
Cross-site attack

Last Updated: Dec 15, 2017

Vulnerability description

Cross-site scripting (XSS) usually occurs on the client end. It can be used for stealing private information and passwords, phishing, and transmission of malicious code. Technologies used for XSS attacks include HTML, JavaScript, VBScript, and ActionScript.

An attacker embeds malicious code in content served by the server, so that it appears as part of an apparently legitimate webpage. When a user opens the webpage, the malicious code runs in the user's browser. The attacker can then steal the session cookie and obtain the user's private information, including passwords and other sensitive data.

Vulnerability threat

XSS attacks are directly harmful to web servers, but they can spread from website to website, impairing users and stealing their accounts or passwords. XSS attacks cause various types of damage, as described below:

  • Phishing: Most attacks use a reflected XSS vulnerability of the target website to redirect its users to a phishing website, then inject phishing JavaScript that monitors the form inputs on the target website and mounts a more advanced DHTML-based phishing attack.
  • Planting Trojans on websites: Typical attacks embed hidden malicious websites through an iframe during cross-site access, redirect victims to malicious websites, or display pop-up windows for malicious websites.
  • Identity theft: Cookies are used to authenticate user identities when the user loads a specified website. XSS can be exploited to steal the user's cookie and obtain the user's permissions to perform operations on the website. If a website administrator's cookies are stolen, the whole website is exposed.
  • Spamming: XSS vulnerabilities are exploited to send unwanted messages on behalf of the victim to target user groups in an SNS community.
  • Hijacking users' web behavior: An advanced type of XSS attack can hijack users' web behavior to monitor their browsing history and the data they send and receive.
  • XSS worms: XSS worms place advertisements, generate traffic, embed Trojans on websites, play pranks, corrupt online data, and mount DDoS attacks.

Prevention methods

Method 1

Currently, both the Anti-DDoS Pro and Web Application Firewall services provided by Alibaba Cloud Security protect against attacks targeting web applications. Select your service to activate web application attack protection, and guarantee server security.

Method 2

Filter input and output parameters for XSS by using the following functions.

  • htmlentities() or htmlspecialchars() in PHP
  • cgi.escape() in Python
  • Server.HTMLEncode() in ASP
  • Server.HtmlEncode() in ASP.NET or a more powerful Microsoft Anti-Cross Site Scripting Library
  • xssprotect (open source library) in Java
  • node-validator in Node.js
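The following Python example is added here to show what the encoding functions listed above do in practice; it is not code from this page or from Alibaba Cloud. It uses html.escape() rather than the listed cgi.escape(), because cgi.escape() was deprecated in favour of html.escape() and removed from the standard library in Python 3.8. The sample inputs are constructed, and the render_* function names are assumptions for illustration. It also shows one caveat the list above leaves implicit: HTML entity encoding protects the HTML text and attribute contexts, but a value placed into a URL (or a JavaScript block) needs the encoder for that context.

```python
"""Added example (not from the page or Alibaba Cloud): output encoding as an
XSS defence in Python. html.escape() is the maintained replacement for the
page's cgi.escape(), which was removed from the standard library in 3.8."""
import html
from urllib.parse import quote

# Constructed sample inputs: values an untrusted user could submit.
NAME_PAYLOAD = '<img src=x onerror="alert(1)">'      # aimed at the HTML body
ATTR_PAYLOAD = '" onfocus="alert(1)" autofocus="'     # aimed at an attribute
PATH_PAYLOAD = 'javascript:alert(1)'                  # aimed at a URL


def render_unsafe(name: str) -> str:
    """'Before': untrusted input concatenated straight into the HTML body."""
    return f"<p>Welcome, {name}!</p>"


def render_safe(name: str) -> str:
    """'After': encode for the HTML text context. html.escape() turns
    & < > " ' into entities, so the browser renders the payload as text,
    not as markup."""
    return f"<p>Welcome, {html.escape(name)}!</p>"


def render_attribute_safe(name: str) -> str:
    """Attribute context: quote=True (the default) also encodes the quote
    characters, so the value cannot close the attribute and start a new
    one such as an event handler."""
    return f'<input type="text" value="{html.escape(name, quote=True)}">'


def render_link_safe(segment: str) -> str:
    """URL context: percent-encode the untrusted path segment first, then
    HTML-escape the attribute value. HTML escaping alone leaves a
    'javascript:' URL intact, so the encoder has to match the context."""
    encoded = quote(segment, safe="")
    return f'<a href="/profile/{html.escape(encoded)}">profile</a>'


def contains_live_tag(rendered: str, tag: str) -> bool:
    """Check helper: does the rendered output still contain an unescaped
    '<tag' that a browser would parse as an element?"""
    return f"<{tag}" in rendered.lower()


if __name__ == "__main__":
    print(render_unsafe(NAME_PAYLOAD))          # payload survives as markup
    print(render_safe(NAME_PAYLOAD))            # payload shown as literal text
    print(render_attribute_safe(ATTR_PAYLOAD))  # quotes encoded, no breakout
    print(render_link_safe(PATH_PAYLOAD))       # ':' and '(' percent-encoded
```

Encoding is applied at output time, in the exact context where the value is written, rather than once on input; the same stored value may later be written into an attribute or a URL, where HTML body encoding is not the right transform.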

Method 3

Use an open source vulnerability repair plugin.

Note: This requires the system administrators to have intermediate programming skills and capabilities of modifying the servers’ code.
