XSS Attacks: How to Protect Yourself, Your Customers and Your Business

Tobias Schüring Updated on 23.01.2020
5 Min.
In this way, website operators and users can protect themselves from cross-site scripting attacks.

XSS attacks are particularly devious, and especially popular with hackers. We show how you can protect yourself against the hijacking of your site - as a website operator and as a user.

The security provider Wordfence analyzed 1599 WordPress plugins over 14 months, and the most common weakness of all were so-called XSS vulnerabilities. Almost 47 percent of the gaps found were related to cross-site scripting - XSS for short. Reason enough to take a closer look at this type of attack, in which hackers infiltrate your site with malicious code and virtually hijack it. The attackers use your blog, your shop or your company website as a vehicle for their illegal activities.

Chart: according to Wordfence, XSS is the most commonly found vulnerability in plugins.

XSS vulnerabilities become dangerous whenever user input is forwarded to the web server without verification, for example in contact forms or comment fields. Once successful, hackers can steal data, integrate your site into a botnet or infect your visitors' computers. Fortunately, there are some very simple protective measures against XSS attacks.

XSS is equally relevant for visitors and site operators

It is important to understand that XSS vulnerabilities on WordPress sites are equally relevant for site operators and visitors. Site operators are exploited to serve the hackers' base aims, and site visitors are often the victims, for example through data theft or the spreading of malicious code.

In principle, XSS attacks start where users send data to the site operator's web server. Code is smuggled in at these neuralgic points and - if the user input is not critically checked, e.g. by a firewall - can infect the site. The different types of XSS attacks are described for you in our article on the subject of WooCommerce.

Most important: regular WordPress updates

The vulnerabilities used by hackers to introduce the malicious code are either in the WordPress core, in plugins or in themes. This is exactly why regular updating of all these components is so important, because these updates correct the weaknesses that have been found to date.

It also makes sense to regularly read the update details of the respective manufacturers to get a feeling for the security holes that are regularly closed by the updates. For the maintenance and security updates of the WordPress core, this information is documented for example in the WordPress blog. The best example is the latest security update, WordPress 4.7.5.

Firewalls and whitelists against simple XSS attacks

Another simple protective measure against XSS attacks are so-called web application firewalls, or WAFs. These firewalls are the heart of the large security plugins and are fed with the latest vulnerabilities by the manufacturer's research team. In general, a WAF is a mechanism that protects web applications from attacks via the Hypertext Transfer Protocol (HTTP).

But even these protective mechanisms have their limits, because in some XSS attacks the attack takes place via the database. Therefore, checking user input for malicious code is one of the central security mechanisms in the fight against XSS attacks. For example, the content of comments is scanned for suspicious character strings and rejected if necessary.

The data output should also be secured

Regular updates close existing XSS security holes, and firewalls and whitelists attempt to filter out malicious code before it reaches the web server and can infect the site. However, the data output should also be secured accordingly. Most programming and scripting languages, such as PHP, Perl or JavaScript, already have predefined functions for character replacement or masking. These ensure that "problematic" HTML meta characters (e.g. <, > and &) are replaced by harmless character references. This prevents the malicious code from becoming active. The code should also be protected using so-called sanitization libraries. This is done by installing a plugin on the server and integrating additional code into your page source code. The following code snippet, for example, then adds to the allowed attributes:

This is what the configuration code needed to perform code sanitization can look like.
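As an added example that is not code from the original article or from any WordPress plugin, the following plain PHP shows the two output-side measures described above (escaping HTML meta characters, and an allow-list of tags and attributes) next to the vulnerable pattern, and the same allow-list approach can serve the input-side check of comment content mentioned earlier. It assumes PHP 7 or later with the DOM extension and uses a constructed sample comment; all function names are my own.

```php
<?php
// Added example, not code from the original article. Plain PHP (7+ with the
// DOM extension), no WordPress functions: output escaping and an attribute
// allow-list for user-supplied comment text.
// Constructed sample input: a comment carrying an event-handler attribute
// and a script, the kind of text a comment form forwards to the server.
$comment = '<b onmouseover="alert(1)">hi</b><script>alert(document.cookie)</script>';

// Vulnerable pattern: the stored input is echoed into the page unchanged.
function render_unsafe(string $text): string {
    return "<p>$text</p>";
}

// Fix 1: replace HTML meta characters (<, >, &, quotes) with character
// references, so the browser shows the input as text instead of markup.
function render_escaped(string $text): string {
    return '<p>' . htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
}

// Fix 2: when some formatting must survive, keep only allow-listed tags and
// attributes; everything else, including on* handlers and <script>, is dropped.
function sanitize_allowlist(string $html, array $allowed): string {
    $doc = new DOMDocument();
    // The encoding hint keeps UTF-8 intact; @ silences warnings on odd markup.
    @$doc->loadHTML('<?xml encoding="UTF-8"><body>' . $html . '</body>');
    $body = $doc->getElementsByTagName('body')->item(0);
    // Snapshot the node list first, because removing nodes mutates it.
    foreach (iterator_to_array($body->getElementsByTagName('*')) as $el) {
        $tag = strtolower($el->tagName);
        if (!isset($allowed[$tag])) {
            $el->parentNode->removeChild($el);   // disallowed element and content
            continue;
        }
        foreach (iterator_to_array($el->attributes, false) as $attr) {
            if (!in_array(strtolower($attr->name), $allowed[$tag], true)) {
                $el->removeAttribute($attr->name);
            }
        }
    }
    $out = '';
    foreach ($body->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

$allowed = ['b' => [], 'i' => [], 'a' => ['href', 'title']];
echo render_unsafe($comment), PHP_EOL;    // handler and script reach the browser
echo render_escaped($comment), PHP_EOL;   // the whole comment is shown as literal text
echo '<p>' . sanitize_allowlist($comment, $allowed) . '</p>', PHP_EOL; // only the bold text survives
```

Note that an attribute allow-list checks names, not values: if `href` is allowed, its value still needs a check that the URL scheme is http or https before the link is emitted.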

Programming knowledge is required to implement this. A developer or CTO, for example, can easily implement this data output protection.

A healthy degree of scepticism: How users protect themselves

But not only site operators are affected by XSS attacks; site visitors are too. Many XSS attacks can already be prevented by handling "foreign" links critically and carefully. Users can, for example, use add-ons such as NoScript. These prevent the execution of scripts, i.e. the malicious lines of code that steal data, for example.

If you want to be on the safe side, you can also avert client-side cross-site scripting simply by turning off JavaScript support in your browser. If this so-called active scripting is deactivated, certain types of XSS attacks no longer stand a chance because the malicious applications are not even started. However, most modern websites then no longer "work" properly - or in the worst case, not at all. It is therefore necessary to weigh up security against usability here.

This is how you deactivate JavaScript with one click in the settings of the Chrome browser.

Conclusion: XSS attacks are sometimes very complex, but protection is often quite simple

XSS poses a danger for you as a website operator as well as for your visitors and customers. Again and again, weak points in plugins or themes become known, for example in the plugin WP Statistics with more than 400,000 active installations, or in WooCommerce and Jetpack with more than three million active installations each.

But if you keep your plugins and themes up to date and use a WAF, you have already taken a big step in the right direction. If you also use whitelists for incoming and outgoing code, you have already secured your site. However, the last two measures in particular are not easy to implement without programming skills.

Compared to the rather primitive brute force attacks, the more complex XSS attacks are unfortunately still relatively often successful. However, there are significantly fewer of these complex attacks on WordPress sites than there are brute force attacks. Nevertheless, you should make it as difficult as possible for attackers, because a successful hack not only costs time and money for removing the scripts, but can also endanger your position in search engines.

Maybe you have already had experience with XSS attacks? What are you doing to protect yourself from this?
