
Cross Site Scripting Vulnerabilities: Hazards of XSS Vulnerabilities

Session Hijacking

XSS allows an attacker to take over a user’s session, most often through the use of session cookies. XSS isn’t the only means for a hacker to hijack a browsing session, but it is one of the most common. Session hijacking steals the intended user’s session cookie to impersonate the actual user, make financial transactions, post to online social media profiles and more.

XSS isn’t difficult for hackers to implement. All it takes is tricking a user into clicking a malicious link that activates the JavaScript code; this allows the session cookie to be accessed by the hijacker. It can also be accomplished through social messages and online forms.

Manipulated Login Credentials and Unauthorized Transactions

Cross-site request forgery (CSRF) is a slightly different tactic, often used in conjunction with XSS. With cross-site request forgery, also known as a one-click attack, users are tricked into authorizing unwanted actions by clicking on a malicious link or loading a page that contains malicious script. The impact is usually felt on the server, where the forged request is carried out: CSRF can allow attackers to log the user out, make purchases, change login credentials, and change or retrieve sensitive account information.

If an attempt to trick the end user is successful, that single click can have devastating consequences. For example, if CSRF is used to exploit a vulnerability on a financial website, a user who is tricked into clicking the link or loading the page can unknowingly initiate the transfer of large amounts of money into the attacker’s account.
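As an added example (not code from the original post), here is a small Python sketch of the countermeasures the two sections above imply: escaping user input for the HTML context so injected markup renders as text, marking the session cookie HttpOnly and SameSite so injected script cannot read it and cross-site requests do not carry it, and binding an anti-CSRF token to the session with an HMAC. The function names, the sample query and the token scheme are my own assumptions, not a particular framework’s API.

```python
import hmac
import html
import secrets

# Constructed sample input: the classic harmless XSS probe a tester might
# submit in a search parameter; any other script would be handled the same.
SAMPLE_QUERY = "<script>alert(1)</script>"


def render_vulnerable(query: str) -> str:
    """Reflect the parameter straight into HTML (the flaw XSS exploits)."""
    return f"<p>Results for {query}</p>"


def render_hardened(query: str) -> str:
    """Escape for the HTML-text context, so the browser displays the
    characters instead of executing them as a script tag."""
    return f"<p>Results for {html.escape(query, quote=True)}</p>"


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie value for the session. HttpOnly keeps it out of
    document.cookie (limits theft via injected script); SameSite=Lax stops
    the browser attaching it to cross-site POSTs (limits one-click CSRF)."""
    return "; ".join([f"session={session_id}", "Path=/", "Secure",
                      "HttpOnly", "SameSite=Lax"])


def make_csrf_token(session_id: str, secret: bytes) -> str:
    """Bind an anti-CSRF token to the session with an HMAC (hypothetical
    scheme; a web framework would normally supply an equivalent)."""
    return hmac.new(secret, session_id.encode(), "sha256").hexdigest()


def verify_csrf_token(session_id: str, submitted: str, secret: bytes) -> bool:
    """Constant-time check that a form's token matches the caller's session."""
    expected = make_csrf_token(session_id, secret)
    return hmac.compare_digest(expected, submitted)


if __name__ == "__main__":
    secret = secrets.token_bytes(32)
    sid = secrets.token_urlsafe(16)
    print(render_vulnerable(SAMPLE_QUERY))  # script tag intact: executable
    print(render_hardened(SAMPLE_QUERY))    # &lt;script&gt;...: inert text
    print(session_cookie_header(sid))
    token = make_csrf_token(sid, secret)
    print(verify_csrf_token(sid, token, secret), verify_csrf_token(sid, "x", secret))
```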

Spreading Worms and Viruses

Cross-site scripting isn’t always used for the purpose of stealing your identity or making financial transactions. It’s also a common method used to spread worms and viruses across the web, particularly among social networks.

In this case the code can simply be embedded in a message, status update or form field. When any user accesses the page containing the malicious code, the script is activated and the worm has successfully spread.

Defacing Websites and Posting Harmful Content

XSS can also have devastating public relations consequences for businesses. When an attacker uses XSS to exploit users’ actions, they can essentially take over the browsing session and manipulate the website. That means they could totally deface your website, or even post malicious content that could create a reputation management problem for your enterprise.

There often isn’t a specific motive behind these activities. Just because your company has never wronged a customer or vendor doesn’t mean that a random hacker wouldn’t use XSS vulnerabilities to create a reputation stir for your company. The true impact of such a breach extends beyond the financial ramifications to public knowledge that your application has not been adequately protected.

Veracode.com points out that many popular websites contain XSS vulnerabilities. It’s the widespread availability of flaws that makes the web a virtual playground for hackers: because XSS takes advantage of vulnerabilities in already-trusted sites, it’s easy to lure unknowing users into clicking malicious links or activating scripts that create devastating consequences.

What do you think?

Written by Admin

Nola J Arney is working as an application and web developer at HTMLPanda. Her core technical skills in web design, Sencha Touch, PhoneGap and other platforms have brought many benefits to the business. She has an interest in writing and hence has written numerous blogs and articles that specifically shed light on website design and development technology. All her write-ups have earned gratitude from specialists worldwide.
