Cross-site scripting (or XSS) ranks seventh on the OWASP Top Ten — a standard industry-recognized document listing the most critical cybersecurity risks.
The OWASP Foundation recommends that companies adopt this document to understand the most common vulnerabilities and reduce them in their web apps.
That means cross-site scripting (or XSS) is one of the most common bugs exploited by cybercriminals to compromise an organization’s networks or systems. History proves it: attackers have used this vulnerability in a range of cyberattacks, causing millions in damages to the affected organizations, which in turn spend a fortune trying to stop these attackers.
That is why it is important for security professionals to understand cross-site scripting and evaluate their own security posture against it. Let’s look at examples of cross-site scripting attacks to learn how those attacks were carried out and understand the consequences of this vulnerability.
British Airways
British Airways — the second-largest carrier airline in the United Kingdom — suffered a data breach in 2018. The breach affected 380,000 booking transactions between August and September 2018. Thankfully, it was caught by researchers from RiskIQ, who reported it to British Airways, and the company patched it afterwards.
The breach was suspected to be linked to Magecart — a hacker group known for using card-skimming techniques to obtain confidential credit card information from insecure payment pages on popular websites. In this attack, the skimming worked by exploiting a cross-site scripting vulnerability through a compromised JavaScript library known as Feedify. The same approach was also used by attackers to compromise Ticketmaster.
In this attack, the JavaScript file was modified to record customer data and send it to the attackers’ server when the user submitted the payment form; the server used the look-alike domain “baways.com” to avoid suspicion. The attackers even purchased a TLS certificate for their malicious server so that the page would appear secure to both the browser and the user. This gave users no visible reason to distrust the page while making a payment, and so they lost their credit card details.
Fortnite
Fortnite — the popular online video game by Epic Games — was exposed to an attack that could have led to a data breach in January 2019. The issue was a retired, unsecured web page with a dangerous cross-site scripting vulnerability that would have allowed attackers unlimited access to 200 million users. The likely goal of attackers would have been to steal the game’s virtual currency and record the players’ conversations, which could provide a trove of useful information for future attacks.
Fortnite has been a prime target for cybercriminals owing to its popularity. In 2018-2019, Fortnite was nominated for 35 game awards and won 19 titles, including “eSports Game of the Year”, “Best Multiplayer/Competitive Game”, and “Online Game of the Year”. Statista reports that Fortnite had 350 million registered users in May 2020, which makes it a lucrative target for hackers.
In this attack, the specific issue was a combination of a cross-site scripting vulnerability and an insecure single sign-on address. Chaining the two vulnerabilities, attackers could redirect players to dubious web pages that could have been used to steal the players’ information and/or virtual currency. Although security researchers at Check Point caught the issue and notified Fortnite in January 2019, and Fortnite fixed it, there is no way to confirm that this set of vulnerabilities was not already used in a major cyberattack.
eBay
eBay is a well-known marketplace for buying and selling products between businesses and consumers. Although it had suffered cross-site scripting vulnerabilities many times in the past, a vulnerability present from December 2015 to January 2016 was especially dangerous. It was dangerous because it was a simple vulnerability that could easily have been exploited to wreak havoc on eBay users. And since users buy or sell products on eBay, attackers could have gained access to users’ listings, sold their items at a discount, stolen their payment details, and so on.
The vulnerability was in a “url” parameter that eBay used to redirect users to the right page. The page did not check the parameter value before inserting it into the page, which made it exploitable. An attacker could use this vulnerability to inject malicious code into the page and make the user’s browser do the attacker’s bidding. For example, an attacker could have added code to steal the user’s login credentials and then abuse the hijacked account.
These are some of the most dangerous cross-site scripting attacks of the last decade. In all the cases mentioned, the first mitigating step is to write secure code from the ground up. Because cross-site scripting (XSS) is one of the most common vulnerabilities, there are many code analysis tools that help detect and fix such flaws in code.
Second, and more important, the code should always validate and verify user input — especially if the input is going to be inserted into a web page, now or in the future — and encode it on output so that it cannot be interpreted as markup or script. The code should also constrain input: reject or filter special characters and enforce length limits.
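As an added example (not code from the original article or from eBay), the pattern behind the “url” parameter flaw above, rendered in Node.js as a server-side template: the unsafe version interpolates the parameter straight into the HTML, and the hardened version applies the validation, length limits and output encoding just described. The page template, the function names and the sample inputs are all constructed for illustration.

```javascript
// Added example: a redirect page that reflects a "url" query parameter into
// its HTML, modelled on the eBay flaw described above. Template, function
// names and sample inputs are constructed for this illustration.

// Vulnerable form: the parameter is interpolated straight into the markup,
// so any HTML or script in it becomes part of the page.
function renderRedirectUnsafe(url) {
  return `<p>Redirecting to <a href="${url}">${url}</a></p>`;
}

// Escape the five characters that let text break out of an HTML context.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;",
  })[c]);
}

// Validate the redirect target: only a relative path on this site is
// accepted, which also rejects javascript:, data: and protocol-relative
// (open redirect) targets, and enforces a length limit.
function isSafeRedirectTarget(url) {
  if (typeof url !== "string" || url.length === 0 || url.length > 2048) return false;
  if (!url.startsWith("/") || url.startsWith("//") || url.startsWith("/\\")) return false;
  // Allow only the plain path and query characters of a same-site URL.
  return /^\/[A-Za-z0-9._~!$&'()*+,;=:@%\/?-]*$/.test(url);
}

// Hardened form: validate the input, fall back to a fixed default, and
// encode on output so the value can never be interpreted as markup.
function renderRedirectSafe(url) {
  const target = isSafeRedirectTarget(url) ? url : "/";
  const enc = escapeHtml(target);
  return `<p>Redirecting to <a href="${enc}">${enc}</a></p>`;
}

module.exports = { renderRedirectUnsafe, renderRedirectSafe, escapeHtml, isSafeRedirectTarget };
```

Running both renderers over the same constructed input shows the unsafe page carrying the injected tag verbatim while the hardened page falls back to the default target and encodes it.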