3 Malicious Cross-Site Scripting Attacks of the Last Decade
Cross-site scripting (or XSS) ranks seventh in the OWASP Top Ten, the industry-recognized standard document listing the most critical cybersecurity risks.
The OWASP Foundation recommends that organizations use this document to understand the most common security vulnerabilities and how to mitigate them in their web applications.
This means that cross-site scripting (or XSS) is one of the most common flaws that cybercriminals exploit to infiltrate corporate networks or systems. And history proves it: attackers have exploited this vulnerability in multiple cyberattacks and harmed millions of organizations, which in turn spend huge amounts of money trying to stop these attackers.
For this reason, it is important for security professionals to understand cross-site scripting and assess their security posture. Let's look at examples of cross-site scripting attacks to understand how each attack was planned and what the consequences of this vulnerability are.
British Airways
British Airways, Britain’s second-largest airline, was hit with a data breach in 2018. The breach affected 380,000 booking transactions between August and September 2018. Fortunately, the flaw was caught by researchers at RiskIQ, and British Airways is now patching it.
The breach is believed to be linked to Magecart, a hacking group known for using card skimming techniques to obtain sensitive credit card information from unsecured payment pages on popular websites. Skimming was at work in this attack, which exploited a cross-site scripting vulnerability using a malicious JavaScript library called Feedify. Surprisingly, attackers have also used this approach to target Ticketmaster.
In this attack, the JavaScript file was modified so that the customer’s data was captured and sent to the attackers' server (baways.com, named to avoid suspicion) when the user submitted the form. The attackers were smart enough to even purchase a security certificate (SSL) for their malicious server so that the entire website appeared safe to web browsers and users. This left users with no reason to be suspicious of the website when they made payments, and they lost their credit card details.
Fortnite
Fortnite, Epic Games' popular online video game, was the subject of an attack that resulted in a data breach in January 2019. The problem was a retired and unsecured web page with a cross-site scripting vulnerability that gave hackers unrestricted access to up to 200 million users. The attackers' potential goals were to steal the game's virtual currency and record players' conversations. This could provide a lot of useful information for their future attacks.
Fortnite has become a prime target for cybercriminals due to its popularity. In 2018-2019, Fortnite was nominated for 35 gaming awards and won 19 titles, including "Esports Game of the Year", "Best Multiplayer/Competitive Game", and "Online Game of the Year". Statista reports that Fortnite had 350 million registered users as of May 2020, making it a lucrative target for hackers.
A particular issue with this attack is the combination of a cross-site scripting vulnerability and the exploitation of unsecured unique addresses. By exploiting these two vulnerabilities, attackers can redirect players to suspicious websites where player information and/or virtual currency could be stolen. Although Check Point, a security research firm, caught this issue in January 2019 and reported it to Fortnite, which patched it, there is no way to be certain that this vulnerability was not part of a larger cyberattack.
eBay
eBay is a well-known marketplace for buying and selling products by or for businesses and consumers. While cross-site scripting vulnerabilities have occurred several times in the past, the vulnerability present from December 2015 to January 2016 was very dangerous. It was dangerous because it was a simple vulnerability that could easily be exploited to wreak havoc on eBay users. And since consumers usually buy or sell products on eBay, attackers could access users' products, sell them at a discount, steal their payment information, etc.
In this vulnerability, eBay had a "URL" parameter that was used to redirect users to the correct page. However, the parameter values were not checked before being inserted into the page, which made it a security vulnerability. An attacker could use it to insert malicious code into a page, forcing the user's browser to execute the attacker's commands. For example, attackers may have added code to steal user credentials and destroy hacked accounts.
These are some of the most dangerous cross-site scripting attacks of the last decade. In all of the cross-site scripting cases above, the first mitigation step is to rewrite the security code from scratch. Cross-site scripting (XSS) is one of the most common vulnerabilities. For this reason, there are many code analysis tools that can be used to identify and fix vulnerabilities in the code.
Second, but more importantly, the code must always validate user input, especially when the data is inserted into a web page, whether immediately or at a later time. The code must also restrict user input to avoid or filter special characters and to reject overly long inputs.
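The unchecked redirect parameter described in the eBay case and the validation advice above can be shown side by side. This is an added example, not code from eBay or from the original article; the function names, the allow-listed host shop.example and the length cap are assumptions chosen for illustration.

```javascript
// Added example: names, hosts and limits below are assumptions, not eBay's code.
const ALLOWED_HOSTS = new Set(["shop.example"]); // hypothetical allow-list
const MAX_URL_LENGTH = 2048;                      // assumed length cap

// Vulnerable pattern described above: the parameter value is placed into
// the page without any check or encoding.
function renderRedirectUnsafe(urlParam) {
  return `<a id="continue" href="${urlParam}">Continue</a>`;
}

// Output encoding for HTML text and quoted attribute contexts.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Validation: length cap, then parse, then allow-list scheme and host.
// Returns the normalized URL string, or null if the value is rejected.
function validateRedirect(urlParam) {
  if (typeof urlParam !== "string" || urlParam.length > MAX_URL_LENGTH) return null;
  let parsed;
  try {
    parsed = new URL(urlParam);
  } catch {
    return null; // relative or malformed values are rejected
  }
  if (parsed.protocol !== "https:") return null;        // rejects javascript:, data:, http:
  if (!ALLOWED_HOSTS.has(parsed.hostname)) return null; // exact host match only
  if (parsed.username || parsed.password) return null;  // no credentials in the URL
  return parsed.href;
}

// Hardened rendering: validate first, encode on output, fall back to "/".
function renderRedirectSafe(urlParam) {
  const target = validateRedirect(urlParam) ?? "/";
  return `<a id="continue" href="${escapeHtml(target)}">Continue</a>`;
}

// Constructed sample inputs.
const SAMPLES = [
  "https://shop.example/item?id=42&ref=home",
  "javascript:alert(1)",
  '"><script>alert(1)</script>',
  "https://shop.example.evil.test/",
];
for (const s of SAMPLES) console.log(JSON.stringify(s), "->", renderRedirectSafe(s));
```

Validation and output encoding are both applied because each covers a gap the other leaves: the allow-list rejects script-bearing schemes that encoding alone would pass through, and encoding keeps an accepted URL from breaking out of the attribute.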