Web pages are composed of a variety of different types of content. HTML is the skeleton of the webpage, defining the text and the page’s overall structure. CSS acts as the skin, allowing the web developer to control how the web page looks. Finally, a web page can include scripts, which enable animation and user interaction. While it is possible to exploit the other parts of web pages, the script contained within a web page is the most dangerous. Since the script is executable code, legitimate scripts may contain exploitable vulnerabilities, and attacker-generated scripts can allow malicious code to be run within a user’s browser.
One threat to website security associated with the inclusion of scripts within web pages is cross-site scripting (XSS). A cross-site scripting attack occurs when an attacker manages to get their malicious code embedded in a web page and executed within a user’s browser.
Google recently fixed an XSS vulnerability in Gmail, reported to them by an ethical hacker, that the internal security team described as “awesome”. This vulnerability was in AMP4Email, which enables dynamic email and has since been patched, enabling the discoverer to publish the details.
A Quick Introduction to XSS
The rules governing how web pages are put together give developers a few options regarding how they organize the code that creates their page. One option is to have separate files for each type of code or even multiple files per type. In this case, the main HTML page will import the content of associated CSS and script files. This is a great choice when the same style sheet (CSS) file may be applied across the organization’s web presence.
The other option is to embed all of the page’s content in the same file. This is possible because the HTML standard includes tags for indicating that a chunk of content should be interpreted as CSS or as code in one of the available scripting languages. Cross-site scripting attacks take advantage of this ability to mix different types of content within a webpage. It is not uncommon for pages to display user-provided content, whether in a “Hello Name” header near the top of the page or in user comments.
This user-controlled data is embedded within the HTML code of the webpage, which creates an opportunity for an attacker. If they can cause part of their input to be interpreted as script code, for example by getting it placed inside the appropriate HTML tags, the page will run that code when it loads.
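The “Hello Name” header described above, rendered both the vulnerable way and the hardened way, as an added example that is not code from the article. The function names, the sample input and the hypothetical profile-link template are constructed for illustration; it runs under Node.js with no dependencies.

```javascript
// Added example (not from the article): the "Hello Name" header from the text,
// rendered two ways. Node.js, no dependencies; all inputs are constructed.

// Escape the five characters that let data break out of an HTML text node or a
// double-quoted attribute value. The output is safe ONLY in those two contexts.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Vulnerable: user-controlled data is concatenated straight into the markup,
// so whatever the user typed is parsed as HTML, tags and scripts included.
function renderGreetingUnsafe(name) {
  return `<h1 class="greet">Hello ${name}</h1>`;
}

// Hardened: the same markup, with the data encoded for the text-node context.
function renderGreetingSafe(name) {
  return `<h1 class="greet">Hello ${escapeHtml(name)}</h1>`;
}

// Attribute context (hypothetical profile link): escaping alone is not enough
// for a URL attribute; the value is also restricted to http/https.
function renderProfileLink(url, label) {
  let safeUrl = "#";
  try {
    const u = new URL(url);
    if (u.protocol === "http:" || u.protocol === "https:") safeUrl = u.href;
  } catch (_) { /* not a parseable URL: fall back to a harmless href */ }
  return `<a href="${escapeHtml(safeUrl)}">${escapeHtml(label)}</a>`;
}

// Simple check for a test suite: does the rendered HTML contain a <script>
// tag that the template itself never emits?
function containsScriptTag(html) {
  return /<\s*script\b/i.test(html);
}

// Constructed sample input standing in for a display name or comment.
const sample = "<script>/*constructed*/</script>Alice";
console.log(containsScriptTag(renderGreetingUnsafe(sample))); // true
console.log(containsScriptTag(renderGreetingSafe(sample)));   // false
```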
Cybercriminals take advantage of XSS attacks in a variety of different ways. Many payment card skimmers (like Magecart) are implemented as XSS attacks, where the attacker gets their code embedded on a legitimate page in some way. Other attacks may use phishing emails with URLs containing script code that a vulnerable site will embed in the page before presenting it to the user.
The Gmail XSS Vulnerability
Google recently fixed an XSS vulnerability in Gmail. The vulnerability was in AMP4Email, which is designed to enable dynamic content in the email. The
This article was written by Editorial Staff and originally published on WPArena.