How passwords are stolen from the browser during XSS attacks
10:48, 09.01.2023
Security headers are one of the most important links in the chain of tools and mechanisms that protect a website from external threats. With the help of XSS attacks, attackers can steal passwords stored in the browser and then use them for their own purposes. Next, we will tell you what an XSS attack is and how you can protect yourself from it.
What is an XSS attack and how it is implemented
There is a known vulnerability called Cross-Site Scripting (XSS), which allows an attacker to inject pieces of malicious HTML and JS code into the site structure. When this code is executed on the user's computer, a special window with a generated link automatically pops up. By clicking on this link, the person lands on a special site that strongly resembles the original, so that the victim does not suspect anything. After the transition, scripts are launched that steal information about saved passwords from the browser.
Fraudsters can use different variants of XSS attacks, but the most common are:
- Reflected XSS – relies on social engineering tricks to push a person to certain actions. During such an attack, a special script is embedded in a hyperlink, which allows stealing cookies.
- Persistent XSS – a permanent variant of the attack in which malicious code is introduced on the server. The infected site will not cause any suspicion at all, but to implement this type of attack, the attacker needs to find and use a vulnerability on the site and inject the malicious code in such a way that the administrators who maintain the site and the server do not notice anything. The infected server will automatically send the attacker the data of visitors who voluntarily log in to the site.
The problem is that carrying out an XSS attack does not require any deep knowledge of hacking or social engineering, and this makes it quite dangerous, precisely because of its invisibility. However, it is quite easy to protect against it. Below we provide recommendations both for site owners and for users who want to protect themselves from such leaks.
What users should do to avoid becoming a victim of an XSS attack
First and foremost, never save important passwords in your browser. Of course, it is not very convenient to manually enter your username and password every time, but it is important if you want to protect yourself from intruders. Store passwords in the browser only for those sites and accounts whose compromise would not harm you. Data for payment systems, banks and social network accounts is better stored somewhere else.
In addition, when visiting sites, you should be careful – if you notice any suspicious activity on the site in the form of intrusive pop-ups, refrain from clicking on the link provided.
What website owners should do to protect themselves from XSS attacks
First of all, you need to enable the X-XSS-Protection header, which is used to filter cross-site scripting. Once it is active, a <script> tag passed in the page URL will not be executed.
To enable XSS filtering, open the .htaccess file in edit mode and add the following lines:
<IfModule mod_headers.c>
    Header set X-XSS-Protection "1; mode=block"
</IfModule>
This works for the Apache web server. If you have Nginx, then you need to open the nginx.conf file and add the following to the http section:
add_header X-XSS-Protection "1; mode=block";
It also happens that when renting a VPS, the user does not have access to the configuration files. In this case, you can resort to the PHP function:
<?php header("X-XSS-Protection: 1; mode=block"); ?>
Alternatively, ask the hosting provider to make the necessary changes to the configuration. In any case, there are enough options to activate XSS filtering.
Recommendations on how to protect yourself from XSS attacks
Finally, we list the main tips that will also be useful:
- Check your website at least once a month for vulnerabilities and fix them if possible. It is extremely important to ensure the correct and secure processing of all information that comes to the server from the outside.
- If the site is self-written, be sure to use functions that convert special characters and escape single quotes in the JS code.
- Regularly update the site software, especially the CMS and all installed plugins. Updating is not so much about some new features as about security. Very often developers identify some critical vulnerabilities and quickly eliminate them. It is best, if possible, to enable automatic server updates.
- Use a firewall; it can be activated using special plugins.
- Protect your website and user data with SSL data encryption.
- Take care of setting up the content security policy. This policy is designed to separate content into groups with different permissions.
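The escaping and content security policy items in the list above, shown together in PHP as an added example (not HostZealot's code); current Chrome, Edge and Firefox no longer act on X-XSS-Protection, so these two controls do the actual work. The helper names esc_html, esc_js and csp_header, the sample $comment value and the policy itself are assumptions to adapt to your site.

```php
<?php
// Added example, not HostZealot's code. Helper names, the sample input and
// the policy are assumptions; adapt them to your own site.
declare(strict_types=1);

// For HTML text and quoted attribute values: & < > " ' become entities.
function esc_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// For a JavaScript literal inside <script>: the JSON_HEX_* flags emit
// < > & ' " as \uXXXX, so the value cannot end the string or the element.
function esc_js($value): string
{
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
    return json_encode($value, $flags | JSON_THROW_ON_ERROR);
}

// One directive per content group; scripts run only from this origin or
// when they carry the per-response nonce, so injected inline code is refused.
function csp_header(string $nonce): string
{
    return 'Content-Security-Policy: ' . implode('; ', [
        "default-src 'self'",
        "script-src 'self' 'nonce-{$nonce}'",
        "object-src 'none'",
        "base-uri 'self'",
        "frame-ancestors 'none'",
    ]);
}

$nonce = base64_encode(random_bytes(16)); // fresh for every response
header(csp_header($nonce));               // must run before any output

// Constructed sample of hostile input, e.g. a stored comment.
$comment = "\"'></script><script>alert(1)</script>";
?>
<p><?= esc_html($comment) ?></p>
<input name="comment" value="<?= esc_html($comment) ?>">
<script nonce="<?= esc_html($nonce) ?>">
  const comment = <?= esc_js($comment) ?>;
  document.title = comment.length + ' characters';
</script>
```

Each output context gets its own encoder: esc_html for text and attribute values, esc_js for values placed inside a script block. Before enforcing the policy on a live site, it can be sent as Content-Security-Policy-Report-Only to see what it would block.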
If you have any questions, please contact HostZealot specialists. Our staff will help you solve issues related to the security of the site and data on the server.