Sandeep Singh
Director, Technical Services
Vulnerability Management

How a Cross-Site Scripting Vulnerability Led to Account Takeover

Ethical hacker finding XSS vulnerabilities

Cross-site scripting (XSS) is the perfect storm of vulnerabilities. It’s a web vulnerability, which means it’s found throughout one of the most common technologies. It’s very easy to introduce. It can have severe impacts for organizations. And yet, despite the known repercussions, it’s incredibly common. Fortunately, with the right solution in place, it’s also very easy to identify.

According to HackerOne’s 7th Annual Hacker Powered Security Report, XSS is the number one most common vulnerability for bug bounty and number two for pentesting. Combining the three most common types of XSS, it makes up 18% of all vulnerability types discovered on the HackerOne platform.

Despite its ubiquity as a low-hanging fruit, XSS can have significant impacts on an organization, including the release of confidential user information, the supplying of misinformation to misdirect user behavior, and negative reputational damage.

Let’s look more closely at XSS — what it is, how it’s used, and how to remediate it.

What Is Cross-Site Scripting (XSS)?

Cross-site scripting (XSS) is a web security vulnerability that allows an attacker to inject malicious client-side scripts into web pages viewed by other users. An attacker can bypass access controls and impersonate users. An XSS vulnerability allows an attacker to steal session cookies, log keystrokes, extract confidential data displayed on the vulnerable site, and perform other malicious actions on end-user systems.

There are three main types: reflected, stored, and DOM-based XSS. The key differences between these three types of XSS are:

  • Reflected XSS happens when unsanitized user-supplied input is relayed back from the server but doesn't get stored on the server
  • Stored XSS occurs when user-provided data is stored on server-side without sanitization and retrieved unsafely
  • DOM-based XSS occurs when malicious user input gets processed solely on the browser before returning back to the user, without reaching the server

Common root causes for XSS attacks include:

  • Unvalidated user input that is displayed back to users
  • Improper encoding of output
  • Outdated browsers and plugins that fail to filter malicious scripts

Preventative controls can vary based on the exact use case, but here are some good places to start:

  • Input validation and output encoding
  • XSS protection software frameworks and libraries
  • Content Security Policy headers
  • Patching vulnerable web applications
  • User education against phishing.

What Industries Are Impacted By Cross-site Scripting?

XSS does not discriminate by industry. However, it is more prominent in some industries than others. The chart below illustrates the top vulnerabilities across the HackerOne platform by industry. Reflected XSS only makes up 4% of vulnerabilities identified in the Cryptocurrency and Blockchain space, yet it makes up a massive 19% in the Automotive industry. Crypto and blockchain organizations are newer, meaning they don’t use susceptible legacy software, and are technical at their core. Automotive organizations, on the other hand, aren’t primarily tech-focused, so they see more low-hanging fruit vulnerabilities that have yet to be identified and remediated by their internal security teams.

Take a look at how much of your vulnerabilities are XSS in comparison to the average for your industry.

Chart displaying how different industries are impacted by different vulnerability types


A Real-world Example of a Cross-site Scripting Vulnerability 

HackerOne’s Hacktivity resource showcases disclosed vulnerabilities on the HackerOne Platform. Check it out to see how specific weaknesses have been identified and fixed. The following cross-site scripting example demonstrates how a hacker discovered a vulnerability in yelp.com that could allow persistent cross-site scripting and account takeover. 

Customer: Yelp
Vulnerability: Reflected XSS
Severity: High

Summary

A member of HackerOne’s community discovered a vulnerability in yelp.com that could allow persistent cross-site scripting and account takeover. Reflected XSS was possible by manipulating an unescaped cookie value. This could be combined with a cookie parsing issue to set a persistent cross-site scripting payload. 

Screenshot summarizing the Yelp XSS vulnerability


Impact

The hacker, @lil_endian, demonstrated the possibility of complete compromise of business accounts and account takeovers of normal accounts on yelp.com. They simulated stealing login credentials on the biz.yelp.com login page using a keylogger and linking an external account to take over a victim's profile. The vulnerabilities impacted account security and could enable unauthorized access to user data, putting Yelp and its user’s data at a high risk of exploitation.

Remediation

To remediate, the code should validate and sanitize any user input before using it. Along with the Yelp team resolving the code, the hacker also recommended removing the ability to set the cookie via a query parameter also mitigates this attack vector. 

Reward

The hacker received a $6,000 bounty and gratitude from the Yelp team for helping them avoid an incident. 

“Thanks for helping keep our users safe! We hope you keep banging away on the Yelps, we'd love to see what else you find.”

Screenshot showing Yelp's gratitude to the hacker


Secure Your Organization From Cross-site Scripting With HackerOne

This is only one example of the pervasiveness and impact severity of an XSS vulnerability. HackerOne and our community of ethical hackers are the best equipped to help organizations identify and remediate XSS and other vulnerabilities, whether through bug bounty, Pentest as a Service (PTaaS), Code Security Audit, or other solutions by considering the attacker's mindset on discovering a vulnerability.

Download the 7th Annual Hacker Powered Security Report to learn more about the impact of the top 10 HackerOne vulnerabilities, or contact HackerOne to get started taking on XSS at your organization.