Cross-site Scripting

The first thing we need here is an understanding of cookies. If you haven’t read that definition, have a look now.

The other thing we need is an understanding of what dynamic versus static pages are on a website. Static website pages don’t change and are just ‘brochureware’ if you like. Dynamic pages are those that provide you with functionality, personalisation, interactivity and all the wonderful things we expect from web applications and online services today. To generate a page dynamically, or ‘on the fly’, the website builds a new page each time it is requested. To create this page, you provide information and the website takes this information and places it in the new page it is generating.

For example, let’s say you sign up for a Cloud Service Provider’s product. As you fill out the form you may go away for a couple of days and come back to the website to find the page has kept the stage you are up to and the information in it; or, you get alerts that still include the information you have provided but show where fields still need to be filled out; or, you have now filled out the entire form and clicked ‘submit’, and it has come back saying “Sorry, www.wronginput.com is unavailable or produced an error”; or, “Welcome <yourname>. Thanks for purchasing ‘YourCloud Service Provider’s Product’. Your receipt number is ‘abcdefg12345’”. It could also be that you are served advertisements within the webpage, which may be dynamically generated based on your recorded interests and browsing activity or products you have purchased.

All of the above are examples of dynamically generated pages, which may also use cookies, as is the case with the stored information in the form and the advertisements. That is, they are pages that combine your information with the website’s information to create a new page ‘on the fly’ – or, as termed in the industry – dynamically. These pages can be vulnerable to cross-site scripting.

A reminder here too that when you click on a URL, it is an instruction to the website to download its content to your device. That is, all content, including malicious content, will download (see Driveby).

Dynamically generated pages are not, however, the only way in. Attackers could also simply place malicious commands in URLs (‘links’) and put those links in forums, phishing emails and banner ads.

OK .. so with that background – how does cross-site scripting, or XSS, work?

The issue arises because the information that goes into the newly generated webpage is carried in the URL that requests it. If this process isn’t tightly controlled by your developers it may allow ‘commands’ to be inserted (‘injected’) through that URL that were never intended. The problem arises when the generation process does not know the difference between information that is allowed to be included in the page and information that is not. Combined with an insecure browser on your machine, this could allow information to be stolen from your cookie, information to be put into your cookie, malware to be downloaded from the generated webpage, and then code injected into your ‘shell’ that starts taking over your machine and network.

Ask your developers what they are doing about cross-site scripting. You want to hear that they use good data hygiene: they validate what comes in from URLs and forms and encode it before writing it into a page. A vulnerability scanning tool will likely pick up ‘XSS holes’ – that is, places where an XSS attack could be set up.
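To make the two preceding paragraphs concrete, here is an added example (not code from the original page, and not from any named project): a tiny ‘dynamic page’ generator that greets a visitor by the name carried in the URL. The first version pastes the URL value straight into the page, which is the hole described above; the second encodes it first, which is the ‘validate and encode’ practice you want to hear your developers describe. The page template, the `name` parameter, the `example.invalid` address and both sample links are constructed for this illustration.

```javascript
// Added example (not from the original page): a minimal dynamic page
// generator, once without and once with output encoding. Template,
// parameter name and sample links are all constructed for illustration.

// Replace the five characters that let text break out of HTML content
// and start a tag or attribute of its own.
function encodeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Pull the visitor-supplied value out of the request URL.
function nameFromUrl(url) {
  return new URL(url).searchParams.get('name') || 'guest';
}

// VULNERABLE: the value from the URL is pasted straight into the page,
// so anything that looks like HTML is treated as HTML by the browser.
function renderUnsafe(url) {
  const name = nameFromUrl(url);
  return `<h1>Welcome ${name}.</h1>`;
}

// HARDENED: the same value is encoded before it is written out, so the
// browser shows it as plain text no matter what it contains.
function renderSafe(url) {
  const name = encodeHtml(nameFromUrl(url));
  return `<h1>Welcome ${name}.</h1>`;
}

// A rough check a reviewer or scanner can run over a generated page:
// does any tag appear that the template itself did not put there?
function containsForeignTag(html, allowedTags) {
  const tags = [...html.matchAll(/<\/?([a-zA-Z][a-zA-Z0-9]*)/g)]
    .map((m) => m[1].toLowerCase());
  return tags.some((t) => !allowedTags.includes(t));
}

// Constructed inputs: a normal visitor, and a link that carries a script
// in the spot where a name was expected.
const normalLink = 'https://example.invalid/welcome?name=Alice';
const hostileLink =
  'https://example.invalid/welcome?name=' +
  encodeURIComponent('<script>alert(1)</script>');

console.log(renderUnsafe(hostileLink)); // the script tag survives into the page
console.log(renderSafe(hostileLink));   // shown to the visitor as harmless text
console.log(containsForeignTag(renderUnsafe(hostileLink), ['h1'])); // true
console.log(containsForeignTag(renderSafe(hostileLink), ['h1']));   // false
```

The point of `containsForeignTag` is that the check is cheap: the template only ever emits an `h1`, so any other tag in the output means visitor-supplied data was written into the page without encoding. That is essentially what a vulnerability scanner is looking for when it reports an ‘XSS hole’.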

If you run forums or take in banner ads or third-party advertising, ask whether those third parties are also being checked for XSS vulnerabilities.
