An attacker embeds harmful code into the server and uses the code to forge a webpage. When a user opens the webpage, the malicious code is injected into the user’s browser to mount attacks. The attacker can then steal the session cookies to obtain the user’s private information, including passwords and other sensitive information.
XSS attacks are directly harmful to web servers, but they can spread from website to website to impair users and steal their accounts or passwords. XSS attacks cause various types of damage, as described below:
- Hanging Trojans on websites: A typical attack embeds a hidden malicious website through an IFrame during cross-site access, then redirects victims to malicious websites and displays pop-up windows for them.
- Identity theft: Cookies are used to authenticate user identities when the user loads a specified website. XSS can be exploited to steal the user’s cookie and obtain the user’s permissions to perform operations on the website. If a website administrator’s cookies are stolen, the website is exposed to threats.
- Spamming: XSS vulnerabilities are exploited to send unwanted information on behalf of the victim to target user groups in an SNS community.
- Hijacking users’ web behaviors: An advanced type of XSS attack can hijack users’ web behaviors to monitor their browsing history and sent/received data.
- XSS worm: XSS worms place advertisements, generate traffic, embed Trojans on websites, play pranks, corrupt online data, and mount DDoS attacks.
Currently, both the Anti-DDoS Pro and Web Application Firewall services provided by Alibaba Cloud Security protect against attacks targeting web applications. Select your service to activate web application attack protection, and guarantee server security.
Filter input/output parameters for XSS vulnerabilities by using the following functions.
- htmlentities() or htmlspecialchars() in PHP
- cgi.escape() in Python
- Server.HTMLEncode() in ASP
- Server.HtmlEncode() in ASP.NET or a more powerful Microsoft Anti-Cross Site Scripting Library
- xssprotect (open source library) in Java
- node-validator in Node.js
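The following is an added example, not code from the original page, showing what the output-encoding functions listed above actually accomplish. It uses html.escape() from the Python standard library, which is the current replacement for the cgi.escape() named in the list (cgi.escape() was removed in Python 3.8). A page fragment is rendered once by concatenating the raw parameter and once through the encoder; a small HTMLParser-based check then counts the tags and attributes the browser would see, so the difference between the two renders is measurable rather than eyeballed. The sample inputs, the render functions and the markup_summary() helper are all constructed for this example.

```python
"""Output encoding against XSS: a vulnerable render beside its hardened form.

Added example (not from the page). Assumes a page that echoes a search
parameter `query` into both an attribute and the body of the HTML.
"""
import html
from html.parser import HTMLParser

# Constructed sample inputs, as a user might submit them in a search box.
SAMPLES = {
    "plain": "alice",
    "body_tag": "<script>alert(1)</script>",        # injects a new element
    "attr_break": '" onmouseover="alert(1)',       # escapes the value="" quoting
}


def render_unsafe(query: str) -> str:
    """'Before' form: the raw parameter is concatenated into the page."""
    return (f'<input name="q" value="{query}">'
            f'<p>Results for {query}</p>')


def render_safe(query: str) -> str:
    """Hardened form: encode for the HTML context at the point of output.

    quote=True also encodes " and ', which is what keeps the attribute
    context intact; the same choice is ENT_QUOTES for htmlspecialchars().
    """
    safe = html.escape(query, quote=True)
    return (f'<input name="q" value="{safe}">'
            f'<p>Results for {safe}</p>')


class _TagAttrCollector(HTMLParser):
    """Records every start tag and attribute name the parser encounters."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []
        self.attrs: list[str] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.attrs.extend(name for name, _ in attrs)


def markup_summary(page: str) -> tuple[list[str], list[str]]:
    """Return (sorted tag names, sorted attribute names) found in `page`.

    The template itself contributes exactly ['input', 'p'] and
    ['name', 'value']; anything beyond that came from the parameter.
    """
    collector = _TagAttrCollector()
    collector.feed(page)
    collector.close()
    return sorted(collector.tags), sorted(collector.attrs)


if __name__ == "__main__":
    for label, value in SAMPLES.items():
        print(f"--- {label}")
        print("unsafe:", markup_summary(render_unsafe(value)))
        print("safe:  ", markup_summary(render_safe(value)))
```

Run stand-alone, the unsafe render of `body_tag` shows a third element (`script`) and the unsafe render of `attr_break` shows a third attribute (`onmouseover`), while both safe renders report only the template's own `input` and `p` with `name` and `value`. The encoder is specific to the HTML body and attribute contexts; a parameter placed inside a `<script>` block, a URL or a CSS value needs the encoder for that context instead, which is why the listed functions are applied at the point of output rather than once on input.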
Use an open source vulnerability repair plugin.
Note: This requires the system administrators to have intermediate programming skills and the ability to modify the servers’ code.