XSS Attack

It is usually a safe bet to assume that web applications will be a major target for cybercriminals at any given time. Typically, they are exposed to the public Internet and guard access to extremely sensitive data. As a result, it is not difficult for attackers to reach them, and the large number of vulnerabilities in the average web app means that attackers have a high probability of success over time.

What does change from year to year and from list to list is which vulnerability is the “most popular” or “most dangerous” one exploited by cybercriminals. In 2019, cross-site scripting (XSS) topped the list as the “most popular” attack of the year.

What is Cross-Site Scripting?

Cross-site scripting attacks are one of many different types of exploits targeting web application code. In recent years, XSS attacks have grown in popularity since they allow cybercriminals to set up second-stage attacks, like web skimmers, on legitimate websites.

XSS attacks take advantage of the HTML standard and the structure of standard webpages. Webpages are composed of three different types of content: HTML, CSS, and scripts. HTML defines the content and structure of a webpage, CSS describes stylistic features, and scripts enable interactivity and animation.

A webpage can be put together in a couple of different ways. The HTML standard allows CSS and script content to be embedded directly in the page as long as it is marked with the appropriate tags (like <style></style> or <script></script>). Alternatively, this content can be placed in separate files referenced from the main HTML page.

The ability to embed scripts or references to them in HTML pages makes cross-site scripting attacks possible. Some websites will modify the HTML code of a page based on user input. For example, a page may display “Hello <First Name> <Last Name>” in a banner at the top of the page or have a comments section where users can leave their review of a product or reactions to a video.

An attacker can take advantage of this by including properly tagged script content within their input. When this input is embedded in the HTML page and the page is later served to a user, the user’s browser will interpret the embedded script as an intentional part of the page and execute it.

The ability to embed malicious scripts on a webpage (or link to an external one) is used for a variety of malicious purposes. The Magecart group became famous for their web skimmer attacks, in which malicious scripts embedded in legitimate websites’ payment portals send user-entered payment card data to an attacker-controlled server. A Magecart attack against British Airways resulted in a record-breaking General Data Protection Regulation (GDPR) fine being levied against the airline.

The “Most Popular” Cyberattack of 2019

According to a recent report, cross-site scripting has been named the “most popular” type of cyberattack in 2019. This title comes from the fact that nearly 40% of all cyberattacks in 2019 were cross-site scripting attacks, and that 75% of organizations were targeted in an XSS attack in 2019.

The prevalence of cross-site scripting attacks in 2019 points to the continued focus on websites as a target for cybercriminals. In many cases, a website is a collection of code exposed to the Internet that provides direct access to extremely sensitive data. Exploits against vulnerabilities in this code, like XSS, enable cybercriminals to access and breach sensitive data, which not only is saleable on the black market but also hurts their target due to penalties incurred under the EU’s GDPR and other similar data privacy laws.

The runners-up on this list also indicate a focus on web applications as the target of cyberattacks. Number two was SQL injection, which takes advantage of poor input sanitization when building database queries, enabling an attacker to run their own commands on the database. Third place was taken by fuzzing attacks, which involve sending random data to a system in the hope of triggering (and detecting) a bug that could be exploited in an attack.

Protecting Against Cross-Site Scripting Attacks

Organizations’ websites and web applications are a prime target of cybercriminals. Attacks like cross-site scripting are increasingly popular due to their ability to set up the next stage of an attack. For example, web skimmers, like those used by the infamous Magecart Group, require the ability to place malicious code on a legitimate website. The exploitation of a cross-site scripting vulnerability is a common method for accomplishing this.

Cross-site scripting is not a new type of attack against web applications. However, these vulnerabilities continue to exist in production code, leaving organizations’ web presence vulnerable to attack. Protecting against XSS attacks, and avoiding massive fines like the one levied against British Airways for a successful Magecart attack, requires detecting attempted exploitation of these vulnerabilities before it reaches a webpage.

Deploying a web application firewall (WAF) is an ideal solution to this issue. A strong WAF is capable of protecting a web application against all of the most common threats (like cross-site scripting and the rest of the OWASP Top Ten list of web application vulnerabilities) as well as novel threats against an organization’s web presence. As attacks against web applications, like web skimmers, become more common and the evolving regulatory landscape makes the impacts of a successful attack more severe, deploying appropriate protections against these types of threats only grows in importance.