{"id":8769,"date":"2021-04-23T10:20:00","date_gmt":"2021-04-23T08:20:00","guid":{"rendered":"https:\/\/usd.formwandler.rocks\/news-top-schwachstellen-2020-cross-site-scripting\/"},"modified":"2021-07-09T08:40:45","modified_gmt":"2021-07-09T06:40:45","slug":"news-top-vulnerabilities-2020-cross-site-scripting","status":"publish","type":"post","link":"https:\/\/www.usd.de\/en\/news-top-vulnerabilities-2020-cross-site-scripting\/","title":{"rendered":"usd HeroLab Top 5 Vulnerabilities 2020: Cross-Site Scripting (XSS)"},
"content":{"rendered":"<p>During <a href=\"https:\/\/www.usd.de\/en\/security-analysis-pentests\/pentest\/\">penetration tests<\/a> our <a href=\"https:\/\/herolab.usd.de\/en\/our-experts\/\" target=\"_blank\" rel=\"noopener\">security analysts<\/a> repeatedly uncover gateways in IT systems and applications that pose significant risks to corporate security. They increasingly identify the same vulnerabilities in different IT assets, some of which have been known for years. In our mini-series, we present our top 5 most notable vulnerabilities from 2020. Part 1: Cross-site scripting.<\/p>\n<h3>Vulnerability Background<\/h3>\n<p>Cross-site scripting refers to a category of vulnerabilities that allow an attacker to inject malicious JavaScript code into a web server\u2019s responses. The web browsers of other users then cannot distinguish the JavaScript code inserted by the attacker from the legitimate code of the application and execute the malicious script accordingly. This usually leads to the attacker being able to completely take over the victim\u2019s current session.<\/p>\n<h3>Example hacker attack and its consequences<\/h3>\n<p>The HTTP request below shows how an attacker embeds malicious JavaScript code within an application. When a victim later visits the corresponding endpoint within the application, the JavaScript code is executed in their browser context. The JavaScript used in this example extracts the victim\u2019s credentials, which were stored within the browser:<\/p>\n<img src=\"https:\/\/www.usd.de\/wp-content\/uploads\/01-xss-payload.png\" alt=\"01-xss-payload\">\n<p style=\"text-align: center;\">Figure 1: Attacker places malicious JavaScript code inside a vulnerable application<\/p>\n<img src=\"https:\/\/www.usd.de\/wp-content\/uploads\/02-xss-execution.png\" alt=\"02-xss-execution\">\n<p style=\"text-align: center;\">Figure 2: A user visits the vulnerable page \u2013 their credentials are extracted<\/p>\n<p>While the victim\u2019s credentials were displayed here for better visibility, a real attack would take place without any traces visible to the victim. Instead of being displayed on screen, the accessed data would have been sent over the network to a server controlled by the attacker.<\/p>\n<h3>Recommended measures<\/h3>\n<p>User-controlled input should always be considered potentially dangerous and should never be embedded within server responses without sufficient filtering and encoding. Appropriate functions for filtering and encoding input are available in all common programming languages. The correct use of frameworks and regular training of developers are important measures to prevent cross-site scripting vulnerabilities.<\/p>\n<p>Please note that this is a very general recommendation for security measures. We are happy to support you with individual solutions. <a href=\"https:\/\/www.usd.de\/en\/contact-form-analysis-pentests\/\">Feel free to contact us<\/a>.<\/p>\n<p>Read more about our top 5 most notable vulnerabilities and other exciting topics in our <a href=\"\/wp-content\/uploads\/usd-HeroLab-Annual-Report-2020.pdf\">2020 Annual Report<\/a>.<\/p>\n","protected":false},
"excerpt":{"rendered":"<p>During penetration tests our security analysts repeatedly uncover gateways in IT systems and applications that pose significant risks to corporate security. They increasingly identify the same vulnerabilities in different IT assets, some of which have been known for years. In our mini-series, we present our top 5 most notable vulnerabilities from 2020. Part 1: Cross-site scripting Vulnerability Background Cross-site [&hellip;]<\/p>\n","protected":false},
"author":96,"featured_media":8770,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_et_pb_use_builder":"on","_et_pb_old_content":"","_et_gb_content_width":"","inline_featured_image":false,"footnotes":""},"categories":[373,374],"tags":[376,377,378,379],"class_list":["post-8769","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news-en","category-pentests-security-analyses-en","tag-cross-site-scripting-en","tag-penetrationstest-en","tag-pentest-en","tag-sicherheit-von-anwendungen-en"],
"_links":{"self":[{"href":"https:\/\/www.usd.de\/en\/wp-json\/wp\/v2\/posts\/8769","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.usd.de\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.usd.de\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.usd.de\/en\/wp-json\/wp\/v2\/users\/96"}],"replies":[{"embeddable":true,"href":"https:\/\/www.usd.de\/en\/wp-json\/wp\/v2\/comments?post=8769"}],"version-history":[{"count":0,"href":"https:\/\/www.usd.de\/en\/wp-json\/wp\/v2\/posts\/8769\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.usd.de\/en\/wp-json\/wp\/v2\/media\/8770"}],"wp:attachment":[{"href":"https:\/\/www.usd.de\/en\/wp-json\/wp\/v2\/media?parent=8769"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.usd.de\/en\/wp-json\/wp\/v2\/categories?post=8769"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.usd.de\/en\/wp-json\/wp\/v2\/tags?post=8769"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}