#1 Security threats — XSS

Jul 14, 2022


Hello Everyone, Welcome to my blog 🙏.
I hope you are all safe and that this blog finds you in good health ❤️.

Intro

Security is essential to any website and plays a prominent role.

For example
An e-commerce website sells products at reasonable prices. But if it fails to provide security, then I think no customer would be willing to use the website. This is not only about e-commerce websites: if we consider banking applications, where financial elements are involved, the obvious thing that comes to every customer’s mind is whether the site is safe and secure.
Any site that consumes inputs like User details, financial details, etc., demands high-level security.
Thus, security is not an optional thing, but it is mandatory for all websites.

In this blog, we’ll get to know one of the threats that can impact the integrity of any website.

Cross Site Scripting — XSS

Cross Site Scripting is an injection attack in which the attacker injects a malicious script (mostly JavaScript) into a page's code. The victim's browser then interprets and executes that script.

Impact of XSS

👉 Hijack user session
👉 Deface Websites
👉 Change content

Types of XSS

To understand the types of XSS better, let us take the example of Shiva’s Story.

💥 The Beginning 🙂
Shiva is a shopkeeper who belongs to a small town and always wants to provide his customers with the best service. As there were hard times due to the Pandemic, he decided to start his services online with door delivery. 
Now, he wants a website for his shop where he can sell items. So, he hired a team of developers to create a fabulous website that should display items with a great user experience. The team has fulfilled the requirements for the website and rolled it out to the customers.

💥 The Rise🤩
Shiva is pleased that sales have started again. Customers are also delighted with his services. His business starts to grow and expand.

💥 The Cruelty of Competitors👹
Competitors are jealous of his success in the business. So, they hired a hacker/attacker to destroy his business.

💥 The Downfall 🙃
The hacker is smart enough to find a few XSS vulnerabilities in the website and in the security headers of the server on which the site is hosted.

One of them is Reflective XSS.

Type 1: Non-Persistent XSS or Reflective XSS
It is performed through the URL: the attacker adds malicious code to the URL and uses it to snatch essential data from the victim (the user).

Now, How did the attacker find that the site has Reflective XSS? 🤔
Simple: he started searching for items on the site and noticed that on every search, the URL changed to include his input.
So, he started inserting scripts into the URL, encoded them in a non-human-readable format, and succeeded in doing it.

What is the attacker’s next move here 🤔?

He starts sharing these URLs with the users and Shiva through emails that advertise things like heavy discounts to attract the customers, and obtains important information from them, such as auth tokens and billing info, and admin access from Shiva.
There were reports of stolen auth tokens and payment details from the customers and Shiva himself, which impacted the business and resulted in a loss of faith and trust.
But hold on ✋,
Here, he sent emails to customers and Shiva to get their access tokens. But what if they did not open the emails?
How else can he get their access tokens?
How 🤔?
Then comes,

Type 2: Persistent (or) Stored XSS
The attacker adds malicious scripts to pages that are common to all users. These scripts get executed when a user loads the page. Meanwhile, the attacker collects information such as access tokens.

Stored XSS

So, the attacker started to add malicious scripts on the product pages where there are input fields such as text boxes.
For example: product pages generally have a reviews section where users enter reviews and their experiences of the products. So he targets those fields and adds his malicious code.
This code gets executed whenever a user loads the page. Meanwhile, the attacker collects the auth tokens and other important information and uses them to destroy the integrity of the application.

Type 3: DOM-based XSS
It is similar to Reflected XSS, but here the attacker, instead of modifying the URL, modifies DOM elements by abusing weaknesses in the website's existing JavaScript code.

After seeing these vulnerabilities on his website, Shiva decided to stop his online services and continue his offline services.

💥 The Retrospection 🧐
Shiva and his team invested their time in security aspects and found that their site has XSS Vulnerabilities. Some of the points which were missing on their site are listed below:

1. User Input
👉 Consider all the Inputs as a threat and validate them.
👉 Escape all special characters which are related to HTML.
2. Validate and Sanitize the data
3. Encode HTML output
4. Use the Right response headers
5. Use Content Security Policies (CSP)
(I will present CSP in another blog, please stay tuned.)
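
The checklist above, applied to the search page and the reviews section from Shiva's story. This is an added example, not code from the original post; the function names, the allow-list policy, the shop.example URL and the header values are assumptions chosen for illustration.

```javascript
// Added example: names and policies below are assumptions, not the post's code.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode every character that has meaning in HTML text or quoted attributes.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Validation: allow-list of what a product search term may contain (assumed policy).
function isValidSearchTerm(q) {
  return /^[\p{L}\p{N} .,'-]{1,100}$/u.test(q);
}

// BEFORE: the search term from the URL is pasted into the page as-is,
// so markup in the URL becomes markup in the response (reflected XSS).
function renderSearchVulnerable(url) {
  const q = new URL(url).searchParams.get('q') || '';
  return `<h1>Results for ${q}</h1>`;
}

// AFTER: validate first, never echo rejected input, and encode even valid input.
function renderSearchSafe(url) {
  const q = new URL(url).searchParams.get('q') || '';
  if (!isValidSearchTerm(q)) return '<h1>Invalid search term</h1>';
  return `<h1>Results for ${escapeHtml(q)}</h1>`;
}

// Reviews are free text, so they are encoded every time they are rendered.
function renderReviews(reviews) {
  return '<ul>' + reviews.map((r) => `<li>${escapeHtml(r)}</li>`).join('') + '</ul>';
}

// Response headers: fixed content type, a restrictive CSP, script-unreadable cookie.
function securityHeaders() {
  return {
    'Content-Type': 'text/html; charset=utf-8',
    'X-Content-Type-Options': 'nosniff',
    'Content-Security-Policy': "default-src 'self'; script-src 'self'",
    'Set-Cookie': 'session=PLACEHOLDER; HttpOnly; Secure; SameSite=Lax',
  };
}

// Constructed sample input: URL-encoded markup in the search parameter.
const sampleUrl = 'https://shop.example/search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E';
console.log(renderSearchVulnerable(sampleUrl)); // markup reaches the page unchanged
console.log(renderSearchSafe(sampleUrl));       // rejected by validation
console.log(renderReviews(['Great rice!', '<img src=x onerror=alert(1)>']));
```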

The team has accommodated changes in their site to overcome XSS vulnerability and restarted Shiva’s online services.

💥 The Rise Again 😎
Shiva started his online services with improved security. He also deployed a team to keep track of any risks in the future. Customers again started to use his website to purchase items.

Never giving up, determination, and security are the key things that made Shiva’s business take off successfully.

Finally, A Happy ending…
