Cybersecurity: What is XSS?

With the ransomware attack on the NHS dominating the news headlines this week, here’s – at last – some good news related to cyber security.

Back in February I launched a Bug Bounty competition to encourage school students to responsibly disclose any bugs, vulnerabilities or problems with the site rather than maliciously exploit them.

Image: What is XSS?

I’m not able to afford the hefty cash prizes offered by some tech firms when people disclose a bug, but I do always send out some freebies to reward anyone who finds and reports a problem with the site, along with a certificate, as a mark of respect which can hopefully help kickstart a future career in information security.

Today, a talented young student from Fulford School has submitted a bug report identifying an XSS vulnerability in create.withcode.uk. This responsible disclosure has led to the bug being fixed without any damage done. Thank you!

For those who are interested, I thought I’d write up what an XSS attack is, what damage it can do, how it works and how you can prevent it from causing any damage on your website.

What is XSS?

XSS stands for Cross Site Scripting.

Scripting means running code.

Cross site means tricking one website into running some code (usually javascript) that isn’t hosted on that server. Either the code is loaded from another server or entered directly by the attacker.

What are the dangers?

If a website is vulnerable to an XSS attack, it means that someone can trick your browser into running some javascript code that could potentially cause some significant problems.

Javascript running in a web page is, by design, kept away from your files and folders, so it can’t infect your computer with a virus directly, but XSS code could potentially cause any of the following to happen:

  • Read personal information stored in site cookies (such as name, username or site preferences)
  • Steal your authentication token (to allow someone else to login as you)
  • Hijack your user account (e.g. to post a message as you on that site)
  • Redirect you to another website (e.g. to display adverts)
  • Alter the functionality of the site (e.g. to add / remove / change site features)
  • Use your computer to take part in a DoS or DDoS attack (to overwhelm a web server with so much traffic that it becomes unusable)

create.withcode.uk is deliberately designed not to store any personal data or have user accounts so none of the above were a serious concern, but it’s never good to leave a vulnerability open once it’s been discovered.

How does XSS work?

Image: Example XSS attack, changing the text in the code editor

Any website that allows the user to type in data is potentially vulnerable. That means any website that has a text box for user input, or accepts any input from a file, cookie, URL parameter or similar, could potentially be compromised by an XSS attack.

XSS attacks work by injecting javascript code into a web page so that the browser runs it as if it were part of the site.

For example, a webpage that asks someone for their name and then says a personalised hello could be attacked if someone enters their name as <script>alert("do something nasty here");</script>

How can you prevent XSS attacks?

The trick to preventing XSS is to filter out any <script> tags (or other similarly dangerous tags) by filtering all user input, either to blacklist anything that looks suspicious or to whitelist only the type of data that you know you can trust.

Blacklist: A list of data that you want to prevent

Whitelist: A list of data that you want to allow

The most common way to do this is to use a RegEx (Regular Expression) on anything that you display in the browser that you don’t fully trust. A RegEx lets you search for patterns in data so that you can remove them or replace them with whatever you choose.

A good web designer shouldn’t trust any data that comes from an external source (another server or a user), and so should assume that every way of entering data is a possible source of malicious code and filter it appropriately.
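The greeting page from the "How does XSS work?" section and the filtering approaches described above, as an added example that is not part of the original post: a vulnerable version that concatenates the name straight into the page, the post's blacklist-style RegEx that strips <script> tags, and an encoding approach that treats every character the browser could read as markup as untrusted. The function names are assumptions for illustration.

```javascript
// Added example, not code from create.withcode.uk. Function names are
// assumptions for illustration.

// Characters that have meaning in HTML, mapped to their entity encodings.
const HTML_ENTITIES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Whitelist-style approach: all text is allowed through, but the five
// characters that could start or end markup are encoded, so the browser
// shows the input as text and never parses it as tags or attributes.
function escapeHtml(input) {
  return String(input).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Blacklist-style approach from the post: remove <script> tags with a RegEx.
// This only catches what the filter author has listed, so it must be kept
// up to date as new dangerous constructs are discovered.
function stripScriptTags(input) {
  return String(input).replace(/<\/?script[^>]*>/gi, "");
}

// Vulnerable: user input is concatenated directly into the page's HTML,
// so a name containing markup becomes part of the page.
function greetUnsafe(name) {
  return `<p>Hello, ${name}!</p>`;
}

// Fixed: the same page, but the name is escaped before it is inserted.
function greetEscaped(name) {
  return `<p>Hello, ${escapeHtml(name)}!</p>`;
}

// Constructed sample input: the payload quoted in the post.
const SAMPLE_PAYLOAD = '<script>alert("do something nasty here");</script>';

// Check used to compare the two outputs: is there still a parseable
// opening tag of the given name in the generated HTML?
function containsTag(html, tagName) {
  return new RegExp(`<${tagName}[\\s>]`, "i").test(html);
}
```

The same escaping must be applied to every string the page builds from untrusted input, including the error messages mentioned in the post, since a filter applied only to the main input box leaves other paths untouched.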

You can experiment with the algorithm I’ve used to filter out any XSS attacks here. If you can find an XSS attack vector that gets through the filter, please let me know and claim your own bug bounty!

XSS attack vector: text, html or user input deliberately designed to execute code on a web page

Example XSS attack

The student who detected the vulnerability in create.withcode.uk realised that whilst most user input was correctly filtered, error messages were not properly filtered and so were a potential avenue for an XSS attack. He demonstrated how this could be used to:

Image: Example XSS attack, replaced all toolbar images with green smiley faces
  • Change all of the toolbar images at the bottom of the site
  • Embed a game into the site
  • Change the text in the editor
  • Redirect the user to a random python script

This vulnerability has not caused any data on the site to be compromised (create.withcode.uk doesn’t store any user details) but it has now been fixed thanks to the responsible disclosure. I’ll send out a small reward tomorrow to the student in question and hope that they continue to develop and use their skills to do the right thing both legally and morally!

We certainly need more people willing and able to find and help fix vulnerabilities in computer software.

The wrong thing to do would have been to maliciously exploit the vulnerability to cause damage. The right thing to do was to share the discovery sensibly so that it can be fixed. This is exactly what the student in question did. Well done 🙂

Report a bug

If you think you can find a bug in create.withcode.uk I’d love to hear from you.

You can report a bug here in return for a small reward, certificate and my respect & gratitude!

Reporting bugs responsibly helps keep websites secure and is a great way to gain experience in the field of information security.

In the meantime, I hope create.withcode.uk continues to be a useful – and safe – resource to anyone wanting to write, run, debug and share python code in your browser.