Cross Site Scripting Prevention
How to Prevent XSS Attacks
TABLE OF CONTENT
- What is Cross-Site Scripting?
- How Does XSS Work?
- What is XXS Attack with Example
- DOM-based Cross-Site Scripting
- Reflected Cross-Site Scripting
- Stored Cross-Site Scripting
- Cross Site Scripting Vulnerabilities
- How to Prevent Cross-Site Scripting
- XSS Prevention Tactic 1 – Escaping
- Input Validation
- Tips for Mitigating XSS
- Mitigating XSS Risks from An Organizational Perspective
- Mitigating XSS Risks from A Developer Perspective
- Mitigating XSS Risks from A User Perspective
- Cross-Site Scripting Vs. Cross-Site Request Forgery (XSS / XSRF)
- Cross-Site Scripting Summary
Also referred to as XSS, cross-site scripting is a code injection attack on the client-side. When an XSS attack occurs, the intruder will execute malicious scripts or a malicious payload into what is otherwise seen as a legitimate web application or website.
A cross-site scripting attack is considered to be one of the most raging of web application vulnerabilities. An XSS attack takes place when a particular web application uses either an unencoded or unvalidated user input within the generated output.
By using cross-site scripting, there is no individual that is directly being targeted. Instead, the XSS injection will seek to exploit a web application or website vulnerability. This site will then become the host and any victim that visits the site or app will have malicious scripts delivered to their browser.
— technicalahmer (@technicalahmer) November 5, 2018
In a nutshell, this is how an XSS attack works. XSS vulnerabilities leave application and website owners open to a cross-site scripting attack that impacts their customers, suppliers, and anyone who may potentially access their website or web application.
When we talk about application vulnerabilities, there is a range of categories of vulnerabilities that we encounter. Some of these are quite common and allow for only a very limited amount of damage should the XSS vulnerability be exploited. However, in some instances, the impact of an XSS attack can have significant and lasting damage on the organization that falls victim to the XSS attack. With a cross-site scripting attack, the worst-case scenario is that not only is this becoming a more common type of attack, it also has the distinct ability to be considered exceptionally damaging, in terms of the impact it can have. For many XSS attacks that are carried out by the right attacker at the right time.
Some of the largest applications across the globe have not been able to prevent an XSS attack. Names such as Google, Facebook, and PayPal have all fallen victim at one point or another in their past.
The OWASP Top Ten List has consistently featured XSS vulnerabilities. One of the reasons for this is down to the fact that when an XSS exploitation occurs, the attacker is then given the ability to take any action that the ‘normal’ user can do. This may include viewing account or financial information, payment information, passwords and more.
A cross-site scripting attack has two victims. The individual user and the application owner. The most worrying element of an XSS attack is that in most cases, neither party are aware that a cross-site scripting attack has occurred.
Essentially, a cross-site scripting attack fools the web application or the website into transmitting a type of script via the browser that is malicious. The browser believes that the request is authentic and that it is coming from a trusted website. On every occasion that an individual user accesses the page that is impacted, their web browser will then download and execute the malicious script. It is important to note that the user will simply see their ‘normal’ webpage appearing and to them, nothing appears wrong.
Preventing XSS attacks is difficult because there are many vectors where an XSS attack by used in multiple apps and websites. When compared with other types of attacks, such as an OS Command Injection or an SQL Injection, a cross-site scripting attack will typically only impact the users of the website, which in essence, can make them more challenging to catch and even tougher to correct and fix.
At present, there is no singular strategy or standard to help organizations prevent a cross-site scripting attack.
There are three different types of cross-site scripting attacks. These are DOM-based, Reflected, and Stored. However, with the latest XSS attacks, there is a blending of these methods in order to achieve a range of malicious impacts.
DOM-based Cross-Site Scripting
This particular type of XSS attack takes place when an attack payload is executed by changing the DOM (Document Object Model). This then enables API access to the XML and HTML content of the page. With DOM-based XSS attacks, they operate differently to reflected and stored cross-site scripting attacks because the client-side script is what is actually responsible for the incorrect sanitizing of the input, rather than the server itself.
This type of XSS attack is also typically referred to as a non-persistent cross-site scripting attack. Typically, the attacker will locate a website with an input field that is vulnerable and prime to target. Normally, search, and login fields are ideal targets for this type of XSS attack. Once they have located the field, they will then create a URL that appears to come from the site. However, due to the fact that the attack is not stored, the attackers who use this method will then spread this legitimate looking URL via message boards, email, social networks and more.
