Cross Site Scripting (XSS) and why it needs fixing!
As seasoned penetration testers, it has to be said that the most common issue we come up with when testing public facing web applications, is cross site scripting (XSS). Trying to explain this issue, and it’s implications, to businesses is challenging at times, after all there are a thousand and one other issues that businesses are trying to tackle, and anything in technical language tends to fall by the wayside.
Here’s our description – feel free to share with your boss. 🙂
Cross Site Scripting in Business Language
The design of your web application exposes clients, and potential clients, to fraudulent phishing attacks. Phishing attacks work by sending users “fake emails”, just like the ones that probably fill your personal email Inbox at home. The emails have a specially crafted URL that will take users to your website, but load in a bit of extra, unwanted code, that could easily simulate a login screen or payment page that actually directs user and payment information to another website of the attacker’s choosing.
The effectiveness of these attacks depend on the quality, timing and relevance of the phishing emails that are sent. If they are full of spelling mistakes and broken graphics, then it’s unlikely a user will open them, but if an attacker decides to take time and craft an email that is identical to the kind of communications you might send out yourselves, for example a monthly billing statement, then the chances these emails get opened increases.
The fix is to modify your web application so it refuses to load in these extra bits of unwanted code and keeps users safe. Spend some time with your development team and ensure that any web application input is correctly validated. If we’ve found this issue in one web page, it’s likely that many other web pages are also affected, so ensure this review is holistic and covers ALL areas of input, even those supported by third party libraries.
Hopefully that sounds a lot better in a report than just posting up a code snippet. Proof of concepts are pretty easy to setup to demonstrate XSS too, which can help, but relating this issue to an issue that business owners are familiar with (i.e. dodgy emails) has been far more effective in our experience and helps hugely to bridge the gap.