves an attacker directly injecting a malicious script into a web application. Therefore, every time the attacked page is opened, the malicious script runs, automatically redirecting to malicious sites, making it an unpleasant and highly dangerous attack method.
It does not require redirecting users via links, making it a convenient method for attackers.
DOM Based XSS is a method that attacks vulnerabilities in JavaScript on the web. Since it is a script that runs on the visitor’s web browser rather than a script that runs on the server side, different countermeasures are required compared to other methods.
All cross-site scripting methods are dangerous, and flexible prevention measures should be considered.
5. Risks of Cross-Site Scripting Attacks
By being subjected to cross-site scripting attacks, website operators need to be prepared for the following risks:
5-1. Website Tampering
Cross-site scripting is a cyber attack method that allows attackers to rewrite web pages. Even a seemingly healthy corporate website can be exploited if it has vulnerabilities, allowing attackers to insert malicious programs and harm visitors.
Because the basic functions and design remain the same, the victims of the attack may not initially understand why or where they were harmed.
5-2. Session Hijacking
Session hijacking involves illegally obtaining an administrator’s ID or Cookie and granting undue administrative privileges. If session hijacking occurs, there is a risk of information leakage or data modification of information stored within the web site’s server, or unauthorized withdrawals, and in such cases, you must be prepared for enormous damage.
5-3. Personal Information Leakage
If free access to the server is allowed, the leakage of personal information of employees and customers is highly likely. The leakage of customer information, rather than just internal company information, will result in the loss of trust from existing customers and make it difficult to acquire new customers, putting the business itself at risk.
To avoid such situations, it is necessary to implement thorough countermeasures in advance to prevent damage or minimize it.
6. Countermeasures to Prevent Cross-Site Scripting
To prepare for cross-site scripting, it is important to implement correct countermeasures in advance. Specific countermeasures are as follows:
6-1. Perform Validation Processing
Validation processing adds restrictions to the alphanumeric characters and other characters that can be entered. By refusing the input of characters other than numbers in the phone number input field, or by limiting the number of characters entered in the password field, you can avoid the input of malicious scripts.
6-2. Apply Sanitization
Sanitization is a process that converts characters such as “<" or """ that occur when entering a script into a form into meaningless strings.
By preventing these characters from being entered as they are, you can prevent the string from being recognized as a script, preventing cross-site scripting.
6-3. Install a WAF
WAF stands for “Web Application Firewall” and is essentially a firewall for websites. It automatically detects attacks targeting web applications and automatically eliminates suspicious patterns.
6-4. Restrict Inputtable Links
To avoid transitions to suspicious links, it is also important to restrict only URLs starting with “http” or “https” to be entered as links.
Malicious attackers may secretly insert transitions composed of URLs other than these, limiting it to the above URLs, which are highly reliable and less likely to be accidentally transitioned to, avoids unnecessary increases in risk.
Summary
Cross-site scripting is a malicious attack method that targets vulnerabilities in websites, sometimes causing enormous damage to operators and users.
The risks of cross-site scripting are something to be aware of in recent years, as the number of websites being launched is increasing, and thorough countermeasures must be implemented in advance.
Once a cyber attack has been received, it takes a lot of time to cover the damage and restore the company’s trust lost due to the attack. Understand the countermeasures well in advance and strive to avoid risks.
If you have any questions, please contact globalsupport@jiran.com.
