Why cross-site scripting still matters

As we go into 2024, many organizations are looking at their cybersecurity programs and considering how to allocate their application security testing resources. Although making sure that you’re allocating testing resources to OWASP top 10 vulnerabilities like cross-site scripting (XSS) may not feel innovative, it’s one of the best ways to ensure your organization’s security posture.

According to Forrester's "The State of Application Security: 2022" report, web application exploits remain the third-most-common cybersecurity threat. Of the 4,000+ tests the Synopsys Application Security Testing Services team conducted for its annual “Software Vulnerability Snapshot” report, 83% uncovered some form of vulnerability in the target applications.

According to the data, analyzed by Synopsys Cybersecurity Research Center (CyRC), 27% of the tests found high-severity vulnerabilities, and 6.2% revealed critical-severity vulnerabilities. Vulnerabilities allowing XSS have consistently been the #1 or #2 high-risk vulnerability found in all three years of Synopsys testing. Of the high-risk vulnerabilities found in the 2022 tests, 19% were found to be associated with cross-site scripting attacks.

So, what are XSS vulnerabilities and how can effective application security testing help your organization detect and mitigate them?

Cross-site scripting

Cross-site scripting vulnerabilities are one of the most common online application security concerns, in part because they are easy to introduce but hard to discover and fix. This means there’s always the danger that they’ll get into production code.

XSS attacks work by inserting malicious code into trustworthy websites. When the webpage is loaded, the malicious code is executed in the user's browser, allowing the attacker to steal sensitive information such as passwords and cookies, or perform other malicious actions. These attacks can be successfully conducted everywhere a web application incorporates user input without verifying or encoding it into the output it produces.

In some instances, an XSS attack causes the victim's account to be totally compromised. Users can be duped into entering their credentials on a false form, which gives the attacker access to all the data.

The three kinds of XSS attacks

There are three main types of XSS attacks.

• Stored XSS attacks: These occur when the injected script is kept on the target servers indefinitely, such as in a database, message board, visitor log, comment field, etc. When the victim makes a request for the stored data, the server returns the malicious script.
• Reflected XSS attacks: These are sent to targets through a channel like an email message or website. When a user is tricked into clicking a malicious link, submitting a specially crafted form, or even just browsing a malicious site, the injected code travels to the vulnerable website, which reflects the attack back to the user’s browser. And because the code came from a "trusted" server, the browser runs it.
• DOM-based XSS: This occurs when the attacker's payload is stored on the server and reflected back to the victim by the back-end application. In feedback forms, an attacker can submit a malicious payload that will be executed when the back-end user or admin opens the form.

How to prevent XSS vulnerabilities

By following secure development best practices and integrating security throughout all phases of application development, you can safeguard your organizational security. This includes putting security measures in place early in the secure development life cycle (SLDC). For instance, threat modeling and architecture risk analysis should be undertaken during the software design phase and should take XSS vulnerabilities into account. Other methods of preventing XSS attacks include

• Never trust user input. Always perform input validation and sanitization on input originating from untrusted sources as soon as you receive it. To provide comprehensive coverage, both inbound and outbound input handling should be considered.
• Implement output encoding, prior to writing user-controllable data. Output encoding escapes user input and ensures that the browser interprets it as benign data and not as code.
• Follow the defense in depth principle This strategy utilizes a variety of security controls to ensure the safety of your most valuable assets. Multiple walls of defense (controls) ensure that even if one wall is breached there are others in place for protection from malicious attacks.
• Ensure that web application development aligns with OWASP’s XSS Prevention Cheat Sheet. This is essentially a list of tried and tested techniques to prevent XSS. OWASP advises the use of the appropriate combination of techniques as an XSS defense mechanism that can be customized for your unique application.
• After remediation, perform penetration testing to confirm it was successful. A seasoned penetration tester has the skills to implement the right real-world attack scenarios to ensure that your high risk XSS vulnerabilities are indeed fortified. Use OWASP's XSS Prevention Cheat Sheet during web application development.