In this article, we will talk about security testing, using XSS injection as an example of a vulnerability.
Security testing: XSS injections
- 19.12.2023
- Posted by: Admin
Basic concepts
Security testing is a procedure that helps to determine how well the software is protected from various attacks. This testing aims to detect vulnerabilities in the product and evaluate the level of data and system protection against various attacks. Security testing checks how the built-in security mechanisms react to attack attempts. Still, even after a full testing cycle, there is no guarantee that the product is protected from attacks. All you can be sure of is that the number of unauthorized infiltrations, information thefts, and data losses will be significantly lower.
XSS (Cross-Site Scripting) is one of the most common types of attack on a web system and, by far, the most common type of vulnerability. During such an attack, attackers inject malicious code (a script) that communicates with a web server they control into a website page. The code is executed once the user visits the page.
Many people have surely encountered XSS vulnerabilities on different websites. A typical sign is a pop-up that appears with information unrelated to the requested site, in other words, an advertisement that damages the site's reputation.
Applications are vulnerable to XSS if they do not validate or transform data before adding it to the page. The page can also be updated through the browser API with user-provided data that contains HTML or JavaScript code. Using XSS, various scripts can be executed in the browser to intercept user sessions, spoof website pages, or redirect users to malicious websites. A developer who trusts users too much and lets malicious input reach the page also makes the website vulnerable to attack.
XSS is classified into the following types based on the attack vector:
Reflected
It is the most common type of XSS attack on websites. The attack is performed by adding a script to the website URL. Because the data is not validated, the script is rendered and executed by the user's browser.
How does it work?
Attackers detect a vulnerability on a website: adding a certain script to the website URL triggers the vulnerability and displays the message they want. They then send this link to an inexperienced user through email or a messenger.
The vulnerability means that the GET parameter of the URL is not filtered, neither when the script is transmitted nor before it is used in the output. Such a vulnerability belongs to the class of incorrect input and output data processing. It is the most common type of vulnerability and leads to most known attacks.
Stored
This type of XSS attack is more dangerous than reflected XSS. Here the attacker does not just add a script to the URL but also saves the code (script) on the server, so it is executed in the browser every time a user visits the page. A simple example of such a vulnerability is a forum that lets users leave comments in HTML format without restrictions.
How does it work?
An attacker has identified a vulnerability in a chat room on a website that shows the desired message every time a user opens the chat page. The attack repeats until the administrator fixes the vulnerability.
A stored XSS vulnerability arises when incoming data is incorrectly filtered before being saved to the database on the server or written to files, and that data is later displayed in the user's browser.
Document Object Model (DOM)
DOM (Document Object Model) is a platform- and language-independent programming interface. It allows programs and scripts to access the content of HTML, XHTML, and XML documents and to change their content, structure, and layout.
Following from the DOM definition, the main goal of DOM-based XSS is to modify the object model of the attacked website by executing malicious JavaScript code in the context of that website.
Main attack directions in DOM-based XSS:
- changing the site pages;
- performing actions on behalf of the user;
- stealing cookies;
- keylogger (software or hardware device designed to intercept data entered from the keyboard);
- scanning the internal network.
Protection methods
To protect against attacks, certain rules must be followed during development. Do not trust data provided by the user or by any third-party source, and keep unverified data separate from the browser's active content. This can be done in several ways:
- use frameworks that provide automatic data escaping; analyze the limitations of each framework's XSS protection and handle those exceptions appropriately;
- encode unverified data from HTTP requests according to the HTML context it is inserted into (body, attributes, JavaScript, CSS, or URL) to prevent reflected XSS and execution of stored XSS;
- apply contextual encoding when changing the document in the browser to prevent DOM-based XSS attacks;
- replace or complement encoding with validation where encoding is impossible or impractical.
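A worked illustration of the reflected case above and of the contextual encoding rule, added here and not part of the original article: a search page that reflects the GET parameter q into a text node, an attribute and a script literal, rendered once unfiltered and once with a per-context encoder. The page, the probe value and the function names are constructed for this example; it runs under plain Node.js.

```javascript
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };

// Encoder for the HTML body and for double-quoted attribute values.
function encodeForHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Encoder for a JavaScript string literal: everything outside [A-Za-z0-9]
// becomes \xHH or \uHHHH, so quotes, "</script>" and line terminators
// cannot close the literal or the script block.
function encodeForJsString(untrusted) {
  return String(untrusted).replace(/[^A-Za-z0-9]/g, (ch) => {
    const code = ch.charCodeAt(0);
    return code < 0x100 ? "\\x" + code.toString(16).padStart(2, "0")
                        : "\\u" + code.toString(16).padStart(4, "0");
  });
}

// Vulnerable rendering (the article's unfiltered GET parameter): the raw
// value is pasted into a text node, an attribute and a script literal.
function renderVulnerable(q) {
  return `<p>Results for: ${q}</p>\n<input value="${q}">\n` +
         `<script>var query = '${q}';</script>`;
}

// Hardened rendering: each insertion point uses the encoder for its context.
function renderHardened(q) {
  return `<p>Results for: ${encodeForHtml(q)}</p>\n` +
         `<input value="${encodeForHtml(q)}">\n` +
         `<script>var query = '${encodeForJsString(q)}';</script>`;
}

// Extract "q" as a server would; URL decoding yields the raw user input.
function handleRequest(requestUrl, render) {
  const q = new URL(requestUrl, "http://localhost").searchParams.get("q") || "";
  return render(q);
}

// Tester's check: the template has exactly one <script> element, so any
// additional opening tag means input broke out of its context.
function scriptTagCount(html) {
  return (html.match(/<script\b/gi) || []).length;
}

// Constructed probe, the kind a QA engineer uses to verify escaping.
const PROBE_URL = "/search?q=" + encodeURIComponent('"><script>probe()</script>');

console.log(scriptTagCount(handleRequest(PROBE_URL, renderVulnerable))); // 4
console.log(scriptTagCount(handleRequest(PROBE_URL, renderHardened)));   // 1
```

The tag count is only a smoke test for this one template; in a real test cycle the rendered page is loaded in a browser or a DOM parser and checked for any script or handler that the template did not define.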
To sum up, XSS is a class of web application vulnerability that allows an attacker to inject a script into web pages viewed by other users. To protect a resource, follow the basic principles of resource security and evaluate the system for security deficiencies from the attacker's perspective.