Get on-the-go access to the latest insights featured on our Trustworthy Computing blogs.
XSS attacks have become one of the most prevalent and dangerous security issue affecting web applications today. According to the Microsoft Security Intelligence Report Volume 13, there has been a significant increase in reported XSS cases over the past two years, to the point where XSS vulnerabilities have started to displace other types of reported vulnerabilities by percentage. An analysis of the vulnerabilities reported in the first half of 2012 revealed that 37% of all verified vulnerabilities involved XSS techniques that the Internet Explorer XSS Filter can mitigate.
XSS vulnerabilities occur whenever an application takes data that originated from a user and sends it to a web browser without first properly validating or encoding it. XSS attacks can be used to hijack user sessions, deface websites, conduct port scans on victims’ internal networks, conduct phishing attacks and/or take over users’ web browsers.
There are different types of XSS attacks. In a typical XSS attack, an attacker causes a malicious script to execute in a prospective victim’s browser when visiting a legitimate website. In a reflected attack, the attacker tricks the victim into submitting the malicious script to the vulnerable site (for example, by visiting a specially crafted URL with the script embedded in the query string). In a stored attack, the attacker uploads the malicious script to a vulnerable website in such a way that the script will be exposed to subsequent visitors and execute in their browsers. The figure to the right illustrates how a basic stored XSS attack can be used to steal cookie files from a victim’s computer.
Microsoft integrates anti-cross-site scripting measures into its products to help protect against these types of attacks. For example, recent versions of Internet Explorer have included a number of XSS mitigations, such as:
In addition to integrating XSS mitigations into Microsoft products, we also offer tools for developers. The Microsoft Anti-Cross-Site Scripting Library is an encoding library designed to help developers protect their ASP.NET web-based applications from Cross-Site Scripting attacks. It differs from most encoding libraries in that it uses the allow-listing technique, sometimes referred to as the principle of inclusions, to provide protection against XSS attacks. This approach works by first defining a valid or allowable set of characters, and encodes anything outside this set (invalid characters or potential attacks). The allow-listing approach provides several advantages over other encoding schemes.
It is also important that server side security features that also do validation are built into the server side application. Most modern websites have an API layer between web servers and database back ends. Using a Security Development Lifecycle process that includes things like architectural mitigations can also be very helpful in driving a more holistic approach to solving issues like XSS. Developments such as these, along with similar mitigations implemented by other browsers, can play a significant part in protecting users from XSS attacks.
The data in the Microsoft Security Intelligence Report Volume 13 suggests that XSS will likely remain a prominent threat in the immediate future. As long as it does, web browsers, along with infrastructure components like web application firewalls, will play a critically important role in defending against these types of attacks.
Tim RainsDirectorTrustworthy Computing
Read other parts of this series
Part 1: Microsoft’s Free Security Tools - Series IntroductionPart 2: Microsoft’s Free Security Tools - Attack Surface AnalyzerPart 3: Microsoft’s Free Security Tools - Enhanced Mitigation Experience ToolkitPart 4: Microsoft’s Free Security Tools – BinScope Binary AnalyzerPart 5: Microsoft’s Free Security Tools - Threat Modeling Part 6: Microsoft’s Free Security Tools – banned.hPart 7: Microsoft’s Free Security Tools – Windows Defender OfflinePart 8: Microsoft’s Free Security Tools – PortqryPart 9: Microsoft’s Free Security Tools – SummaryPart 10: Microsoft's Free Security Tools – Microsoft Baseline Security Analyzer Part 11: Microsoft’s Free Security Tools – Microsoft Safety ScannerPart 12: Microsoft's Free Security Tools - Anti-Cross-Site Scripting Library