
Secure the Front Door (of your website)

a gentle introduction to cross-site scripting that I didn't have to write, myself

One of the most common questions I’m getting, as I endeavor to persuade states, counties, cities, campaigns, NGOs, media, and political parties to secure their website against XSS (cross-site scripting) attacks is this:

“What is a cross-site scripting attack, and what can it do?”

This is a sincere and honest question, one that needs to be answered in a way that non-technical managers and responsible officials can understand. This article is one way to attempt to answer this question.

I’ve reviewed a number of articles about this topic and selected three, presented here in increasing order of complexity, maybe. (I don’t love the second one, the OWASP article, for this purpose, but for now it will do. If you’ve never edited an HTML document, maybe read the first and last, and skip the OWASP article.)

One of these days I probably ought to write one of these types of articles about the problem of cross-site scripting attacks — you know, the kind of article that tries to explain what this type of attack is, and why it matters, an article that could be a solid introduction for curious citizens, County Commissioners, web administrators, IT Directors, and web programmers.

It’s not easy to do, and many have tried. Since I have some idea about how difficult this is to do well, and because I don’t really want to do it right now, I’ve scoured the web looking for some of the least-worst explanations of cross-site scripting (XSS) attacks.

Rather than a simple list, I’ve included some commentary on each, in order to provide some context and mention a few issues that are of importance to understanding why we need to secure election-related websites by correctly configuring HTTP Security Response Headers.

It’s my hope that this will be helpful enough, for decision makers seeking a better understanding.


eSecurity Planet — What Is Cross-Site Scripting (XSS)?

What Is Cross-Site Scripting (XSS)? Types, Risks & Prevention

This article isn’t the worst place to start. Even though it leaves out a couple things that probably should be included, the article is addressed at a nice level of abstraction to an audience seeking a brief introduction.

One thing it leaves out is a clear explanation that cross-site scripting is a category, what we call a “class” of attacks with many different variations. What every XSS attack has in common is that attacker-supplied script ends up running in the web browser of a visitor to the site, with the site’s own origin and the visitor’s session behind it; the web server is the delivery vehicle for that script (either echoing the payload straight back, or storing it and serving it to later visitors), not the target. This article does mention reflected attacks and explains them reasonably well for an introduction, but it doesn’t mention that HTTP Security Response Headers, configured on the web server, can help prevent these and other types of XSS attacks by stopping the injected script from executing at all.

As an aside, the “eSecurity Planet” website appears to have been created for the purpose of ranking highly in the Google search results and running ads.

If all the content they create for the site is of similar quality, then this site would be one of those rare examples where this type of SEO-optimized information arbitrage might not always be mere noise pollution (as Google has always claimed, until they started trying to harvest all the clicks themselves via AI-generated summaries).

So, if you want a nice, accessible introduction to the subject of cross-site scripting, this article, SEO spam or not, isn’t a bad place to start!

OWASP — Types of XSS

Types of XSS (Cross-Site Scripting)

This article from OWASP® Foundation describes cross-site scripting attacks in a little more detail and categorizes some types. Note that many discussions of XSS attacks never really quite get around to the specifics — because the details can be pretty complicated!

There are so many details and variations of XSS attacks that a single book might not be enough to cover the topic. It’s possible that a five volume encyclopedia might do the job. 📚

HTTP Security Response Headers, and especially a well-crafted CSP (Content Security Policy), are able to protect your website, data, and visitors to your site from many XSS attacks. They are a layer on top of fixing the injection itself rather than a substitute for it, but a layer that is cheap to deploy and that covers code you did not write. This OWASP article will give a glimpse into why it’s difficult to protect against these attacks in other ways.

The OWASP article assumes more knowledge about the internal architecture of web servers and web browsers than most managers will be familiar with, though, and as a consequence it’s not as accessible for a non-technical audience.

For example, the article frequently mentions DOM without even expanding the acronym anywhere on the page. You don’t need to be a programmer to get a better sense of what it is, though. For an overview, see this description of the DOM (Document Object Model) by the Mozilla foundation.

Basically, though, the DOM is the browser’s in-memory model of a web page: a tree of objects built by parsing the page’s HTML (HyperText Markup Language, a markup language that describes the structure and content of a document, not a programming language), which scripts running in the page can read and modify. DOM-based XSS, the type the OWASP article spends the most time on, is what happens when a script already on the page takes attacker-controlled data (from the URL, for instance) and writes it into the DOM in a way that causes the browser to execute it.

Wikipedia — Cross-site scripting

Cross-site scripting (Wikipedia)

Unsurprisingly perhaps, one of the better explanations of cross-site scripting (XSS) attacks on the web today is the Wikipedia article.

Few articles on the web seem to mention the role of cross-site scripting in the current era, though, where complex, multi-stage attacks are waged by what are known as advanced persistent threats. An XSS attack might be one small part of a campaign that goes on for years, or which includes many different types of attacks, or both.

This article also has a few editorial opinions which are, on the most charitable interpretation, out of date and therefore wrong. In more than one place it emphasizes that persistent XSS attacks are “more devastating” than reflected XSS attacks.

Given the nature of modern attacks described above, where an XSS bug is often one component in a larger operation, it’s really not clear that this is true. If the attacker is using your website as a stepping stone to attack the web browser of a particular person, or of a class of people with a particular interest, then your website, by permitting a reflected XSS attack, might be a cog in a machine whose results are, not to put too fine a point on it, rather more dramatic than anything we typically see in articles about XSS: dissidents being identified, arrested, or killed; secrets stolen from State Department employees; or worse.

The section of the article about preventative measures is quite good, but amusingly it focuses mostly on the difficult, error-prone, and costly methods by which complex software systems can be modified to protect against cross-site scripting attacks. These types of suggestions are of academic interest only to most website operators, who typically aren’t involved with the creation and maintenance of the large libraries of JavaScript and other source code that would need to be improved in such ways.

The article amusingly fails to mention HTTP Security Headers as an effective, low-cost layer of protection against cross-site scripting attacks, one that applies even when vulnerable libraries and software are in use on the website: a well-configured Content Security Policy can stop an injected script from executing at all, even though it does not remove the underlying injection bug.

I’ll consider making a few updates to this Wikipedia article to address these deficiencies, but I’ll need to think carefully about that. Articles like this can easily get too long, making the article ultimately less useful for its intended purpose of being an introduction or overview of a subject, not a comprehensive book unto itself.

In any case, the Wikipedia article on cross-site scripting as it stands today is already one of the better introductions to the topic on the Internet.

If you read the three articles discussed here, you’ll have a pretty good start on understanding this topic. Just keep in mind that the subject is bigger and more complex than any introduction can convey.

I suspect this won’t be my final attempt to answer this question.
