What is a Cross-Site Scripting attack?

A cross-site scripting attack (also known as XSS) confounds many of the most sophisticated security defences we have to date. A general internet user can be caught out by how inconspicuous it is: by simply clicking on an email link, or any link on a website for that matter, your data could be in serious jeopardy.

Will this really affect me?

According to Guy Podjarny, CEO of the open source security firm Snyk.io, occurrences of XSS attacks grew by nearly 40% in Q1 of 2017 and shockingly “XSS prevalence is consistently high—since 2012 around 50% of all website vulnerabilities are XSS”.

This means that XSS is a big deal for every type of user and therefore understanding how it works and the measures that one can take to avoid it is crucial.

How does XSS work?

Simply put, XSS uses your browser to get at your data by exploiting websites that have not properly checked that the input they receive is not malicious (this checking is formally known as input sanitisation). A concrete example of this can be seen in the following URL:

http://example-site.co.uk/?parameter=userInput

The segment of the URL ‘userInput’ is where an attacker can place a malicious script, such as: http://example-site.co.uk/?parameter=stealThisUsersDetails

Once a user clicks on such a URL, the sensitive data about the user that is held in their browser can then be forwarded on to the attacker’s computer, leading to the theft of passwords and other such sensitive data.
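The example below is added here and is not code from the original article: it shows a page that echoes the ‘parameter’ value back to the visitor, first without sanitisation and then with the value encoded before output. The page template and the function names are assumptions for illustration, and stealThisUsersDetails() is a placeholder that is never defined.

```javascript
// Escape the five characters that let text break out of HTML content
// or a quoted attribute value.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Read ?parameter=... from a URL the way a server-side handler would.
function readParameter(url) {
  return new URL(url).searchParams.get('parameter') ?? '';
}

// Vulnerable: the value is pasted into the page as-is, so any tags in it
// are parsed by the browser as part of the site's own page.
function renderUnsafe(url) {
  return `<p>You searched for: ${readParameter(url)}</p>`;
}

// Hardened: the value is encoded for the HTML context before output,
// so the browser displays it as plain text.
function renderSafe(url) {
  return `<p>You searched for: ${escapeHtml(readParameter(url))}</p>`;
}

// Check a test or scanner can use: did a script tag survive into the output?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed sample links (not taken from any real site).
const benignUrl = 'http://example-site.co.uk/?parameter=userInput';
const craftedUrl = 'http://example-site.co.uk/?parameter=' +
  encodeURIComponent('<script>stealThisUsersDetails()</script>');

console.log(renderUnsafe(benignUrl));  // ordinary input looks the same either way
console.log(renderUnsafe(craftedUrl)); // script tag reaches the page intact
console.log(renderSafe(craftedUrl));   // same input, shown as harmless text
```

Both versions look identical for ordinary input, which is why the missing sanitisation tends to go unnoticed until a crafted link is used.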

How can I avoid this?

One simple way to avoid this is to thoroughly check the URLs that you click on, whether browsing the web or reading emails. Given a URL such as http://googl-3.com, a user should be cautious, as it is very likely that an attacker is trying to trick the user into believing they are navigating to Google.

In relation to emails, the same principle can be applied to the sender’s email address. For example, email addresses such as account123435@applezi.com are very likely not to be from your official account with Apple!

Does this mean I am safe now?

No, but it means that you are less susceptible to being a victim of an XSS attack. Being aware of the simple principles discussed earlier is a fantastic first step in both raising awareness of this attack and subsequently dispelling the misconception that a firewall and antivirus can prevent such attacks (they help but cannot guarantee safety).

I would like to learn more about this

Despite the simple yet effective measures one can take to reduce the likelihood of an XSS attack, it is still quite a technical subject. With this in mind, the technically inclined can access a whole host of resources on OWASP (Open Web Application Security Project), which breaks the subject down in further detail [2].

Meanwhile: be careful of what you click!
