In the cyber security world, there are a number of vulnerabilities to be aware of. Today we’re going to look at a specific one: Stored Cross-Site Scripting (XSS).
Let’s start off by answering the question: what is cross-site scripting?
An XSS attack is a type of injection in which malicious script reaches users through a source they trust, such as a page served by a legitimate website. It happens when an attacker uses an existing web application to send data to its end users; the user’s browser receives the malicious script as part of the trusted page and has no way of knowing that the script contained within is untrusted.
Compared to ‘Reflected XSS’, ‘Stored XSS’ is the more devastating type of cross-site scripting flaw. Stored XSS allows an attacker to inject client-side script directly into the target server’s persistent storage, such as the database behind a comment form. This is not just a single-user issue, however: it affects everyone who visits the affected pages. Once attackers find a vulnerability in the web application, they can inject their script and wait for an unsuspecting target to fall into their trap. Sites that allow their users to share content (like blogs or social networking sites) are the most common targets. The injected script is permanently stored on the now compromised server, which delivers it to every user whose request causes that content to be rendered.
Let’s give an example of a stored XSS attack:
Jessica is a blogger with a rival. Her rival has a virtual guestbook on their site so the readers can leave comments. The blog’s owner thinks this is a really nifty feature but may be unaware of the risks to themselves or their readers. Since this is Jessica’s rival and she really wants to hurt them, she decides to try out something she learned about recently: XSS attacks.
To do this, Jessica would submit her script instead of leaving an actual message for the blogger. The comment could read like an innocent message, something like “I really loved your video/message and I wrote a review of it on my own blog (link here)”. The script would be hidden within that link, and everyone who loads the page would be exposed to Jessica’s attack. Since it’s stored, it’s not going away. An unsuspecting visitor to the attacked blog might never scroll down to the guestbook, but because the comment is rendered as part of the page, they have been targeted as well.
There are a few ways to mitigate or prevent XSS attacks, such as: encoding the data an application has received so that it is rendered as text rather than markup before it reaches the end user, allowlisting and validating input, and sanitizing the data to be sure that what’s coming through isn’t harmful to the end users.
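To make the guestbook scenario and the mitigations concrete, here is an added example that is not part of the original post. It is a tiny guestbook in plain JavaScript: the store, the function names (storeComment, renderGuestbookUnsafe, renderGuestbookSafe, escapeHtml, isValidComment, safeHref) and the sample comments are all constructed for illustration. The unsafe renderer shows why a single stored comment reaches every visitor; the hardened path applies output encoding, an allowlist validator on input, and a scheme allowlist for the commenter-supplied link.

```javascript
// Added example, not from the original post: a minimal guestbook that stores
// comments and renders them to every visitor, first in a vulnerable form and
// then hardened with output encoding and allowlist validation. The store,
// function names and sample comments are constructed for illustration.

// Persistent store. On a real site this is the database behind the guestbook;
// every visitor's page is rendered from it, which is why one malicious comment
// reaches every reader (stored XSS).
const guestbook = [];

function resetGuestbook() {
  guestbook.length = 0;
}

// The original, unvalidated write path: anything the commenter typed is kept.
function storeComment(author, body, link = null) {
  guestbook.push({ author, body, link });
  return true;
}

// VULNERABLE: raw string concatenation into HTML. Whatever was stored becomes
// markup in every visitor's browser, so a comment containing <script> runs.
function renderGuestbookUnsafe() {
  return guestbook
    .map((c) => `<li><b>${c.author}</b>: ${c.body}</li>`)
    .join("\n");
}

// Mitigation 1, output encoding: replace the characters that change meaning in
// HTML text and double-quoted attribute contexts, so user data is displayed
// as text and never interpreted as markup.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Mitigation 2, allowlist validation of input: a comment may contain only
// letters, digits, spaces and a small set of punctuation, at most 500
// characters. Angle brackets and equals signs are not on the list, so markup
// is rejected before it is ever stored. This is a second layer, not a
// replacement for output encoding.
const COMMENT_ALLOWED = /^[\p{L}\p{N}\p{Zs}.,!?:;'"()\/_@-]{1,500}$/u;
function isValidComment(text) {
  return COMMENT_ALLOWED.test(String(text));
}

// A validated write path that a hardened guestbook would expose to users.
function submitComment(author, body, link = null) {
  if (!isValidComment(author) || !isValidComment(body)) return false;
  return storeComment(author, body, link);
}

// Links need their own allowlist: only absolute http(s) URLs are accepted, so
// a "javascript:" or "data:" URL smuggled into the comment's link is dropped.
function safeHref(rawUrl) {
  let url;
  try {
    url = new URL(String(rawUrl));
  } catch {
    return null;
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") return null;
  return url.href;
}

// HARDENED render: every stored value is encoded for the context it lands in,
// and the link is only emitted if it passed the scheme allowlist.
function renderGuestbookSafe() {
  return guestbook
    .map((c) => {
      const href = safeHref(c.link);
      const linkHtml = href ? ` <a href="${escapeHtml(href)}">review</a>` : "";
      return `<li><b>${escapeHtml(c.author)}</b>: ${escapeHtml(c.body)}${linkHtml}</li>`;
    })
    .join("\n");
}

// Walk-through of the scenario in the post with a constructed, harmless payload.
resetGuestbook();
storeComment("Reader", "Great post, thanks!");
storeComment("Jessica", "<script>alert('xss')</script>", "javascript:alert(1)");
console.log("unsafe:\n" + renderGuestbookUnsafe());
console.log("safe:\n" + renderGuestbookSafe());
console.log("validator accepts payload:", isValidComment("<script>alert('xss')</script>"));
```

The important design point is that encoding happens at render time, for the context the value lands in (HTML text, or a double-quoted attribute), rather than at storage time; the validator and the URL scheme check reduce what gets stored in the first place, but a templating layer that escapes on output is what keeps a stored comment from ever becoming markup.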
While prevention is hard, there are options to protect against this type of attack. One good source for preventative measures is the OWASP XSS Prevention Cheat Sheet.