XSS

Cross-site scripting (XSS) is a very common vulnerability that allows malicious actors to execute malicious client-side scripts within users' browsers. This client-side script execution could lead to the defacing of the website and the theft of user data, e.g. the application authorization tokens stored in cookies.

tCell's app firewall monitors for XSS attack attempts and can be used to block the attackers. The browser agent monitors the DOM of a user's browser for successful XSS attacks, and tCell uses CSP to prevent data loss (and other compromises) that may result from these attacks. tCell also notifies the designated people in an organization of the XSS event and provides them the necessary details to quickly address the vulnerability.

What is it?

An XSS attack occurs when a malicious actor injects client-side scripts and/or HTML into a web page for execution by the web browser of another user. There are three common types of XSS attacks: reflected, persistent, and DOM based.

  • A reflected XSS attack requires a user action that contains a malicious script for each execution of that script.
  • A persistent XSS attack consists of permanently adding a malicious script to the vulnerable page, and having that script load every time a user visits it.
  • A DOM based XSS attack occurs in the browser, often delivered by a malicious value in the URI fragment and does not involve the web server.

One of the most common XSS attacks, if successful, allows a malicious actor to steal a user’s application authorization tokens stored in cookies and then access the application as that user. The actor will assume that user’s privileges and will be able to act as that user, as long as that specific action does not require additional security verification, such as a two-factor key or a password.

The security best practice to avoid being vulnerable to XSS is to escape certain characters by using various character encoding techniques and by always validating input. OWASP’s XSS Prevention Sheet is a great resource to learn the fundamentals of how to prevent XSS through best coding practices.

How do malicious actors find vulnerabilities?

Most commonly, a malicious actor would use an application security scanner to scan an application for XSS vulnerabilities. The actor would also spend the time to manually discover all of the application’s parameters in the URL, header, and body, and then modify them to test for XSS vulnerabilities using techniques that are more sophisticated than the security scanner.

How tCell prevents XSS attacks

tCell protects against XSS attacks in three ways.

tCell's App Firewall running in the application or web server can detect requests being used to discover or exercise XSS vulnerabilities. This engages the suspicious actors functionality to prevent the attacker from continuing.

Content Security Policy (CSP) can be used to block loading of external resources to prevent attacks involving a load of JavaScript from other domains (to run directly or to inline). In addition, if the web web application does not require the use of inline scripts, CSP can disable support of inline scripts in the browser entirely, providing a strong protection against this class of attacks.

tCell also provides a JavaScript agent or jsagent which monitors the DOM of the user's browser to detect all inline scripts and report any that were not allowlisted as benign. Further, the tCell service can determine if the unexpected scripts are likely to represent an attack and flags them as suspected attacks, generating events in the newsfeed and alerts to configured alert targets (such as email or Slack).

CSP

Content Security Policy (CSP) is an industry-standard layer of security, driven by the W3C, that mitigates the risks of many types of content injection attacks. CSP's main focus is around preventing Cross Site Scripting (XSS) and script injection attacks through an allowlist approach. tCell gives you the tooling to set up, monitor, and enforce your CSP through advanced tooling.

CSP in tCell

tCell assists in configuring CSP through monitoring (collection of CSP violation reports) and upfront configuration. The tCell console allows you to create and configure your CSP both through the policy editor and while monitoring your app in the dashboard. Read the CSP Configuration guide for more details.

JS Agent

For inline script protection, tCell provides a JS Agent to detect unexpected scripts present in the browser DOM. We do this by automatically inserting a script into the header of each page of your application. This allows tCell to see all of the executed scripts and determine which scripts are XSS attacks. The default CSP configuration allows inline scripts to execute. The JS Agent can detect and report on malicious DOM activity that is not covered by the CSP.

Inline script events will appear in the Inline Scripts (XSS) view under the Events menu. You can add expected scripts to your policy through the Inline Scripts event view or the overall Policy editor views under Policies > JSAgent. Read the JS Agent Configuration guide for more details.