Why can JavaScript become a Cyberattack weapon?
An Introduction to XSS Attacks
The motivations behind a cyberattack can be many, and the attacker's goal may vary depending on the circumstances.
For example, an attacker might attempt to gain unauthorized access to a system to make financial profit and steal sensitive information such as financial data or trade secrets.
In other cases, the goal could be to damage a competitor’s reputation or to target the users of a specific website.
An XSS attack specifically affects the visitors of a website, since it is a technique that allows a malicious actor to insert harmful JavaScript code into a web page. This code is then executed directly on the victim’s computer when they view the page.
The consequences can be severe, because such a vulnerability could allow the hacker to steal sensitive and confidential data, perform unauthorized actions on behalf of the victim, or even download malware onto their computer.
There are three main categories of XSS attacks, which describe the different ways in which the hacker can execute code on the victim’s computer:
Reflected
A reflected XSS attack occurs when the command the hacker wants the victim’s browser to execute is inserted into the webpage through the URL used to access the site. For example:
http://www.example.com/blog/index.php?page=<script>alert("vulnerable")</script>
Here, the “page” parameter of the domain “example.com” is affected by a cross-site scripting vulnerability. Depending on the JavaScript code used, the attacker could, for instance, make a pop-up window appear with the message “vulnerable” as soon as the victim visits the site.
In this educational example, we’ve shown a harmless pop-up, but in a real scenario, the payload (i.e., the code to be executed) chosen by the attacker would likely be much more dangerous.
To complete the attack, the hacker only needs to trick the victim into clicking on the malicious link, for example by sending it via email.
Stored
A stored XSS attack occurs when the attacker manages to insert their malicious payload into data that is saved by the website and later displayed in its pages.
For example, imagine a comments section: the attacker could store malicious JavaScript code inside a comment, and that code would then be executed by every user who reads it.
DOM-based
A DOM-based XSS attack exploits the manipulation of the Document Object Model (DOM), which allows the dynamic modification of the HTML content of a webpage. This is a legitimate feature often used to improve user experience — for example, to display personalized welcome messages.
Suppose we have a web portal that shows a custom message to the user based on the parameters present in the site’s URL.
In this case, the parameter to be displayed is taken from the part of the URL after the # (hash). If the URL were:
http://www.example.com/#User1
then the message displayed would be:
“Welcome, User1”
But what would happen if a malicious user replaced their name with JavaScript code such as:
http://www.example.com/#<script>alert("vulnerable")</script>
If the site were vulnerable, the malicious script would be executed automatically on their computer!
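The reflected "page" parameter and the welcome message built from the URL hash share one root cause: text taken from the URL is placed into the page's markup unchanged. The following is an added example, not code from the original article, that renders both sample URLs from the text with and without output encoding; all function names and the "Page: " label are hypothetical.

```javascript
// Added example, not code from the article. Function names are hypothetical.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode the characters that let text break out of an HTML text node
// or a quoted attribute value.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// DOM-based source: the text after '#', as in the welcome-message page.
function fromHash(url) {
  const raw = new URL(url).hash.slice(1);
  try {
    return decodeURIComponent(raw);
  } catch (err) {
    return raw; // malformed percent-encoding: keep the raw text, it is still encoded on output
  }
}

// Reflected source: a query parameter such as "page".
function fromQuery(url, name) {
  return new URL(url).searchParams.get(name) ?? '';
}

// Vulnerable: URL-controlled text is concatenated into markup unchanged.
function renderVulnerable(label, value) {
  return `<p>${label}${value}</p>`;
}

// Hardened: the same markup, with the value encoded before it is inserted.
function renderSafe(label, value) {
  return `<p>${label}${escapeHtml(value)}</p>`;
}

// Constructed sample inputs: the two example URLs from the text.
const hashUrl = 'http://www.example.com/#<script>alert("vulnerable")</script>';
const pageUrl = 'http://www.example.com/blog/index.php?page=<script>alert("vulnerable")</script>';

console.log(renderVulnerable('Welcome, ', fromHash(hashUrl))); // script tag survives
console.log(renderSafe('Welcome, ', fromHash(hashUrl)));       // shown as inert text
console.log(renderSafe('Page: ', fromQuery(pageUrl, 'page')));
```

In a browser, assigning the value to an element's textContent instead of building an HTML string gives the same result without a hand-written encoder. The same encoding step applies to stored data, such as comments, at the moment it is written into a page.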
So, why can JavaScript become a Cyberattack weapon?
Because an XSS attack allows a hacker to run arbitrary code inside the victim’s browser when they visit a vulnerable site. This gives the attacker the ability to steal sensitive data or perform actions on the victim’s behalf, such as accessing password-protected areas without knowing the password, or even capturing the keystrokes typed on the keyboard.