Cyber security has become an essential part of the digital world due to the rise in malicious attackers. It ensures the protection of data and systems from cyber attacks such as Denial of Service attacks, ransomware attacks, virus attacks, etc. These attacks are made possible by finding vulnerabilities in a system, a network, or a piece of software. Different types of vulnerabilities can be found in any software or system if proper security measures were not taken, so we will compare the two most common vulnerabilities, XSS and SQL Injection, to understand the problem and their mitigation.
What is Cross-site Scripting (XSS)?
XSS (Cross-site Scripting) can be understood as a web vulnerability that allows attackers to insert malicious JavaScript code into the web pages of a vulnerable website. Once the client-side scripts are injected, the attacker can perform many unethical tasks such as stealing cookies, changing default settings, showing different types of popups, etc. With an XSS attack, an attacker can change the content of the website to defame it or redirect users to other websites.
Mitigation Techniques
- Each and every developer must be aware of XSS attacks, and proper training should be given before development work begins.
- Only allow input from trusted users, and set permissions for any external input supplied through HTML.
- Use escaping libraries when handling user input, such as CSS escape, URL escape, HTML escape, etc., matching the context in which the input is rendered.
- To prevent cookie stealing, set the HttpOnly flag on cookies.
- Use a security scanner on a regular basis to check for any new vulnerabilities.
What is SQL Injection?
SQL Injection can be understood as an attack technique that uses SQL statements to interact with the database and make it behave abnormally. SQL statements can be injected through various fields such as URLs, HTML form fields, cookies, etc. An attacker can insert malicious statements into the input fields of a login form to query the database; if the injection succeeds, it can result in the compromise of the complete database with all its sensitive information, such as usernames, passwords, etc.
Mitigation Techniques
- Sanitize user input using an extra layer and check it against common SQL syntax.
- Instead of free-form data input, use dropdowns or checklists for input and set a character limit on inputs.
- Use parameterized statements and stored procedures whenever possible.
- Scan and update applications at regular intervals.
- Always use a firewall, especially a web application firewall, to make websites and web applications less vulnerable.
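As an added example (not part of the original article), the following Python script shows two of the mitigations listed above: a parameterized statement beside the vulnerable string-built query from the SQL Injection list, and HTML escaping from the XSS list. The in-memory database, the sample user and the inputs are constructed for the demonstration.

```python
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory database with one sample user (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'hash-of-alice-password')")
    return conn


def find_user_vulnerable(username: str):
    """Anti-pattern: user input is pasted into the SQL text, so a quote
    in the input changes the structure of the statement."""
    query = f"SELECT username FROM users WHERE username = '{username}'"
    return make_db().execute(query).fetchone()


def find_user_parameterized(username: str):
    """Mitigation: a placeholder binds the input as a value; the database
    never parses it as SQL, so it matches only a user with that exact name."""
    query = "SELECT username FROM users WHERE username = ?"
    return make_db().execute(query, (username,)).fetchone()


def render_comment(comment: str) -> str:
    """XSS mitigation: HTML-escape untrusted text before placing it in the
    page body, so a <script> tag in the comment is displayed, not executed."""
    return f"<p>{html.escape(comment, quote=True)}</p>"


if __name__ == "__main__":
    # A constructed input containing a quote and an always-true condition.
    crafted = "' OR '1'='1"
    print("vulnerable:   ", find_user_vulnerable(crafted))      # ('alice',)
    print("parameterized:", find_user_parameterized(crafted))  # None
    print(render_comment("<script>alert(1)</script>"))
```

The same quote-bearing input returns a row from the string-built query but nothing from the parameterized one, which is exactly the difference the mitigation list is asking for.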
Following is a table of differences between XSS and SQL Injection:
Category | XSS | SQL Injection |
---|---|---|
Definition | It is a technique of injecting client-side scripts written in JavaScript into users’ browsers to compromise the website. | It is a code injection technique that uses SQL statements to query the database in an abnormal manner and obtain the information stored in it. |
Vulnerability Percentage | According to OWASP reports, around 65% of websites are vulnerable to XSS attacks. | According to Invicti Security reports, around 32% of government websites are vulnerable to SQL Injection. |
Practice Websites | Google XSS Game, alert(1) to win, prompt(1) to win, etc. are some websites to practice XSS attacks. | hacksplaining.com, portswigger.net, acunetix, etc. are common SQL injection practicing websites. |
Vulnerable Object | All input fields and URLs are vulnerable objects. | URLs interacting with the database, cookies storing data, input fields, etc. |
Language Used | It uses JavaScript to write scripts for attacking. | It uses Structured Query Language for compromising the database. |
First Attack | The first XSS attack happened in 1999, when attackers maliciously injected image tags. | The first SQL Injection attack was documented in 1998. |
Rating | It is the third most dangerous vulnerability. | It is the second most powerful vulnerability. |
Conclusion/Summary
From the above comparison, we found that both vulnerabilities pose a high risk if found in any website or web application. Either can lead to the compromise of users’ data along with sensitive information such as bank account or health information. Hence developers must have knowledge of these vulnerabilities and implement the techniques to mitigate the attacks.