Cross-Site Scripting (XSS) Attack Explained in Detail

Cross-Site Scripting (XSS) Attack Explained in Detail

Description
Cross-Site Scripting (XSS) is a common security vulnerability in web applications, where attackers inject malicious scripts into trusted web pages. When a user visits the page, the script executes in the browser, allowing the theft of cookies, session tokens, or other malicious actions. The core of XSS lies in the web application's failure to adequately filter or escape user input, leading to malicious content being parsed as code by the browser. Based on the attack method, XSS is mainly divided into three categories: Reflected, Stored, and DOM-based.

Process

Understand the Basic Principles of XSS Attacks
- Normal web interaction: User input data → Server processing → Returns response (data displayed only as content).
- XSS attack flow: Attacker constructs malicious input (e.g., <script>alert('XSS')</script>) → Server returns it unfiltered → Browser parses input as executable script → Script runs in victim's browser.
- Example harms: Stealing user cookies, redirecting to phishing pages, keylogging, etc.
Distinguish the Characteristics of the Three Types of XSS Attacks
- Reflected XSS:
  - The malicious script is sent to the server as a request parameter and immediately embedded by the server into the returned page (e.g., search results display). Attacks often lure users via phishing links.
  - Example: User visits http://site.com/search?q=<script>stealCookie()</script>, the script triggers when the page directly displays the input content.
- Stored XSS:
  - The malicious script is permanently stored on the server (e.g., comment sections, databases), triggering for any user visiting the page containing that content. The harm is more persistent.
  - Example: Attacker posts a forum thread containing a malicious script; the script auto-executes when other users view the post.
- DOM-based XSS:
  - The attack does not involve the server; it is introduced when front-end JavaScript directly manipulates the DOM (e.g., document.write(location.hash)).
  - Example: User visits http://site.com#<img src=x onerror=alert(1)>, page JS writes the hash value into the DOM, triggering the attack.
Key Measures to Defend Against XSS
- Input Validation and Filtering:
  - Strictly validate user input (e.g., length, character type), rejecting illegal content (e.g., <script> tags).
  - Use allowlist mechanisms, permitting only safe HTML tags (e.g., rich-text editors need configured filtering rules).
- Output Escaping:
  - Escape special characters (e.g., <, >, &, ") before embedding data into HTML (e.g., < becomes <).
  - Different contexts require different escaping rules:
    - HTML content: Use functions like htmlspecialchars().
    - HTML attributes: Escape quotes and brackets.
    - JavaScript code: Avoid direct data embedding; use JSON.stringify instead.
- Content Security Policy (CSP):
  - Restrict script sources via the HTTP header Content-Security-Policy, e.g., allowing only same-origin scripts:
```
Content-Security-Policy: default-src 'self'
```
  - Effectively blocks inline scripts and loading of external malicious resources.
- Other Auxiliary Measures:
  - Set the HttpOnly attribute for cookies to prevent theft via document.cookie.
  - Use sandbox mechanisms for rich-text content (e.g., iframe sandbox).

Practical Example: Fixing a Simple XSS Vulnerability

Vulnerable code (PHP example):

echo "<div>Welcome, " . $_GET['username'] . "!</div>"; // Directly outputs unescaped user input

Fix:

echo "<div>Welcome, " . htmlspecialchars($_GET['username'], ENT_QUOTES, 'UTF-8') . "!</div>";
// After escaping, `<script>` will be displayed as text, not executed

Summary
The core of XSS defense lies in "distrusting user input," requiring a multi-layered approach combining input filtering, output escaping, and CSP. In development, use secure frameworks (e.g., React auto-escapes) and conduct regular security testing (e.g., penetration testing tools like ZAP) to reduce risks.