Top 10-2017 A7-Cross-Site Scripting (XSS)
| Threat Agents / Attack Vectors | Security Weakness | Impacts |
|---|---|---|
| App Specific. Exploitability: 3. Automated tools can detect and exploit all three forms of XSS, and there are freely available exploitation frameworks. | XSS is the second most prevalent issue in the OWASP Top 10 and is found in around two thirds of all applications. Automated tools can find some XSS problems automatically, particularly in mature technologies such as PHP, J2EE / JSP, and ASP.NET. | The impact of XSS is moderate for reflected and DOM XSS, and severe for stored XSS, with remote code execution in the victim's browser, such as stealing credentials or sessions, or delivering malware to the victim. |
There are three forms of XSS, usually targeting users' browsers:
Typical XSS attacks include session stealing, account takeover, MFA bypass, DOM node replacement or defacement (such as trojan login panels), attacks against the user's browser such as malicious software downloads, key logging, and other client-side attacks.
Preventing XSS requires separation of untrusted data from active browser content. This can be achieved by:
Scenario #1: The application uses untrusted data in the construction of the following HTML snippet without validation or escaping:
The attacker modifies the ‘CC’ parameter in the browser to:
This attack causes the victim’s session ID to be sent to the attacker’s website, allowing the attacker to hijack the user’s current session.
Note: Attackers can use XSS to defeat any automated Cross-Site Request Forgery (CSRF) defense the application might employ.