XSS, what is it and should I be concerned?
When it comes to web application security, one of the most popular buzz acronyms is XSS. XSS stands for Cross Site Scripting. You may ask, should I be concerned about XSS? Or you may be thinking, “I am no developer, why would I care what this XSS is?” The answer to both questions is a resounding yes, you should be concerned. The next time you think about installing a plugin, do some research first to see if anyone has reported an XSS vulnerability in it, or if it appears in a known-vulnerable list such as WPScan’s Vulnerability Database.
Some developers are not concerned with XSS because they assume it takes a user stumbling across a specific vulnerable page or section of the site, such as a commenting system that doesn’t “sanitize” its input first.
A wonderful thing about WordPress is the ability to search through thousands of plugins to add functionality to your site. But sometimes certain plugins either have malicious scripts embedded in them or are vulnerable to things like XSS attacks. For example, a plugin with an XSS vulnerability could, unknown to you, allow a hacker to create a new admin user with full access to do anything on your site. Red Technologies recently saw this happen to a company that had lost complete control of its site. The company was unaware for many months that a hacker was embedding malicious ads into its site.
One thing to always keep in mind is to never, ever trust input data. If you are unsure what counts as input data, think of anything that originates outside your website and that you do not control. This often comes from form data, such as your Contact Us form or registration forms. But it also includes query strings, cookies, request headers and data from web services. An example of a third-party service would be showing your Facebook or Twitter feeds on your website.
Hackers can take advantage of these input points to do things such as code injection, traversal of internal system directories, malicious file uploads and XSS payloads. A simple example: when you leave a comment on a website, that comment is stored in the database and then loaded back when a user visits the page it was posted on. If there is no input validation and no sanitization of output, or other protection against XSS, a hacker can post a malicious script into that comment form. The next time a user visits that page, the browser executes the script and performs some malicious action in the context of the website. Often the user doesn’t even notice that something has happened. The script might be stealing the user’s cookies, hijacking their session, or sending information to the hacker’s server.
As a developer, you should always do two things when developing a plugin, theme or any other type of web functionality that takes data input. First, always validate your data inputs, both client side and server side. NEVER EVER do only client-side validation and forget about server-side validation as well. You can get away with doing only server-side validation, but keep in mind that it can degrade the user experience a bit, since the user has to wait for the server to validate the inputs and report whether they are valid. The second thing you should always do is sanitize your data outputs. Red Technologies prefers the Whitelist approach (describe what you know to be good) over the Blacklist approach (describe what you know to be bad). We also prefer widely used and well-tested libraries for data sanitization; which one depends on the web application framework you are developing in. We recommend against rolling your own approach, as we can almost guarantee you will forget something.
One way you can test for an XSS vulnerability on your own site is to try posting a simple short script into one of your forms, such as <script>alert('This is a test for XSS')</script>. Let’s say you posted this into a form that outputs the result back onto the page (a comment system, for example). If, when you reload the page, you get a popup that states “This is a test for XSS,” then you know that form is vulnerable to an XSS attack. This is only one form of XSS attack and is classed as a server-side stored (persistent) vulnerability. Another is a reflected (non-persistent) vulnerability, where the payload isn’t stored but is echoed straight back in the response, usually after the victim is tricked into opening a crafted link.
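The stored-comment scenario above, with the two steps from the previous paragraph (validate input, escape output) applied to it, as an added example that is not code from the original post. It is plain PHP so it runs without WordPress; inside a plugin you would use WordPress’s own esc_html() and sanitize_text_field() for the same two steps. The function names and the sample author string are assumptions made for this example.

```php
<?php
// Added example (not from the original post): a minimal comment renderer
// showing the vulnerable pattern beside the hardened one.

// Constructed input: the exact probe the post suggests typing into a form.
$comment = "<script>alert('This is a test for XSS')</script>";

// VULNERABLE: user input is concatenated straight into HTML. The browser
// sees a real <script> element and runs it on every page load.
function render_comment_vulnerable(string $author, string $body): string {
    return "<p><b>$author</b>: $body</p>";
}

// Step 1 (server side): validate input against a whitelist. The author
// name may only contain letters, digits, spaces, dots and hyphens;
// anything else is rejected outright rather than "cleaned up".
function validate_author(string $author): bool {
    return (bool) preg_match('/^[A-Za-z0-9 .\-]{1,40}$/', $author);
}

// Step 2: escape on output. htmlspecialchars() turns < > & " ' into
// entities, so the payload is displayed as text instead of parsed as HTML.
function esc(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function render_comment_safe(string $author, string $body): string {
    if (!validate_author($author)) {
        throw new InvalidArgumentException('author contains disallowed characters');
    }
    return '<p><b>' . esc($author) . '</b>: ' . esc($body) . '</p>';
}

echo "Vulnerable output:\n", render_comment_vulnerable('bob', $comment), "\n\n";
// Escaped output contains &lt;script&gt;...; no script element is created.
echo "Escaped output:\n", render_comment_safe('bob', $comment), "\n\n";

// Constructed author value that fails the whitelist and is rejected.
try {
    render_comment_safe('bob<script>', $comment);
} catch (InvalidArgumentException $e) {
    echo "Rejected author: ", $e->getMessage(), "\n";
}
```

Run it with `php` from the command line and compare the two outputs: only the first would trigger the popup if served to a browser.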
Other types of XSS vulnerabilities include client-side or DOM-based vulnerabilities, where the malicious code is never stored on the server but is handled entirely in the browser, for example by page scripts that read untrusted values from the URL or from browser storage. Rarer, but very dangerous, is an infrastructure vulnerability that affects the client side, the server-side structure or the network itself. For example, such a vulnerability could give a hacker a way to tamper with network traffic and inject packets into the payload.
What can I do about XSS?
If you are a developer, we have already explained a few methods of protecting against XSS vulnerabilities: input validation, both client and server side, as well as sanitizing outputs using a well-tested and trusted library and applying the Whitelist method to that sanitization. Keep in mind that these are not the only ways to protect against XSS, and they will not completely protect against it. Malicious users, such as hackers, keep finding new ways to circumvent the best-known XSS defenses. All you can do is research the topic on your own and keep finding new and improved methods for securing your website.
If you have a WordPress site, Red Technologies likes to use various security plugins designed to help protect against certain attacks like XSS. They can be a challenge to configure and, if configured incorrectly, can actually lock you out of your own site or take it down completely, but we can help you secure your site if you sign up for our monthly Website Security and Maintenance services.
- We will move your site to our secure hosting services, which gives you daily backups of your site in case anything is hacked, so we can quickly restore to a previous backup within minutes.
- We keep all plugins updated to the latest releases.
- We will configure a security plugin and manage all error, security and file change logs to make sure your site is secure. Some of the security plugins we configure have great firewall functions that help prevent some of the very vulnerabilities mentioned above. This doesn’t mean you will be completely protected, and you shouldn’t rely only on such a plugin, but it helps a great deal.
Another thing Red Technologies has been doing is setting up Cloudflare accounts. Cloudflare is a big topic in itself and maybe we will put out a blog post just on Cloudflare alone, but we can give you a quick overview on what their free version can give you. They offer a great free plan that can give you a free SSL certificate to help encrypt either parts of your site like registration or login, or completely encrypting all traffic for your website. It helps improve site performance, gives you stats about your visitors and some basic security enhancements. It works by having all your traffic routed through their intelligent global network which can help block threats and limit abusive bots and crawlers to your site. This helps free up valuable server resources since they can actually prevent these abusive users, bots and crawlers from ever hitting your site.
If you have a WordPress website, we can help keep your site protected. To learn more about the WordPress Security & Maintenance Services that Red Technologies provides, visit What We Do or give us a call at 612-310-7972.
Disclaimer: We are not certified security experts. We are giving a high-level overview about web security so that you can be more informed about some of the most common security vulnerabilities to look out for when developing or finding a developer. We will also be sharing some resources to help you continue your research on web security.