Imagine sharing confidential information with a trusted source – perhaps a best friend or a family member – and then having them turn around and pass it on to the worst people imaginable. This, at a very high level, is a metaphor for what’s known as a cross-site scripting (also called XSS) attack.
This web security vulnerability lets attackers compromise whichever interactions a user has on what they believe to be a trusted web application, enabling them to steal sensitive information provided by a victim. It does this through the use of malicious code that’s inserted into a particular website and then executed whenever that site is loaded. This malicious code, which is usually client-side JavaScript, is then utilized to attack the end user. It can be harnessed for a variety of sinister activities – ranging from “keyloggers” (which log the keystrokes made by users to steal confidential information) to hijacking sessions to fraudulently pose as legitimate users.
XSS attacks have been part of the computing landscape for decades. However, they have continued to become more frequent as the complexity of websites has increased, as our reliance on connected infrastructure has made the results of such attacks more damaging, and because of XSS attacks’ ability to circumvent traditional safeguards like standard-issue firewalls and antivirus (AV) solutions.
The prevalence of such attacks is a constant reminder of why organizations must avail themselves of the latest protective measures, such as a dedicated web application firewall (WAF).
Increasingly common attacks
XSS attacks are some of the most common cyber attacks seen on the internet. They have affected websites operated by some of the biggest tech companies, showcasing that this is not only a problem that affects the proverbial “little guys” when it comes to cyber security. Broadly speaking, there are three main types of XSS attack:
Stored/Persistent XSS:
In these attacks, malicious script is saved as a permanent part of a web application’s database. That could be as part of a web forum or comment field, for instance.
Reflected/Non-persistent XSS:
In these attacks, bad script is reflected to the user from the web server, with the malicious script being executed as a part of active HTTP requests.
DOM-based XSS:
In these attacks, the vulnerability is part of the client-side code, rather than server-side code. These attacks take place when an application features client-side code that processes data which comes from an untrusted source in a way that is considered unsafe.
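In the stored and reflected types above, untrusted text reaches the page without being encoded for the place it lands in. The following is an added example, not code from the original article: it renders one comment with and without context-aware output encoding. The function names and the sample comment are assumptions constructed for illustration.

```javascript
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode the five characters that can change HTML parsing state in
// element content or in a quoted attribute value.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Links need a second check: encoding alone does not neutralise a
// script-bearing URL scheme, so only absolute http(s) URLs are emitted.
function safeHref(value) {
  try {
    const url = new URL(String(value)); // throws on relative or malformed input
    return ['http:', 'https:'].includes(url.protocol) ? escapeHtml(url.href) : '#';
  } catch {
    return '#';
  }
}

// "Before": untrusted fields are concatenated into markup unchanged.
function renderCommentUnsafe(c) {
  return `<li><a href="${c.site}">${c.author}</a>: ${c.body}</li>`;
}

// "After": every field is encoded for the context it is written into.
function renderCommentSafe(c) {
  return `<li><a href="${safeHref(c.site)}">${escapeHtml(c.author)}</a>: ${escapeHtml(c.body)}</li>`;
}

// Constructed sample input, as a forum might store it or a query string supply it.
const sample = {
  author: 'Mallory <b>',
  site: 'javascript:alert(1)',
  body: '<script>alert(1)</script>',
};

console.log(renderCommentUnsafe(sample)); // markup from the input survives intact
console.log(renderCommentSafe(sample));   // the same input rendered as inert text
```

For the DOM-based type the same rule applies in client-side code: write untrusted values with a text-only sink such as `textContent` rather than `innerHTML`.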
The WooCommerce Bug
Due to their frequency, there is unfortunately no shortage of examples of XSS in action. In some cases, the vulnerabilities that allow XSS attacks to occur are never used in actual attacks – but the fact that the vulnerabilities exist nonetheless opens up this possibility. One recent example of a vulnerability which could have affected large numbers of users was the WooCommerce Bug, an XSS vulnerability which affects the Variation Swatches for WooCommerce plugin installed on approximately 80,000 WordPress-powered e-retail websites.
The Variation Swatches plugin lets online retailers on the WordPress platform display multiple versions of a product, such as a smartwatch strap that comes in multiple color variations. However, the flaw meant that it was possible for a would-be attacker with low-level permissions (for instance, a customer or subscriber) to successfully inject bad JavaScript code that would then execute upon a site administrator accessing the plugin’s settings area. This could potentially let cyber attackers carry out a range of attacks, possibly even up to the level of site takeovers. The vulnerability, tracked as CVE-2021-42367, affected all users of the Variation Swatches plugin until it was patched November 23. However, it nonetheless highlights just how potentially widespread such XSS attacks can be.
Protecting against attacks
Protecting against XSS attacks should be an essential step on the part of any organization. One of the most straightforward ways that businesses can protect themselves is to ensure that they keep properly up-to-date when it comes to the code that runs their organization’s website. This means making sure that plugins and similar are updated, and that regular security assessments are utilized.
This is not always feasible, though. The best, most scalable approach that businesses or other organizations can take when it comes to protecting against XSS attacks is through the use of a web application firewall (WAF). Such web application firewalls use signature-based filtering to recognize, and then block, malicious requests, which makes them a way to counter XSS attacks. By inspecting web traffic, they can help to prevent attacks exploiting known vulnerabilities in a web application, whether that’s cross-site scripting, file inclusion, SQL injection, or more.
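Signature-based filtering as described above can be sketched in a few lines. This is an added example, not code from the original article or from any WAF product: the signature set, rule names and sample requests are constructed for illustration, and real rule sets are far larger.

```javascript
// Hypothetical signature set, constructed for illustration only.
const SIGNATURES = [
  { id: 'xss-script-tag', re: /<\s*script\b/i },
  { id: 'xss-event-handler', re: /<[^>]*\bon[a-z]+\s*=/i },
  { id: 'sqli-union-select', re: /\bunion\b\s+(all\s+)?select\b/i },
  { id: 'path-traversal', re: /\.\.[\/\\]/ },
];

// Decode percent-encoding a bounded number of times so that an encoded
// value is compared against the signatures in the same form as a literal one.
function normalise(value) {
  let out = String(value);
  for (let i = 0; i < 3; i++) {
    let next;
    try { next = decodeURIComponent(out); } catch { break; } // e.g. "100% cotton"
    if (next === out) break;
    out = next;
  }
  return out;
}

// Inspect query-string and form-body values; parameter names are not checked.
function inspect(request) {
  const q = request.url.indexOf('?');
  const values = [
    ...new URLSearchParams(q >= 0 ? request.url.slice(q + 1) : '').values(),
    ...new URLSearchParams(request.body || '').values(),
  ];
  for (const raw of values) {
    const value = normalise(raw);
    const hit = SIGNATURES.find((sig) => sig.re.test(value));
    if (hit) return { action: 'block', rule: hit.id };
  }
  return { action: 'allow', rule: null };
}

// Constructed sample requests (not taken from real traffic).
const SAMPLE_REQUESTS = [
  { method: 'GET', url: '/product?id=42&color=navy+blue' },
  { method: 'GET', url: '/search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E' },
  { method: 'POST', url: '/review', body: 'text=%253Cscript%253Ealert(1)%253C%252Fscript%253E' },
  { method: 'GET', url: '/item?id=1+UNION+SELECT+name+FROM+users' },
];

for (const r of SAMPLE_REQUESTS) console.log(r.method, r.url, inspect(r));
```

A filter like this only recognizes patterns it has a signature for, so it complements the patching and output encoding of the application itself.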
Laila Azzahra is a professional writer and blogger who loves to write about technology, business, entertainment, science, and health.