XSS Attacks: The Bane of The Browser

One of the most frequent vulnerabilities on the internet is the XSS attack, short for cross-site scripting. We want to help you understand what an XSS attack is, how hackers use it, and what you can do to prevent it and make sure you and your personal information stay safe.

Buying Rotten Apples

To understand what an XSS attack is, let's take a look at a super simple analogy: buying apples at the grocery store.

You go to the grocery store to buy apples. All the apples are sitting out in the open looking nice and edible. But, because they are sitting out in the open and no one is watching, a bad guy comes in and replaces some of the apples with wormy and rotten apples that look ripe but make you sick. You trust the apples, since these are grocery store approved apples, so you buy one and take it home. When you bite into it, it's rotten, full of worms and makes you ill. Once you are sick and passed out, the bad guy comes into your home and takes anything he wants from you, or maybe he just decides to destroy things in your house for fun.

Now imagine Paladin is a grocery store clerk who watches over all the apples. Every time you pick up one that looks good, he inspects it for worms and throws it out if he finds any.

That is the simplest analogy for an XSS attack. But in the real world, the grocery store is a website, the apples are the HTML and JavaScript on the site, the bad guy is a hacker and the rotten apples are malicious code that helps the hacker get access to your device and your data.

In an XSS attack, a hacker comes in through a vulnerability on a website or through the URL, and replaces some of the on-site content with malicious code or viruses. The worst part is, you can’t even tell because it’s actually on the website you meant to go to, not a phishing/fake site.
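
To make the URL case above concrete, here is an added example (not from the original article) of a page that echoes a search term from its URL, first without and then with HTML encoding. The site address, the `q` parameter and the page template are assumptions made up for the illustration.

```javascript
// Added illustration: how text taken from a URL ends up inside a page.
// The template, the "q" parameter and the sample URL are constructed.

// Characters that let text break out of an HTML text or attribute context.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable: the query value is pasted into the markup as-is, so any tags
// it contains become part of the page the browser runs.
function renderUnsafe(url) {
  const q = new URL(url).searchParams.get("q") ?? "";
  return `<p>Results for: ${q}</p>`;
}

// Hardened: the same value is encoded first, so the browser shows it as text.
function renderSafe(url) {
  const q = new URL(url).searchParams.get("q") ?? "";
  return `<p>Results for: ${escapeHtml(q)}</p>`;
}

// True when the rendered page contains a script element. The template
// above has none of its own, so any hit came from the URL.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed sample link carrying markup in the search term.
const sampleUrl =
  "https://shop.example/search?q=" +
  encodeURIComponent("<script>alert(1)</script>");

console.log("unsafe:", renderUnsafe(sampleUrl));
console.log("safe:  ", renderSafe(sampleUrl));
```

The unsafe version returns markup with a live script element, which is the "rotten apple" sitting on the real site; the safe version returns the same characters as harmless visible text.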

What’s the worst an XSS attack can do?

What a hacker can do once he is able to add malicious code or viruses to a web page probably isn't clear right away.

However, once you consider what web scripts have access to, it's easier to understand how creative attackers can get with malicious code.

  • If an attacker gets your session cookie, he can impersonate you online.
  • Malicious code can read and make arbitrary modifications to the browser’s configuration (within the page that script is running).
  • Malicious code can send HTTP requests with arbitrary content to arbitrary destinations.
  • A hacker can get access to your geolocation, webcam, microphone and even specific files from your file system.

On top of these things, XSS vulnerabilities allow hackers to lay the groundwork for more serious attacks that can leave you without much recovery. As with most hacks, it's not about what hackers can do immediately, but what it can allow them to do in the future.

How do I protect myself from an XSS attack?

Outside of using a browser protection feature similar to Paladin, there really is no easy way to protect yourself from XSS attacks. The feature that allows XSS attacks to occur can actually be used for legitimate purposes, so browsers generally choose not to block it. But instances of legitimate use are few and far between compared to the number of attacks it's used for, so your best bet is to block sites that have XSS vulnerabilities.

Here is a list of tools that you can use:

  1. Paladin Cyber Browser Protection: Chrome Store
  2. FooSpidy/XSSwa Unpacked Chrome Extension: GitHub
  3. NoScript for Firefox: noscript.net

An XSS attack can come from anywhere at any time. By using a browser protection tool and following other cyber security best practices, you can mitigate your risk of being attacked. As with any type of cyber protection measure, the first step is always awareness.