Imagine sharing confidential information with a trusted source, perhaps a best friend or a family member, and then having them turn around and pass it on to the worst people imaginable. This, at a very high level, is a metaphor for what is known as a cross-site scripting (XSS) attack.
XSS attacks have been part of the computing landscape for decades, but they have become more frequent and more damaging as websites have grown more complex, as our reliance on connected infrastructure has raised the cost of a successful attack, and because XSS can circumvent traditional safeguards such as standard-issue firewalls and antivirus (AV) software.
The prevalence of such attacks is a constant reminder of why organizations must avail themselves of the latest protective measures, such as a dedicated web application firewall (WAF).
Increasingly common attacks
XSS attacks are some of the most common cyber attacks seen on the internet. They have affected websites operated by some of the biggest tech companies, showing that this is not only a problem for the proverbial "little guys" when it comes to cyber security. Broadly speaking, there are three main types of XSS attack:
Stored XSS: In these attacks, malicious script is saved as a permanent part of a web application's database, for instance as a web forum post or a comment field.
Reflected XSS: In these attacks, the malicious script is supplied in an HTTP request and reflected back to the user by the web server, so it executes as part of the response to that request.
DOM-based XSS: In these attacks, the vulnerability is in the client-side code rather than the server-side code. They occur when an application's client-side code processes data from an untrusted source in an unsafe way.
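As an added example, not code from the original post, the following Node.js snippet contrasts the vulnerable pattern behind stored and reflected XSS (untrusted data concatenated straight into HTML) with the hardened form (escaping for the HTML context), and then shows the same choice for a DOM-based sink. The comment records, the renderer functions and the `escapeHtml` helper are all constructed for this illustration and do not come from the page.

```javascript
// Added example, not from the original post. Shows the root cause of stored and
// reflected XSS (untrusted data concatenated into HTML) next to the fix (escaping
// for the HTML text context), then the same choice for a DOM-based sink.
// Runs under Node.js; no browser is needed because the "page" is just a string.

// Escape the characters that can change meaning in HTML text or attribute values.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
};

function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Constructed sample data standing in for comments stored in a database.
// The second body contains markup; a browser parses it if it reaches the page raw.
const constructedComments = [
  { author: 'alice', body: 'Great article, thanks!' },
  { author: 'mallory', body: '<img src=x onerror="alert(1)">' },
];

// Vulnerable renderer: the stored/reflected XSS pattern, user data pasted straight into HTML.
function renderCommentsUnsafe(comments) {
  return comments
    .map((c) => `<li><b>${c.author}</b>: ${c.body}</li>`)
    .join('\n');
}

// Hardened renderer: every untrusted value is escaped for the context it lands in.
function renderCommentsSafe(comments) {
  return comments
    .map((c) => `<li><b>${escapeHtml(c.author)}</b>: ${escapeHtml(c.body)}</li>`)
    .join('\n');
}

// Helper for checking a rendered page: does it still contain a raw (unescaped) active tag?
function containsRawTag(html) {
  return /<\s*(script|img|svg|iframe)\b/i.test(html);
}

// DOM-based XSS pattern: client-side code reads the URL fragment and writes it into
// the page. `location.hash` is passed in as a plain string so this runs outside a browser.
// In a real page the unsafe version is `el.innerHTML = name` and the safe version is
// `el.textContent = name`; the strings returned here are what the browser would parse.
function renderGreetingUnsafe(hashFragment) {
  const name = decodeURIComponent(hashFragment.replace(/^#/, ''));
  return `Hello, ${name}`;             // markup in `name` is parsed as HTML
}

function renderGreetingSafe(hashFragment) {
  const name = decodeURIComponent(hashFragment.replace(/^#/, ''));
  return `Hello, ${escapeHtml(name)}`; // markup in `name` is shown as literal text
}
```

Calling `renderCommentsSafe(constructedComments)` renders the second comment as literal text (`&lt;img ...&gt;`) instead of an image tag, while `renderCommentsUnsafe` hands the browser a live element. The design point is that the escaping is applied at the output sink, for the specific context (HTML text here), rather than by trying to strip "bad" input on the way in.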
The WooCommerce Bug
Due to their frequency, there is unfortunately no shortage of examples of XSS in action. In some cases the vulnerabilities that would allow XSS are never used in actual attacks, but their existence nonetheless opens up the possibility. One recent example of a vulnerability that could have affected large numbers of users was the WooCommerce Bug, an XSS vulnerability in the Variation Swatches for WooCommerce plugin, which is installed on approximately 80,000 WordPress-powered e-retail websites.
Protecting against attacks
Protecting against XSS attacks is an essential step for any organization. One of the most straightforward ways that businesses can protect themselves is to keep the code that runs their website up to date: plugins and similar components are patched promptly, and regular security assessments are carried out.
This is not always feasible, though. The best, most scalable approach that businesses or other organizations can take to protect against XSS attacks is to use a web application firewall (WAF). Such WAFs use signature-based filtering to recognize and block malicious requests, and so counter XSS attacks. By inspecting web traffic, they help prevent attacks that exploit known vulnerabilities in a web application, whether cross-site scripting, file inclusion, SQL injection, or others.
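To make the signature-based filtering described above concrete, here is an added toy filter, not the original post's code and not any vendor's WAF rule set, run over constructed sample requests. The signature list, the `normalise` and `inspectRequest` functions and the request records are all assumptions made for this illustration. The last request shows the other side of the approach: a harmless parameter name that happens to match a signature, which is the false-positive tuning work any signature-based WAF carries.

```javascript
// Added example, not the original post's code and not any vendor's WAF rule set:
// a toy signature-based request filter of the kind the text describes, run over
// constructed sample requests. Runs under Node.js.

// Illustrative signatures only. Production rule sets are much larger and are tuned
// continuously against both misses and false positives.
const XSS_SIGNATURES = [
  { id: 'xss-001', name: 'script tag',              re: /<\s*script\b/i },
  { id: 'xss-002', name: 'event handler attribute', re: /\bon[a-z]+\s*=/i },
  { id: 'xss-003', name: 'javascript: URL scheme',  re: /javascript\s*:/i },
  { id: 'xss-004', name: 'img/svg/iframe tag',      re: /<\s*(img|svg|iframe)\b/i },
];

// Normalise before matching: percent-decode and treat '+' as a space, so the
// signature sees the same text the application will see after it decodes the request.
function normalise(value) {
  try {
    return decodeURIComponent(String(value).replace(/\+/g, ' '));
  } catch (e) {
    return String(value); // malformed escapes: match on the raw text instead
  }
}

// Inspect path, query string and body; return the ids of every signature that fires.
function inspectRequest(req) {
  const fields = [req.path, req.query || '', req.body || ''].map(normalise);
  const hits = XSS_SIGNATURES
    .filter((sig) => fields.some((f) => sig.re.test(f)))
    .map((sig) => sig.id);
  return { blocked: hits.length > 0, hits };
}

// Constructed sample requests (not captured traffic).
const constructedRequests = [
  { path: '/search',   query: 'q=winter+boots', body: '' },
  { path: '/comment',  query: '', body: 'text=%3Cscript%3Ealert(1)%3C%2Fscript%3E' },
  { path: '/profile',  query: 'site=javascript%3Aalert(1)', body: '' },
  // A harmless parameter name that happens to look like an event-handler attribute:
  // this is the false-positive cost that comes with signature matching.
  { path: '/settings', query: 'onboarding=true', body: '' },
];

// Run the filter over a batch and return one verdict per request.
function summarise(requests) {
  return requests.map((r) => ({ path: r.path, ...inspectRequest(r) }));
}
```

Running `summarise(constructedRequests)` passes the first request, blocks the second and third on the script-tag and `javascript:` signatures, and blocks the fourth as well even though it is benign. Two practical consequences follow: the decoding step in `normalise` is what lets a signature match an encoded request at all, and a rule set needs tuning against real traffic before it is set to block rather than log. The filter complements, rather than replaces, output escaping in the application itself.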