How Web Applications Work (What Makes XSS Vulnerabilities Possible)
Web applications have become a part of our lives and play a key role in our everyday use of the Internet. We shop online, bank online, and do almost everything else online as well. This exposes the applications to risk from malicious users, and it also exposes the people who use those applications. For these reasons, it is extremely important to understand the risks and protect applications from such attacks. This article provides an introduction to how web applications work and how Cross Site Scripting (XSS) vulnerabilities get introduced into web applications.
Web Application Architecture
Most dynamic web applications primarily consist of three components as shown below.
The following figure shows a simple dynamic web application architecture with Login workflow.
Following is a brief description of these three components.
Server: The server component processes the requests received from the client. It can be a web server or an app server. If it is a web server, it serves web pages in response to client requests. In some cases, application servers are involved in this chain to process the client requests; the web server then simply forwards the requests to the application server. Just like the client side, there are several technologies used on the server side too. Apache, Nginx and IIS are some examples of popular web servers. Apache Tomcat, Oracle WebLogic and JBoss are some examples of app servers. Programming languages used to write server-side programs include PHP, ASP, C#, Java and Python.
Database: The database is the storage backend, used to save and retrieve data. MySQL, Oracle, MSSQL and PostgreSQL are some examples of commonly used relational databases. NoSQL databases such as MongoDB or CouchDB may also be used.
Let us consider the following innocent-looking code snippet located within an HTML page on the client side.
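// The search term is read straight from the URL and written into the page as HTML, with no validation.
var myurl = document.URL;
document.getElementById('srch').innerHTML = "You've searched for " + unescape(myurl.substr(myurl.indexOf("?search=") + 8));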
When a web application receives input from users and inserts it into client-side code without properly validating it, the result is a Cross Site Scripting vulnerability. Let us consider the following feature of a shopping cart application, where a user can search for products.
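The snippet above next to a hardened form, as an added example that is not part of the original article. The shop URL, the function names and the sample value (harmless bold markup) are constructed for illustration.

```javascript
// Constructed sample URL: the search value carries percent-encoded HTML markup.
const SAMPLE_URL =
  "https://shop.example/products?search=%3Cb%3Eshoes%3C%2Fb%3E";

// The string the article's snippet assigns to innerHTML: the decoded URL
// tail is concatenated into markup unchanged, so the browser parses it.
function unsafeMarkup(url) {
  const tail = url.substr(url.indexOf("?search=") + 8);
  return "You've searched for " + unescape(tail);
}

// Read the parameter with the URL parser instead of string offsets.
// A missing parameter yields "" rather than an arbitrary slice of the URL.
function searchTerm(url) {
  return new URL(url).searchParams.get("search") || "";
}

// Encode the characters that are significant in HTML text and attributes.
function escapeHtml(text) {
  const map = {
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  };
  return text.replace(/[&<>"']/g, (c) => map[c]);
}

// String form for code paths that must build HTML: the value is encoded
// for the HTML context before it is concatenated.
function safeMarkup(url) {
  return "You've searched for " + escapeHtml(searchTerm(url));
}

// Preferred browser form: textContent stores its value as text and never
// parses it as HTML, so no encoding step can be forgotten.
function showSearch(doc, url) {
  doc.getElementById("srch").textContent =
    "You've searched for " + searchTerm(url);
}
```

In a page, `showSearch(document, document.URL)` replaces the original two lines; `escapeHtml` covers HTML text and quoted attribute values only, not script or URL contexts.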
Cross Site Scripting vulnerabilities are broadly categorized into 3 types as shown below.
- Reflected Cross Site Scripting
- Stored Cross Site Scripting
- DOM based Cross Site Scripting
In this article, we have discussed web application architecture and given an introduction to XSS vulnerabilities. Client Side Injection vulnerabilities can be very dangerous and should not be underestimated. They pose great risk to applications as well as users. In the next few articles, we will discuss more cross site scripting related concepts such as their causes, exploitation techniques and mitigations.