Whalebone blog

What is cross-site scripting (XSS) and how to stop it using protective DNS

Written by Whalebone | 16.8.2024 8:49:54

Cross-site scripting (XSS) continues to be a prevalent and dangerous vulnerability in web applications, posing significant risks to enterprises. Basically it means that a hacker uses user input to inject malicious code into legitimate websites. 

 

For this, the malicious actors can use response forms, forums, URL parameters or other input fields. Despite advancements in web security, XSS remains a critical threat that can lead to data breaches, session hijacking, and severe reputational damage, since it uses otherwise legitimate websites as a vessel for their attack.

Moreover, cross-site scripting (XSS) can avoid firewalls and other traditional security measures, since it exploits vulnerabilities within the web application itself rather than relying on network-based attacks that firewalls are designed to block. “It is easy to steal cookies or personal information using cross-site scripting. At the same time, It is easy to block such attacks on the DNS level,” says Whalebone’s Product Manager Michal Havelka.

 

Recent Examples of XSS Vulnerabilities

WordPress Custom Fields Plugin: In May 2023, a critical XSS vulnerability was discovered in a popular WordPress plugin used to create custom fields. This flaw allowed attackers to perform reflected XSS attacks, injecting malicious scripts into the web pages using the plugin and pushing harmful code to website visitors. This vulnerability impacted over 2 million websites, demonstrating the extensive reach and potential damage of such exploits.

Wordpress plugins are hard to control but easy to be misused for cross-site scripting. Stopping the request at the very beginning by using DNS protection is an effective way how to stop cross-site scripting at any website,” Michal Havelka elaborates.

Open Source Web Applications: Multiple XSS vulnerabilities were found in widely used open-source applications such as Evolution CMS, FUDForum, and GitBucket. These vulnerabilities could lead to complete system compromise by enabling attackers to execute JavaScript commands in victims’ browsers, leading them to fake websites, stealing cookies, etc. The flaws included both reflected and stored XSS, illustrating the broad scope of potential exploitation​.

 

Deeper dive into what is XSS and what are its types

Cross-site scripting (XSS) is a type of security vulnerability typically found in web applications. It allows attackers to inject malicious scripts into web pages viewed by other users. These scripts can then be executed in the context of the user's browser, potentially leading to a variety of harmful outcomes.

Types of XSS:
  • Stored XSS: The malicious script is permanently stored on the target server (e.g., in a database or forum post). When other users request the stored information, the script is delivered to their browser and executed.
  • Reflected XSS: The script is reflected off a web server, typically via a search result or error message. The user is tricked into clicking a link or submitting a form that sends the malicious script to the server, which reflects it back to the user's browser.
  • DOM-based XSS (type-0 XSS): The vulnerability is within the client-side code rather than the server. The malicious script manipulates the Document Object Model (DOM) of the web page to execute without requiring a server response.

 

How Protective DNS Helps Combat XSS

Protective DNS (PDNS) services, such as Whalebone Immunity, play a crucial role in mitigating XSS attacks. “Any website can download and inject javascript code from a malicious domain. Whalebone detects such domains and block the threat by simply not resolving them,” Whalebone’s Product Manager Michal Havelka continues. 

Here’s how PDNS mitigates the XSS attacks:

  • Blocking Malicious Domains: PDNS services maintain threat intelligence databases of known malicious domains. When a user attempts to access a URL or script hosted on a malicious domain, the PDNS service intercepts the DNS query and blocks the resolution, preventing the malicious content from being executed in the user's browser​.

  • Preventing Phishing and Command and Control Communication: Many XSS attacks involve phishing attempts to lure users into visiting compromised sites. PDNS can prevent access to these sites by blocking domains known for hosting phishing content.

  • Neutralizing the threat on the end-user side: If the attack results in deploying a payload to the targeted device, PDNS severs the connection between the payload and the attacker or C2 server, rendering it unable to spread in the network, steal or lock data, or cause other damage.

  • Real-time Threat Intelligence: PDNS leverages real-time threat intelligence feeds to continuously update its databases with the latest information on malicious domains and IP addresses. This ensures that protective measures are up-to-date and can block newly identified threats associated with XSS attacks​​.

  • Enhancing Threat Detection and Response: PDNS provides detailed logs and insights into DNS queries, helping security teams detect suspicious activities related to XSS attacks. By analyzing DNS query patterns, security analysts can identify attempts to exploit XSS vulnerabilities and take proactive measures to mitigate the threat​​.

 

Why Whalebone Immunity Stands Out as a solution to XSS

Whalebone Immunity provides protection against not only XSS, but a wide range of threats which elude the standard security measures. Apart from the standard security, it brings further advantages:

  • Comprehensive and local threat intelligence: Whalebone Immunity integrates unique threat intelligence sources from its telco and ISP customers and cooperation with governmental cybersecurity bodies, ensuring more comprehensive coverage of malicious domains and IPs.

  • User-centric security: Immunity requires no installation on the end devices, close to no maintenance, and has no negative impact on network speed and stability. Moreover, it can be set-up network-wide in under 2 hours. 

  • Layered security: With features like Identity protection, IoT security, home office protection, homographic attack alerting, identifying DNS tunnels and more, Whalebone Immunity takes care of multiple attack vectors which the traditional security measures leave uncovered.

 

TL;DR Summary

Cross-site scripting is a significant threat to web application security, capable of causing extensive damage through using user input (such as form responses) to inject malicious code to legitimate sites, which are then used to conduct an attack on their users. 

Integrating protective DNS into your security strategy is an effective way to mitigate these risks. By blocking malicious domains, preventing phishing through leveraging real-time threat intelligence, and enhancing threat detection and neutralization in case it reaches devices in your network, Whalebone Immunity provides a robust defense against XSS attacks.

Make sure that you have covered this important vector to make your network as secure as possible. Find out more about Whalebone Immunity here or contact us to see Immunity in action.