By Chris David and Franklin Aguilar
Imagine you’re developing a web site. You want some basic functionality, including menus, popups, buttons and forms. Crack your knuckles and sit down at the keyboard. You’ll start by writing thousands of lines of code, stylesheets and HTML. Then you move on to testing and debugging. OR… you can decide to skip reinventing the wheel. You can reuse the work that others have done and go right to the design phase. Welcome to the wonderful world of scripting.
At the most basic level, a script file is a text-format document with instructions written out by a developer or team of developers. For example, a script can provide common functionality, the automation of frequent tasks, control behaviors and events and even control other applications. A script is a reusable list of commands that can be executed for different purposes.
The inclusion of scripts on your web site grants you a lot of functionality in return for very little effort on your part. But there’s a dark side to this easy functionality.
What are cross-site scripts?
For any given web site, your web browser will only run scripts that are referenced by the loaded page. And all pages and scripts loaded from the same site share the same permissions. This is known as the same-origin policy. But what if a malicious actor could trick a web server into sending their own scripts?
Simply put, a cross-site script (XSS) is a type of injection vulnerability, where a hacker devises a way to have a target web server send their own code.
Cross-site scripts take advantage of the same-origin policy. Since all scripts loaded from the same site share the same permissions, your web browser has no idea that a malicious script should not be trusted. A malicious script can steal any information you enter on the target web site, including login credentials, credit card numbers, personal information and more.
How about an example?
Let’s say you run a web site for your small business… On your site, you allow users to create accounts and enter information for their orders and deliveries. A hacker realizes that your site contains a vulnerability, where the delivery address field is not properly sanitized. The hacker enters a malicious script into the delivery address field.
When you log in to your site to review upcoming orders and deliveries, the script runs in the background and steals your authentication information, sending it to the hacker. Now the hacker can log in as you and take control of your site.
What can you do to prevent cross-site scripting on your web site?
Escaping means adding extra characters to possibly executable code received via forms and application inputs, so that a browser treats it as plain text rather than running it. This is the most basic mitigation technique, but not the safest, as the executable code can be “unescaped” accidentally or on purpose, to run on a target web site.
Validation assumes that all data coming from outside the system is malicious and should not be trusted. This includes query strings, cookies, headers, requests, form fields and data from any other systems. All data must be validated before it reaches your database.
Sanitization of all inputs is the safest defense against malicious inputs. This process strips out any and all possibly-executable scripts and instructions from application inputs.
Cross-site scripting accounted for 40 percent of all web site vulnerabilities in 2019. An XSS attack is a hacker’s favorite choice. And this class of vulnerability puts your customers’ information at risk and your business on the line.
Hardening your web site against cross-site scripting and other injection vulnerabilities is a daunting task. Your site might use scripts, plug-ins and code from dozens of sources. Many development frameworks and platforms provide built-in ways to mitigate against injection and XSS. But you still have to understand how to use these tools correctly.
So make sure you understand the possible cyber attacks and risks to your business. Hire a competent web developer to handle the work, and have a computer security specialist review your site periodically.