
Cross-site scripting is an attack in which a trap is planted on a website, visiting users are led to a vulnerable site, and their personal information is stolen.
Anyone who creates and operates a website should understand cross-site scripting and take appropriate measures.
Here, we explain the types of cross-site scripting, how an attack unfolds, and the countermeasures.
Table of contents
- 1. What is Cross-Site Scripting (XSS)?
- 2. Types of cross-site scripting (XSS) and attack flow
- 3. Examples of cross-site scripting (XSS) damage
- 4. Cases of actual damage
- 5. Cross-site scripting (XSS) measures
- 6. Find a system development company that is strong in security measures!
What is Cross-Site Scripting (XSS)?
Cross-site scripting is an attack method that exploits vulnerabilities in web applications.
For example, an attacker plants in the input form of a dynamic website such as an Internet bulletin board or blog a link leading to a vulnerable website, where a script (code in a programming language that the browser executes immediately) is waiting. When the user clicks the planted link and is taken to that site, the script runs, and the information the user entered in the input form is leaked to the attacker, or the user’s machine is infected with malware. This is the kind of damage cross-site scripting causes.
According to the “Notification Status of Vulnerability-Related Information on Software, etc.: Second Quarter 2021 (April-June)” published by IPA (Information-technology Promotion Agency, Japan), about 58% of the reported vulnerabilities were cross-site scripting. Because it is an attack method that causes so much damage, it is important to understand cross-site scripting and take countermeasures. To understand it, let’s look at the specific types, attack methods, and countermeasures.
Types of cross-site scripting (XSS) and attack flow
There are three main types of cross-site scripting: “Reflected XSS”, “Stored / Persistent XSS”, and “DOM Based XSS”.
● Reflected XSS (reflected type)
A typical Reflected XSS attack pattern is to place a link containing a malicious script in a fake email or on a fake site and make the user send a request to a vulnerable website. The malicious script then executes in the user’s browser, stealing information or infecting the machine with malware. It is called “Reflected” because the script sent in the request is reflected back to the user in the response.
● Stored / Persistent XSS (stored / persistent type)
A typical Stored / Persistent XSS attack pattern is to store the script directly in the web application, so that the malicious script executes every time a user views the page. As a result, user information may be stolen or malware infections may occur. It differs from Reflected XSS in that there is no need to prepare a trap website, which makes the attack more efficient for the attacker.
● DOM Based XSS
DOM stands for “Document Object Model”. This type mainly exploits a code vulnerability in JavaScript running in the web browser to execute a malicious script in the browser, leading to theft of the user’s information and malware infection. The distinctive feature of DOM Based XSS is that the attack can be completed entirely by processing on the client side.
Examples of cross-site scripting (XSS) damage
The main damages of cross-site scripting are as follows.
- Session hijacking
- Leakage of personal information
- Display fake information on legitimate sites
● Session hijacking
Session hijacking is an attack in which the attacker obtains, by some means, the ID, password, or cookie (information stored in the browser on your PC or smartphone) used on a website, and uses it to take over your session as if they were you.
If session hijacking succeeds, an attacker can break into the server, impersonate a legitimate user to steal confidential information, or make an illegal withdrawal from an online bank. It can also lead to serious damage such as leakage of registration information, falsification, and unauthorized use of credit cards.
● Leakage of personal information
There are many cases where personal information is leaked through a cross-site scripting attack. Names, addresses, phone numbers, credit information, and so on obtained by the attack are bought and sold on dark websites (sites where transactions in highly illegal information and goods are common) and end up on information lists. Based on such a list, another attacker may carry out a list attack or demand a large sum of money, extorting victims over their personal information.
● Display fake information on legitimate websites
Cross-site scripting allows an attacker to display false information on some legitimate sites by exploiting website vulnerabilities. Because the website itself is legitimate, damage can occur without the user or administrator noticing, and personal information can be extracted. Continued disinformation causes confusion and damage and can become a breeding ground for phishing scams.
Cases of actual damage
Examples of cross-site scripting attacks include:
- YouTube case
- An example of the official Twitter application
- Examples of publishers’ official websites
- Example of EC site construction system
● YouTube case
In 2010, a cross-site scripting attack targeting YouTube, a large-scale video sharing site, occurred.
A cross-site scripting vulnerability in YouTube’s comment system was exploited to prevent comments from being displayed, to pop up hoax information, and to redirect users to malicious websites (automatically transferring them to another page). Google took action about two hours after the attack began, but the impact of the damage seems to have been great.
● Examples of official Twitter applications
In 2010, a cross-site scripting attack occurred that exploited a vulnerability in Twitter’s official client application “TweetDeck”. TweetDeck is an application that makes Twitter easier to use by presenting multiple timelines in an interface that is easy for users to read. Attackers exploited this TweetDeck vulnerability to hijack users’ accounts remotely, spreading the damage by posting a large number of nonsensical retweets. It was announced that this cross-site scripting attack affected up to 500,000 people.
● Examples of publishers’ official websites
In 2014, a cross-site scripting attack occurred on the official site of KADOKAWA, a major publisher.
As the official site of a major company, it had security measures of a high level in place. However, some sites had lower security levels for operational reasons, and the breach started there, causing damage such as the top page being tampered with by a cross-site scripting attack.
The tampered top page contained a Trojan horse (a kind of malware, software that threatens the safety of computers), with the risk that cookie information and personal information would be leaked if a viewer became infected. Fortunately, it was announced that the incident did not cause much damage.
● Examples of major EC site construction systems
In 2021, a cross-site scripting attack occurred on a product in the major EC site construction system “EC-CUBE”.
On an EC site built with the affected product, an attacker could enter a script in a specific input field and have an arbitrary script executed, resulting in unauthorized access or theft of personal information. It was announced that credit card information was leaked due to a cross-site scripting attack.
An emergency patch (data that updates part of a program to fix bugs or change functions) has already been released for EC-CUBE and the issue has been addressed, but the reality is that damage of this kind continues without end.
Cross-site scripting (XSS) measures
There are three methods for cross-site scripting countermeasures: “sanitizing”, “input value restriction”, and “WAF protection”.
- Sanitizing
- Input value limit
- WAF defense
● Detect and invalidate harmful characters/strings with “sanitizing”
Sanitizing is the process of replacing characters that have meaning as part of an HTML tag with other character strings (escape processing).
For example, in HTML the characters “<” and “>” are recognized by the browser as part of a tag. By sanitizing them, you replace them with plain strings that have no special meaning.
“<” and “>” are symbols frequently used in HTML tags and in programming. By sanitizing these symbols, they are replaced with strings that the browser merely displays. Therefore, even if an attacker tries to embed a script using characters that are recognized as code, such as “<” or “>”, the sanitizing process turns them into a plain character string and the attack is neutralized.
Proper sanitization can also detect harmful characters and strings, further reducing the chance of a cross-site scripting attack.
● Limit input values
Limiting the values accepted by an input form is also a countermeasure against cross-site scripting.
For example, in input fields such as telephone number and zip code, you can prevent a script from being inserted by allowing nothing but digits. Limiting the length of input values also helps control the insertion of harmful scripts that could become a cross-site scripting attack.
It is recommended to limit the input values of input forms such as inquiry forms to avoid attacks.
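The following is an added example, not code from the original article or from any of the products mentioned, showing the two countermeasures just described (output escaping and input-value restriction) together with the reflected and stored XSS patterns from the types section. The function names, the in-memory comment store, and the form rules (a 10- or 11-digit phone number, a 7-digit zip code, a 1000-character message limit) are assumptions made for this example.

```javascript
// Added example (not from the article): HTML output escaping and input-value
// restriction as defences against reflected and stored XSS.
// All names and rules below are assumptions made for this example.

// Escape the characters that are meaningful in HTML so the browser shows them
// literally instead of interpreting them as tags or attribute delimiters.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Reflected XSS: the search term from the request is echoed into the page.
// Vulnerable version: the raw value is concatenated straight into the HTML,
// so a value such as "<script>alert(1)</script>" becomes live markup.
function renderSearchPageUnsafe(query) {
  return `<p>Results for: ${query}</p>`;
}
// Hardened version: the same template, but every untrusted value is escaped
// at the point it is written into HTML.
function renderSearchPageSafe(query) {
  return `<p>Results for: ${escapeHtml(query)}</p>`;
}

// Stored XSS: comments are saved as typed and shown to every later visitor.
// Escaping at output time neutralises whatever was stored, so the store can
// keep the original text (useful for auditing what was actually submitted).
const commentStore = []; // constructed in-memory store for this example
function addComment(author, body) {
  commentStore.push({ author, body });
}
function renderComments() {
  return commentStore
    .map((c) => `<li><b>${escapeHtml(c.author)}</b>: ${escapeHtml(c.body)}</li>`)
    .join('');
}

// Input-value restriction (allow-list): fields with a known shape accept only
// that shape, and free text gets a length limit. Validation limits size and
// shape; the content of the message field is still escaped on output.
const RULES = {
  phone:   { pattern: /^[0-9]{10,11}$/, maxLength: 11 },
  zip:     { pattern: /^[0-9]{7}$/,     maxLength: 7 },
  message: { maxLength: 1000 },
};
function validateContactForm(fields) {
  const errors = [];
  for (const [name, rule] of Object.entries(RULES)) {
    const value = String(fields[name] ?? '');
    if (value.length > rule.maxLength) {
      errors.push(`${name}: longer than ${rule.maxLength} characters`);
    } else if (rule.pattern && !rule.pattern.test(value)) {
      errors.push(`${name}: contains characters that are not allowed`);
    }
  }
  return { ok: errors.length === 0, errors };
}
```

Escaping is applied when the value is written into HTML, not when it is received, so it works the same for a reflected parameter and for a stored comment; the allow-list rules reject a phone or zip value containing anything but digits before it is ever stored.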
● Take measures with “WAF defense”
WAF is an abbreviation of “Web Application Firewall”, a firewall dedicated to web applications. When a WAF is deployed, the content of communication with the web application is inspected, and if suspicious content is detected, it is blocked. A WAF is one of the security measures for protecting against attacks that exploit vulnerabilities when the web application itself cannot be directly managed or modified.
Find a system development company that is strong in security measures
Cross-site scripting causes various kinds of damage, such as theft of a user’s personal information and destruction of files on a computer, simply through browsing a website. To protect information from such damage, it is important to consider security measures and act on them from the initial stages of system development and website development.
With advances in IT, security has become an indispensable element of system development in every situation.
Since an attack from outside can cause great damage, find and consult a company that can be trusted not only for its system development technology but also for its security measures.
If you ever want to know about similar things, check out the Facebook page Maga Techs