T 5.170 Cross-Site Scripting (XSS)
Cross-Site Scripting (XSS) attacks are directed against the users of a web application and their clients. The attacker tries to deliver malicious code (usually scripts, such as JavaScript, that run on the browser side) indirectly to the client of a user of the web application.
If the input and output data of a web application are not validated adequately, an attacker can smuggle malicious code into the web application (e.g. within a comment on an item) and so spread it. When the user calls up the infected website, the client (for example, the browser) executes the inserted malicious code. From the user's perspective, the malicious code comes from the web application and is thus classified as trustworthy. Therefore, the malicious code is interpreted within the security context of the web application, and the attacker is able to execute commands within the context of any existing session of the affected user.
There are three classes of XSS attacks:
- persistent (permanent)
- reflected (non-persistent)
- DOM-based (local).
The following examples illustrate the differences between the attack classes:
- An attacker is able to leave an entry in a guest book containing JavaScript code. If the user calls up the corresponding guest book entry, the script is transmitted and executed by the browser. The script is executed within the security context of the web application and thus has access to the user's SessionID stored on the client side in the cookie if this session cookie was set (incorrectly) without the HttpOnly flag. This information is communicated from the script to the attacker, who can use the SessionID and thus take over the session of an authenticated user. Since the JavaScript code is only interpreted by the browser and not displayed, it is very difficult for the user to notice this process. This attack is a persistent XSS attack, as the malicious code is stored in the guest book entry and thus permanently in the web application.
- An attacker prepares the GET parameter of a URL so that it contains JavaScript code. As the web application uses this parameter without checking it when building the website, the smuggled-in JavaScript code is transmitted to the client and executed by the browser within the security context of the web application. If the attacker is able to distribute such a prepared link (for example, by email) and a logged-in user clicks on it, the malicious script is executed in the user's browser. Such an XSS attack is referred to as reflected or non-persistent, as the malicious code is not stored permanently but is sent straight back by the web application after the input has been made.
- JavaScript code on a website processes parameters from the URL (e.g. http://host.tld/param="contents") and integrates them into the website so that they can be displayed. Thus, manipulating the parameters makes it possible to integrate arbitrary contents into the website. If the website is called up with the malicious JavaScript code in the parameter, this code is integrated into the website and executed by the browser. Contrary to the previous types of attack, the malicious code is not inserted into the website by the web application, but only locally by the browser through the client-side JavaScript processing of the URL parameters. In this case, the malicious code can manipulate the Document Object Model (DOM) environment and, in addition, change the structure and contents of the website.