Sandeep Singh
2024-01-15 12:50:51
www.hackerone.com
According to HackerOne’s 7th Annual Hacker Powered Security Report, XSS is the number one most common vulnerability for bug bounty and number two for pentesting. Combining the three most common types of XSS, it makes up 18% of all vulnerability types discovered on the HackerOne platform.
Despite its ubiquity as a low-hanging fruit, XSS can have significant impacts on an organization, including the release of confidential user information, the supplying of misinformation to misdirect user behavior, and negative reputational damage.
Let’s look more closely at XSS — what it is, how it’s used, and how to remediate it.
What Is Cross-Site Scripting (XSS)?
Cross-site scripting (XSS) is a web security vulnerability that allows an attacker to inject malicious client-side scripts into web pages viewed by other users. An attacker can bypass access controls and impersonate users. An XSS vulnerability allows an attacker to steal session cookies, log keystrokes, extract confidential data displayed on the vulnerable site, and perform other malicious actions on end-user systems.
There are three main types: reflected, stored, and DOM-based XSS. The key differences between these three types of XSS are:
- Reflected XSS happens when unsanitized user-supplied input is relayed back from the server but doesn’t get stored on the server
- Stored XSS occurs when user-provided data is stored on server-side without sanitization and retrieved unsafely
- DOM-based XSS occurs when malicious user input gets processed solely on the browser before returning back to the user, without reaching the server
Common root causes for XSS attacks include:
- Unvalidated user input that is displayed back to users
- Improper encoding of output
- Outdated browsers and plugins that fail to filter malicious scripts
Preventative controls can vary based on the exact use case, but here are some good places to start:
- Input validation and output encoding
- XSS protection software frameworks and libraries
- Content Security Policy headers
- Patching vulnerable web applications
- User education against phishing.
What Industries Are Impacted By Cross-site Scripting?
XSS does not discriminate by industry. However, it is more prominent in some industries than others. The chart below illustrates the top vulnerabilities across the HackerOne platform by industry. Reflected XSS only makes up 4% of vulnerabilities identified in the Cryptocurrency and Blockchain space, yet it makes up a massive 19% in the Automotive industry. Crypto and blockchain organizations are newer, meaning they don’t use susceptible legacy software, and are technical at their core. Automotive organizations, on the other hand, aren’t primarily tech-focused, so they see more low-hanging fruit vulnerabilities that have yet to be identified and remediated by their internal security teams.
Take a look at how much of your vulnerabilities are XSS in comparison to the average for your industry.
A Real-world Example of a Cross-site Scripting Vulnerability
HackerOne’s Hacktivity resource showcases disclosed vulnerabilities on the HackerOne Platform. Check it out to see how specific weaknesses have been identified and fixed. The following cross-site scripting example demonstrates how a hacker discovered a vulnerability in yelp.com that could allow persistent cross-site scripting and account takeover.
Customer: Yelp
Vulnerability: Reflected XSS
Severity: High
Summary
A member of HackerOne’s community discovered a vulnerability in yelp.com that could allow persistent cross-site scripting and account takeover. Reflected XSS was possible by manipulating an unescaped cookie value. This could be combined with a cookie parsing issue to set a persistent cross-site scripting payload.
Impact
The hacker, @lil_endian, demonstrated the possibility of complete compromise of business accounts and account takeovers of normal accounts on yelp.com. They simulated stealing login credentials on the biz.yelp.com login page using a keylogger and linking an external account to take over a victim’s profile. The vulnerabilities impacted account security and could enable unauthorized access to user data, putting Yelp and its user’s data at a high risk of exploitation.
Remediation
To remediate, the code should validate and sanitize any user input before using it. Along with the Yelp team resolving the code, the hacker also recommended removing the ability to set the cookie via a query parameter also mitigates this attack vector.
Reward
The hacker received a $6,000 bounty and gratitude from the Yelp team for helping them avoid an incident.
“Thanks for helping keep our users safe! We hope you keep banging away on the Yelps, we’d love to see what else you find.”
Secure Your Organization From Cross-site Scripting With HackerOne
This is only one example of the pervasiveness and impact severity of an XSS vulnerability. HackerOne and our community of ethical hackers are the best equipped to help organizations identify and remediate XSS and other vulnerabilities, whether through bug bounty, Pentest as a Service (PTaaS), Code Security Audit, or other solutions by considering the attacker’s mindset on discovering a vulnerability.
Download the 7th Annual Hacker Powered Security Report to learn more about the impact of the top 10 HackerOne vulnerabilities, or contact HackerOne to get started taking on XSS at your organization.
Support Techcratic
If you find value in our blend of original insights (Techcratic articles and Techs Got To Eat), up-to-date daily curated articles, and the extensive technical work required to keep everything running smoothly, consider supporting Techcratic with Bitcoin. Your support helps me, as a solo operator, continue delivering high-quality content while managing all the technical aspects, from server maintenance to future updates and improvements. I am committed to continually enhancing the site and staying at the forefront of trends to provide the best possible experience. Your generosity and commitment are deeply appreciated. Thank you!
Bitcoin Address:
bc1qlszw7elx2qahjwvaryh0tkgg8y68enw30gpvge
Please verify this address before sending any funds to ensure your donation is directed correctly.
Bitcoin QR Code
Your contribution is vital in supporting my efforts to deliver valuable content and manage the technical aspects of the site. To donate, simply scan the QR code below. Your generosity allows me to keep providing insightful articles and maintaining the server infrastructure that supports them.
Privacy and Security Disclaimer
- No Personal Information Collected: We do not collect any personal information or transaction details when you make a donation via Bitcoin. The Bitcoin address provided is used solely for receiving donations.
- Data Privacy: We do not store or process any personal data related to your Bitcoin transactions. All transactions are processed directly through the Bitcoin network, ensuring your privacy.
- Security Measures: We utilize industry-standard security practices to protect our Bitcoin address and ensure that your donations are received securely. However, we encourage you to exercise caution and verify the address before sending funds.
- Contact Us: If you have any concerns or questions about our donation process, please contact us via the Techcratic Contact form. We are here to assist you.
Disclaimer: As an Amazon Associate, Techcratic may earn from qualifying purchases.