Defending Against Cross-Site Scripting (XSS) Attacks

February 14, 2020 - Ensighten

Cross-site scripting (XSS) attacks accounted for almost 40 percent of all cyberattacks in 2019. How can you protect your business?

When we hear about cyberattacks, we often think of attacks on IT systems or networks – technology traditionally found within the confines of the organization. But the truth is that in 2019, more than 72 percent of cyberhackers targeted customer-facing websites.

One of the most common methods of attack is cross-site scripting (XSS), in which malicious scripts are injected into trusted websites. This type of attack is now so widespread that almost 40 percent of ALL cyberattacks in 2019 – not just those on websites – were carried out using XSS.

But the prevalence of cross-site scripting (XSS) attacks does not make them any less devastating for your business.

What is a Cross-Site Scripting attack?

Described as one of the most feared web application attacks by the International Council of E-Commerce Consultants (EC-Council), XSS is based on client-side code injection. The attacker injects a malicious script into a legitimate application; the script is then delivered to the user’s web browser as part of the trusted page and executes there with the page’s privileges. These attacks are common in web applications written in JavaScript, CSS, VBScript, ActiveX and Flash.

This opens the door for hackers to gain access to the web user’s cookies, for example, enabling them to impersonate the targeted individual and retrieve their sensitive data. The EC-Council notes that combining web application vulnerabilities with social engineering methodologies means “attackers can execute advanced cyberattacks, such as cookie theft, planting trojans, keylogging, phishing and identity theft.”

DOM-based XSS attacks are the hardest to detect because the vulnerability lies in the client-side code rather than the server-side code: the untrusted input is read and processed entirely within the browser, so the server never gets a chance to see the attack taking place.

Why are XSS attacks dangerous to your business?

A 2019 report by Positive Technologies shows that three-quarters of websites are vulnerable to XSS attacks. In addition, half of web applications have access control issues and one-third are susceptible to code injection.

One example is the breach of the computer hardware and electronics ecommerce retailer Newegg by the infamous website hackers Magecart, who used a form of XSS attack. In a type of formjacking, Magecart injected its malicious JavaScript into a page hosted on ‘secure.newegg.com’ that was presented during the checkout process. The code ran when customers moved to the billing page while checking out, where their payment data was scraped and sent back to the domain “neweggstats.com” via an HTTPS connection.

The potential damage from such an attack can be irreparable. A recent report shows that consumers are (quite rightly) more concerned about protecting their personal information than they were a year ago. More than eight out of 10 say they would stop engaging with a brand online following a data breach.

What can you do to defend your business from XSS attacks?

XSS attacks are not new – they have taken up permanent residence on the Open Web Application Security Project’s (OWASP) annual Top 10 Web Application Security Risks list. But that does not mean you cannot reduce your exposure to an XSS attack.

The problem, however, is exacerbated by the lack of visibility into what code is running on your website, particularly on the client side. As we’ve seen with the Magecart attacks, hackers are circumventing the PCI compliance rules that prohibit storing a customer’s three-digit credit card security code on a website’s servers: they focus their attacks on the client side of the website and capture those details as they are entered.

Therefore, it is important that you are aware of all code running on your website, including making sure that any third-party connections or plugins are up to date. You should perform security assessments of your web applications regularly and fix any vulnerabilities you find.
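The DOM-based flaw described earlier (untrusted data from the URL fragment reaching an HTML sink in the browser) beside the fix an assessment should produce, as an added JavaScript example that is not Ensighten’s or MarSec’s code; the element stand-in, function names and sample fragment are assumptions so that it runs in Node without a browser:

```javascript
// Added example, not code from the page: a DOM-based XSS sink beside its hardened forms.
// The page's point: the flaw lives in client-side code, so the server never sees the payload.
// Scenario: a page greets the user by a name taken from the URL fragment (location.hash).
// Node has no DOM, so a minimal element stand-in is used (assumption, not a real HTML parser).
function makeElement() {
  return { innerHTML: "", textContent: "" };
}

// Encode the five characters that let untrusted text break out of an HTML text node.
function escapeHtml(untrusted) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(untrusted).replace(/[&<>"']/g, (c) => map[c]);
}

// Strip the leading "#" and decode the fragment the way a browser hands it to script.
function nameFromHash(hash) {
  return decodeURIComponent(hash.replace(/^#/, ""));
}

// VULNERABLE pattern: the untrusted fragment flows straight into an HTML sink (innerHTML).
function renderGreetingUnsafe(el, hash) {
  el.innerHTML = "<h1>Welcome, " + nameFromHash(hash) + "</h1>"; // tags in the name become live HTML
  return el.innerHTML;
}

// HARDENED pattern 1: keep the markup static and assign untrusted data only via textContent.
function renderGreetingSafe(el, hash) {
  el.textContent = "Welcome, " + nameFromHash(hash); // treated as text, never parsed as HTML
  return el.textContent;
}

// HARDENED pattern 2: where HTML must be built as a string, encode the data before insertion.
function renderGreetingEncoded(el, hash) {
  el.innerHTML = "<h1>Welcome, " + escapeHtml(nameFromHash(hash)) + "</h1>";
  return el.innerHTML;
}

// Detection aid for a client-side audit: does the fragment carry markup an HTML sink would parse?
function fragmentLooksLikeMarkup(hash) {
  return /<\s*\/?\s*[a-z!]/i.test(nameFromHash(hash));
}

// Constructed sample input: a fragment carrying markup instead of a plain name. In a real browser
// the unsafe path would parse any element and its attributes, including event handlers, live.
const SAMPLE_HASH = "#%3Cb%3Einjected%3C%2Fb%3E";

console.log("unsafe :", renderGreetingUnsafe(makeElement(), SAMPLE_HASH));
console.log("safe   :", renderGreetingSafe(makeElement(), SAMPLE_HASH));
console.log("encoded:", renderGreetingEncoded(makeElement(), SAMPLE_HASH));
```

The same review applies to every client-side sink (innerHTML, document.write, jQuery .html() and similar): find the untrusted source, and either switch the sink to one that does not parse markup or encode the data for the context it lands in.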

You should also implement client-side protection, such as Ensighten’s MarSec™ platform, which provides:

  • Allow and block: Define which approved third-party vendors are allowed to access data and which are blocked from receiving specific types of data
  • Auditing of new scripts: Real-time view of all the technologies running on your website and full privacy risk assessment as web pages are loaded
  • Blocking injection-based attacks: Blocking of formjacking and payment card skimming by enabling control over the third-party JavaScript which is given permission to operate within the user’s browser
  • Reporting: Comprehensive reporting of site traffic and real-time user activity to identify suspicious patterns or network requests

Speak with Ensighten about MarSec™, and how you can ensure cross-site scripting defense to protect your customers’ data from cybercrime groups and leakage.