Malware Detection—Discovering Cross-Site Scripting Attacks
Nearly everyone has at some point had their web browser pop up a message that says something like “Your PC is Infected . . . Click Here to remove the virus”. That message is likely the result of a cross-site scripting (XSS) attack, and clicking on the link will connect to a site that installs malware, or encourages the victim to pay for fraudulent virus removal services.
The above example is just one form of XSS attack. In reality, there are numerous types of XSS attacks and cybercriminals frequently use them to commit their crimes. They pose a major challenge for malware detection systems.
Fortunately, new technologies can identify XSS attacks and the infections they cause.
What is a Cross Site Scripting Attack?
Cross-Site Scripting (XSS) attacks are a type of injection attack where cybercriminals deliver malicious script or code to a client browser, often via a vulnerable web application. In this type of attack, cybercriminals trick users’ browser into executing malicious code. A classic example is causing a browser to display a popup with a link to a website that installs malware. In other cases, an XSS attack will cause a victim’s browser to send confidential data or cookies containing login credentials to the attacker.
Three Types of XSS Attacks
There are three types of XSS attacks, and it’s important for anyone responsible or engaged in cybersecurity to have at least a high-level knowledge of how each of them works.
Persistent (or stored) XSS Attack
This occurs when a website actually stores the payload, as in the example provided earlier where an attacker enters a comment that contains a malicious script and it resides on the website. Any browser that loads the page containing the comment will execute the script and risk infection.
Reflected (Non-Persistent) XSS Attack
In this type of XSS attack, the victim is typically tricked into opening a link that has a malicious but obscured script appended to the end of the URL. When the victim’s browser executes the link, the target website echoes or reflects the script back to the user’s browser, typically in the form of an error message, response field, or search result. When the victim’s browser receives this reflected script, it executes it on the victim’s device.
Document Object Module (DOM)-Based XSS Attack
As web applications gain in sophistication, web designers have shifted more and more of the processing to the user’s browser. When a user connects to a website, it’s common for their browser to generate some of the code that it will execute.
In a DOM-based XSS attack, cybercriminals pollute a browser’s data or environment in such a way that the code it generates is malicious. A browser’s data set or environment is called a DOM (Document Object Module), and contains, among other things, data that has been input by the user (i.e. name, address or other information). The browser uses the data within the DOM to generate the code it will execute. In a DOM-based XSS attack, malicious scripts are injected into the DOM, resulting in the creation and execution of malicious code.
Attackers corrupt the DOM by crafting a malicious URL. The attacker appends a type of script to the end of the URL that is not sent to the server but processed by the browser itself. When a user clicks on the malicious URL, the browser loads the script into the DOM where it becomes part of the code the browser generates.
A key differentiator between DOM-based and other XSS attacks is that in a DOM-based attack the malicious code never touches, nor is transmitted to or from the webserver. This has a number of ramifications, one being that a DOM-based XSS attack cannot be stopped by server-side controls or filters.
Why XSS Attacks Are So Dangerous
XSS attacks have been around for many years, but they are still a major concern, so much so that OWASP, a well-known index of web application vulnerabilities, lists XSS attacks as one of the Top 10 Most Critical Web Application Security Risks. XSS attacks accounted for nearly half of all web-based exploits last year according to WhiteHat Security’s 2016 Web Applications Security Statistics Report.
Unfortunately, XSS attacks are not going away anytime soon because they are easy for cybercriminals to design and execute, and because so many websites are vulnerable to this type of attack. Research from Acunetix found that 33% of all websites have XSS vulnerabilities and are subject to attack. Snyk, a provider of vulnerability scanning products, believes the number is even higher, reporting that roughly 50% of the world’s websites have XSS vulnerabilities and are subject to attack.
XSS attacks create the ideal environment for attackers to escalate an initial foothold to a more extensive and damaging intrusion. With social engineering and the browser capabilities listed above, cybercriminals can use an XSS attack to execute sophisticated operations including cookie theft, keylogging, user impersonation, session hijacking, data theft, and many other malicious activities.
Most Malware Detection Systems Struggle to Spot XSS Attacks
While determining if a web application is susceptible to an XSS attack is relatively straightforward, detecting when an XSS attack is currently occurring is a great deal more difficult.
Most malware detection systems rely on the process of scanning files for malware attack signatures. In those cases where the malicious code resides on the webserver, as in persistent XSS attacks, signature-based products can evaluate a webpage and detect known attacks. But most systems will not detect new malware because it won’t have an attack signature. Reflective and DOM-based XSS attacks are a greater challenge because the malware is never stored on the webserver. There is nothing on the server for signature-based products to analyze, therefore they are ineffective against reflective and DOM-based XSS attacks.
Effective Detection of XSS Attacks
To minimize XSS attacks, organizations need to evaluate their web application code and remove XSS vulnerabilities. But they must also implement security tools that will detect XSS attacks. That requires advanced products that go beyond analyzing files for attack signatures to monitoring network traffic for code injection.
To effectively detect all three types of XSS attacks (persistent, reflective, and DOM-based), organizations need a comprehensive solution that is capable of:
- Evaluating any object that a browser may open, or that may launch a browser. This includes email messages, attachments, downloads, webpages, and any other document that contains HTML links. See Lastline’s blog Top 10 Malicious Email Threats for more information.
- Rapid static analysis of each object, evaluating them for malicious capabilities and links, known attack signatures, structural deviations, and other anomalies. For more information about malicious links, see Lastline’s blog Protection from Malicious Links.
- Performing full behavioral analysis by completely executing each object and testing it for evasion techniques and malicious actions. See Machine Learning is Transforming Malware Detection to learn more.
- Network monitoring for activity created by malware operating on a network, such as code injection, malware communicating with command and control servers, and other anomalous activity.
XSS attacks are a constant problem that organizations must address, both at the vulnerability level and at an actual attack level. While the security industry has given a lot of attention to finding and correcting XSS vulnerabilities in web code, they haven’t done nearly as much to detect an actual XSS attack.
This lack of effective solutions is due in part, to the difficulty in detecting the various types of XSS attacks and infections. Known persistent XSS infections are relatively easy to detect. But unknown infections and non-persistent infections (both reflective and DOM-based) are difficult or even impossible for most malware detection systems to identify.
Fortunately, tools have emerged during the last few years that have the necessary capabilities and therefore can detect all three types of XSS attacks.