A7:2017-Cross-Site Scripting (XSS)

OWASP A7: Cross-Site Scripting (XSS) - Learn about XSS attacks, prevention methods, and real-world attack scenarios. Protect your web applications from session hijacking and malware delivery.

Overview

Cross-Site Scripting (XSS) is the second most prevalent issue in the OWASP Top 10. It refers to the injection of malicious scripts into web pages viewed by other users. XSS attacks can lead to remote code execution in the victim's browser, session hijacking, and delivery of malware to users.


Description

XSS vulnerabilities occur when unvalidated, unescaped user input is included in HTML output. There are three forms of XSS: reflected XSS, stored XSS, and DOM XSS. In reflected XSS, the application echoes user input into its HTML output, so a malicious link or other attacker-controlled source can execute arbitrary HTML and JavaScript in the victim's browser. In stored XSS, unsanitized user input is stored by the application and later viewed by other users or administrators. DOM XSS arises when JavaScript frameworks and APIs dynamically include attacker-controlled data in the page on the client side. XSS attacks can lead to session stealing, MFA bypass, DOM node replacement, and other client-side attacks.


How to Prevent?

To prevent XSS, it is important to separate untrusted data from active browser content. This can be done by using frameworks that automatically escape XSS by design, escaping untrusted data in HTML output, applying context-sensitive encoding (HTML body, attribute, JavaScript, CSS, and URL contexts each need their own encoding), and enabling a Content Security Policy (CSP) as a defense-in-depth control. OWASP provides various resources, including cheat sheets and testing guides, for preventing XSS attacks.


Example Attack Scenarios:

  • Scenario #1: Injection of Malicious Script: The application uses untrusted data in the construction of an HTML snippet without validation or escaping. The attacker modifies a parameter to inject a malicious script that steals the victim's session ID, which allows the attacker to hijack the user's current session.
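The following is an added example, not code from the original page or from Cloud Defense. It puts the snippet from Scenario #1 beside its hardened form and shows the two prevention controls from the section above: context-sensitive escaping of untrusted data and a Content Security Policy header. The function names, the probe input, and the nonce value are all constructed for illustration.

```javascript
// Added example (not from the original page): a vulnerable HTML snippet built by
// string concatenation, the hardened version using attribute-context escaping,
// and a Content Security Policy header. All names and inputs are constructed.

// Minimal encoder for the HTML body and quoted-attribute contexts. It escapes
// the five characters that change meaning inside a text node or a quoted
// attribute value.
function escapeHtml(untrusted) {
  const map = {
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#x27;',
  };
  return String(untrusted).replace(/[&<>"']/g, (ch) => map[ch]);
}

// VULNERABLE (mirrors Scenario #1): a request parameter is spliced into an HTML
// snippet verbatim, so a value containing a quote and a <script> tag reaches the
// victim's browser as live markup.
function renderProfileUnsafe(displayName) {
  return "<input name='displayName' type='text' value='" + displayName + "'>";
}

// HARDENED: same markup, but the value is encoded for the attribute context and
// the attribute is double-quoted, so the encoded output cannot close it early.
function renderProfileSafe(displayName) {
  return '<input name="displayName" type="text" value="' + escapeHtml(displayName) + '">';
}

// Defense in depth: a strict CSP that refuses to run inline scripts even if an
// escaping bug lets a <script> tag reach the page. The nonce is a per-response
// random value the server attaches to its own <script> tags (hypothetical
// helper; generate it with crypto.randomBytes in a real server).
function buildCsp(nonce) {
  return [
    "default-src 'self'",
    `script-src 'nonce-${nonce}' 'strict-dynamic'`,
    "object-src 'none'",
    "base-uri 'none'",
  ].join('; ');
}

// Constructed probe input: a single quote to close the attribute in the
// vulnerable snippet, followed by a script tag.
const probe = "'><script>probe()</script>";

// Renders both versions with the probe so the difference is visible.
function demo() {
  return {
    unsafe: renderProfileUnsafe(probe),   // contains a live <script> tag
    safe: renderProfileSafe(probe),       // tag survives only as &lt;script&gt;
    csp: buildCsp('d2c1f9a0'),            // constructed nonce for illustration
  };
}
```

Calling `demo()` shows the unsafe rendering containing `<script>` as real markup while the safe rendering carries only `&lt;script&gt;`; in an HTTP handler the CSP string would be sent as the `Content-Security-Policy` response header. Note that `escapeHtml` is correct only for the HTML body and quoted-attribute contexts; data placed inside a JavaScript string, a CSS value, or a URL needs the encoder for that context.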
