Cross-site scripting: An attack via one’s own browser

Sooner or later, the majority of websites will be hacked (if they were not hacked already).

How could this happen?

Via Cross-Site Scripting (XSS), to give an example.

The term covers a variety of attack methods across web applications, and the focus here is website security ─ meaning that every company or individual who operates a website is affected.

XSS means that malicious code on a website is utilized through a user’s web browser.

This malicious code is typically programmed in Javascript or another script language that can be implemented (interpreted) via a browser. These script languages include Active X, Flash, and dynamic HTML.

A typical example would be a discussion forum, blog, or online shop with an evaluation function. The hacker writes malicious code in a comment field, which is then implemented via browsers of other users, as soon as they click on the hacker’s comment. Other possibilities are search fields or forms in which hackers can “inject” a program code in the place of normal input.

As users, we look at websites that we trust and we may also enter our data there (such as passwords, credit card numbers or information on cookies). If these websites were altered, however, without the operator consenting or even perceiving these changes, our data wanders off, or the site automatically redirects us to other content.

XSS was first used approximately 20 years ago (probably by Microsoft developer).

In the meantime, a variety of security measures now exist that successfully prevent XSS in most cases. These include:

  • Validation and filtration methods for potential user input (to be taken into consideration in website programming, with a white-list approach being ideal)
  • Modern browsers that no longer interpret script code automatically, but usually display it with special characters (“encoding”)
  • Warnings against execution or restricted execution of script code in the browser (security headers, content security policies).

Despite these measures, XSS is still among the most common attacks.

Even today, cross-site scripting is one of the top ten greatest risks in web applications (OWASP Top Ten Web Application Security Risks | OWASP).

And indeed, every day we encounter companies on the Internet that still haven’t switched to https, meaning they lack even the basics for secure communication over the web.

Word Press plug-ins are also often used. According to estimates, Word Press is used by about 40 percent of all websites (WordPress Marktanteile Statistiken (2011- 2021) ─  Kinsta) ─  and most WordPress sites do not use plug-ins or, if they do, they use only secure plug-ins.

Are OT and IoT security issues for your company? As an independent entity with a portfolio of proven security providers, CyberCompare can provide you with comparative offers at no charge and with no obligation. Reach out to us or use our diagnostic to learn more about your cyber risk profile.

Please remember: this article is based our knowledge at the time it was written – but we learn more every day. Do you think important points are missing or do you see the topic from a different perspective? We would be happy to discuss current developments in greater detail with you and your company’s other experts and welcome your feedback and thoughts.

And one more thing: the fact that an article mentions (or does not mention) a provider does not represent a recommendation from CyberCompare. Recommendations always depend on the customer’s individual situation.