Web Browser Security Attacks – Cross Site Scripting (XSS)

26 09 2011

Web browsers are software programs that allow us to access web pages on the Internet. Nowadays we do a lot of tasks online: we access our bank accounts, send emails with private data, shop, and so on. In doing so we send out a lot of information, such as our bank account details and personal information. There are attackers out there who can gain access to this information and use it for malicious activities. Attacks are techniques used by attackers to take advantage of and exploit vulnerabilities in an application. One such attack is called Cross Site Scripting (XSS).

XSS is a technique in which an attacker sends a malicious piece of code to a user. It takes advantage of the web application’s vulnerabilities and injects malicious scripts into webpages. When a user visits these webpages, the web browser believes that the script has come from a trusted source and executes it. When the script is executed, the attacker has access to user information in the form of cookies and session information. Using this, the attacker can impersonate a legitimate user and gain access to webpages accessible to that user. The attacker may also perform malicious activities on the user’s computer and can access/destroy files.

We might think that an attacker has to break into a web server to inject his malicious code into a webpage. This is not the case. Today most of the content on webpages is dynamic. The attacker could go to a webpage and, if it had a section for leaving user comments, he could inject a script in the comment section. Now when any user requests this page, the malicious script in the comment section will run in the browser and gain access to user information.

Attackers could use another approach as well. They find a webpage that they want access to and that has some XSS vulnerabilities. They then generate a customized link to this webpage and send it by email to a list of potential users. The link in the email will have some HTML elements embedded in it. When a user clicks on this link, it takes the user to that webpage and sends a copy of the user's session to the attacker. Through this the attacker can get access to the webpage.

One way of preventing an XSS attack is to validate user input and strip out all the special characters from it, allowing only a few special characters such as hyphens and periods. Another way is to have better validation and checks for cookies. When a cookie is generated, the IP address of the user should be noted. Then, if an attacker tries to use the same session, his IP address will be different and access can be denied. The best way probably is to develop better web applications. Developers should build web applications that do not need any client-side code to run for the webpage to be displayed properly. This will allow users to disable scripting in their browsers.
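
The first two measures above, sketched as server-side JavaScript (Node.js). This is an added example, not code from the original post; the function names, the in-memory session store and the sample values are assumptions made for illustration.

```javascript
// Added example, not from the original post. All names are hypothetical.
const { randomBytes } = require('crypto');

// Measure 1: input validation. Keep letters, digits, whitespace, hyphens
// and periods; strip every other character (so < > " ' / = & are removed).
function stripSpecialChars(input) {
  return String(input).replace(/[^A-Za-z0-9\s.-]/g, '');
}

// Measure 2: note the client's IP address when the session cookie is issued.
const sessions = new Map(); // session id -> { user, ip }

function issueSession(user, clientIp) {
  const sessionId = randomBytes(16).toString('hex');
  sessions.set(sessionId, { user, ip: clientIp });
  return sessionId;
}

// Returns the user if the cookie arrives from the recorded address.
// A different address is denied and the session is revoked.
function checkSession(sessionId, clientIp) {
  const entry = sessions.get(sessionId);
  if (!entry) return null;
  if (entry.ip !== clientIp) {
    sessions.delete(sessionId);
    return null;
  }
  return entry.user;
}

// Constructed sample data: a comment carrying script markup, and two
// documentation-range addresses standing in for the user and someone else.
const sampleComment = 'Nice post - thanks. <script>document.cookie</script>';
const sid = issueSession('alice', '203.0.113.10');
console.log(stripSpecialChars(sampleComment)); // markup characters removed
console.log(checkSession(sid, '203.0.113.10')); // same address: accepted
console.log(checkSession(sid, '198.51.100.7')); // other address: denied
```

The IP check also rejects a legitimate user whose address changes during a session, and it does not stop a request that comes from the same address, so it works alongside the input filter rather than in place of it.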