XSS
Introduction to XSS - Cross site scripting.
Cross-site scripting (XSS)
Cross-site scripting, or XSS, is the exploitation of a website security flaw that allows a hacker to inject JavaScript or HTML code that the victim's browser will execute without their knowledge.
XSS vulnerabilities open up great possibilities for hackers: installation of software, theft of session cookies, etc.
Find out what cross-site-scripting is and how to guard against these XSS attacks.
Definition of XSS
Cross-site scripting, commonly referred to as XSS, is a cyber attack that exploits website security holes. XSS is the insidious injection of a script into a website that appears secure.
The injected code triggers actions in the browser, and therefore affects any user who visits the infected page.
Exploiting an XSS flaw can allow a hacker to steal a user's session by retrieving their session cookies. Another way to use XSS is to direct the user to another site so that they fall victim to phishing. The unlucky internet users who trigger this malicious script therefore become vulnerable.
The most common exploitation of XSS by hackers is injecting JavaScript code directly into the HTML page. However, many other XSS exploits are possible, as the attacker can use any of the languages supported by the browser.
It is possible to modify the content of an HTML page or to control the victim's browser using XSS.
When exploited, these flaws can be very significant with far-reaching consequences. A cybercriminal can do endless things once they gain access to their victim's web browser.
Using XSS, hackers can distribute their malware to a large number of people.
Why is this called cross-site scripting?
The name cross-site scripting comes from the fact that the principle of these attacks is to inject malicious code from a fraudulent website into a harmless website. This is a "crossing" of script from one site to another.
The different types of cross-site scripting attacks
The principle of an XSS attack is to use malicious content, which is content that the user does not expect when on a website that they think is secure.
An XSS attack can range from simply discrediting a website by modifying it, to stealing a user's sensitive data by taking control of their operating system.
There are three types of XSS; the principle is identical, but each operates differently.
Stored XSS attacks
During a stored or persistent XSS attack, the hacker injects malicious scripts directly into the web server where they will be stored. The scripts are thus served to users each time the page in question is loaded: the insidious content is returned to the browser on each visit to the website.
Reflected XSS attacks
In the case of reflected XSS, malicious scripts only exist temporarily and are not stored on the server. These scripts are sent to a web server through a manipulated URL or a prepared form.
During a reflected XSS, the server returns the script to the user without it being verified.
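The reflection described above, shown as an added example (not code from the original page): a search page that echoes a URL parameter unverified, next to the same page with the value HTML-encoded on output. The function names, the "q" parameter and the example.test host are assumptions made for illustration.

```javascript
// Added example: reflected XSS in a search page, unsafe vs. encoded output.
// renderUnsafe, renderSafe and the "q" parameter are hypothetical names.

// Encode the five characters that let text break out of HTML element
// content or out of a quoted attribute value.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Pull the search term out of the request URL, as a server handler would.
function getQuery(requestUrl) {
  return new URL(requestUrl).searchParams.get('q') ?? '';
}

// Vulnerable: the parameter is returned to the browser without verification,
// so markup in the URL becomes markup in the page.
function renderUnsafe(requestUrl) {
  const q = getQuery(requestUrl);
  return `<p>Results for: ${q}</p><input name="q" value="${q}">`;
}

// Hardened: same template, but every reflected value is encoded on output,
// so the browser displays it as text instead of parsing it.
function renderSafe(requestUrl) {
  const q = escapeHtml(getQuery(requestUrl));
  return `<p>Results for: ${q}</p><input name="q" value="${q}">`;
}

// Constructed sample requests (not taken from any real traffic).
const samples = [
  'https://example.test/search?q=' + encodeURIComponent('<script>alert(1)</script>'),
  'https://example.test/search?q=' + encodeURIComponent('" onfocus="alert(1)'),
  'https://example.test/search?q=' + encodeURIComponent('cats & dogs'),
];

for (const url of samples) {
  console.log('unsafe:', renderUnsafe(url));
  console.log('safe:  ', renderSafe(url));
}
```

The second sample shows why quotes must be encoded as well as angle brackets: the value lands inside an attribute, where a bare double quote would end the attribute early.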
DOM-based XSS attacks
DOM-based XSS attacks are also called local XSS.
Unlike stored and reflected XSS attacks, in DOM-based XSS, the web server is not used. The attack takes place directly in the victim's internet browser. In this situation, the malicious code is usually executed while loading a URL that has been manipulated.
How to protect yourself from an XSS attack?
Defending against XSS attacks is quite complex since they target websites and not your computer.
Guarding against XSS attacks is not impossible, especially if you start from the assumption that not everything coming from the Internet is secure. Getting into the habit of checking URLs limits the risk of XSS: if you see anything abnormal, think twice before taking action on the site in question.
The use of secure browsers and regularly updated software can also limit these risks.