This type of XSS attack is also typically referred to as a persistent cross-site scripting attack. This XSS attack will normally take place when a website or web application stored a malicious user input on a server, that then serves it back to future users without it being validated. In this type of cross-site scripting attack, the goal of the hacker is theft of data and cookies. Due to the fact that stored XSS vulnerabilities are more difficult to detect, this means that reflected cross-site scripting attacks are considered to be the most prevalent type.
Cross-site scripting attacks are considered to be the most widespread security challenge to date.
- Practice Hacking
- Network Security Engineer
- SSAE 16
- PCI Compliance
- SOC 2 Reports
- HIPAA Compliance
- API Scanner
- What is Social media Security?
- Social Media Security Tips
For many individuals and organizations alike, the development of client-server applications needs to always work on the assumption that untrusted clients could be controlled by attackers. Steps should always be taken to bridge any security flaws or gaps that would potentially allow for an untrusted input.
A cross-site scripting vulnerability can take any of the below forms:
- The theft of client data
- The theft of cookie and browser information
- The theft of personally identifiable information such as usernames, passwords, and credit card information.
- Undertaking actions on the browser of the victim while mimicking the legitimate website
- Redirection of the victim to a pre-determined site which would potentially still appear to be the legitimate site.
- The hijacking of accounts
- Installation of a cross-site scripting proxy, enabling the hacker to view and redirect user actions
- Undermining cross-site request forgery defenses
- Key-logging activities
Stopping XSS attacks is not straightforward. However, there are a few key practices you can undertake which will help you to prevent XSS and keep rogue XSS scripting out of your web applications.
The first way to can prevent cross-site scripting vulnerabilities in applications is by escaping the user input. Escaping information essentially means that you can take the information that an application has received and ensure that it is secure before rendering it to the user.
This method of escaping user input, specific characters within the information that is received by a web page is then prevented from undergoing any form of interpretation maliciously. Simply put, you are adding in an extra layer of censorship to the information that is received on your web pages. This is carried out in such a way that certain characters, such as ‘<’ & ‘>’ are not allowed to be rendered, which could otherwise cause damage to the users and/or the application.
You will need to select carefully which HTML entities you will choose to escape, and those which you will not. It is also possible in some cases to use a raw HTML replacement format such as Markdown. Doing so will enable you to continually escape all HTML.
Another method of prevention for XSS attacks is the sanitation of the user input. This is considered to be a very strong defense. However, it should not be used in isolation to stop a cross-site scripting attack. The sanitation of user input is particularly useful on websites or web application which enable the markup of HTML. This ensures that any information that is received is unable to cause harm to your database as well as other users. Essentially, by completely scrubbing the information of any markup that could be considered as harmful, and altering the format from unacceptable to acceptable.
If you proceed on the basis that any data which is untrusted should be considered as malicious, this is another way in which you can help to prevent XSS attacks. Essentially, any data that originates externally is information that you do not have complete control over. This could be data from cookies, information from web services, query strings, form information, and more.
Validating Input is specifically a process of making sure that an application is rendering the right information and also preventing any malicious information from causing damage to the users, the database, the web application or the website.
Input validation and white-listing are both typically associated with SQL injections. However, they are also able to be deployed as an effective way to prevent an XSS attack. By disallowing specific characters in the user input or blacklisting will only handle disallowing what are considered to be bad characters, white-listing will only permit characters which are known to be good and is regarded as a far better method of prevention for XSS attacks.
Because it stops users from adding special characters into the fields, input validation is particularly good for the prevention of XSS attacks. However, input validation is not to be used as a standalone or primary prevention tool for XSS alone. However, when combined with other methods, such as those listed in this guide to cross-site prevention, it can significantly help an organizations ability to protect itself, its systems, and its users from XSS attacks.
In the previous section, we talk about some of the most effective ways to prevent a cross-site scripting attack. In this part of the article, we provide some practical tips for organizations, developers, and users to follow in order to prevent them from having to experience the impact of an XSS attack.
What To Do
- Use both white and black-box testing, include a SAST solution
- Deliver continuous application security training and updates for your developers
- Implementation of a highly-secure SDLC process
What Not To Do
- Do not leave it to WAF to detect and prevent cross-site scripting attacks
- Do not forget or neglect the regular measuring, analyzing, and adaptation of any organizational application security processes
What To Do
- Escape any user-submitted outputs
- Fully validate any user-submitted inputs
- Use an Encoder Library. Microsoft AntiXSS is just one example; there are others available
- White-list all inputs and only accept excepted characters
What Not To Do
- Do not ignore any problems whereby an input via an HTTP request could find a way to the output
- Never store any passwords as cookies
What To Do
- Always deploy common sense when browsing online. Take care to only visit genuine sites.
- Make sure you are extra vigilant when it comes to links in emails from people you do not know.
- If you receive an email from a trusted organization that is unprompted or out of character, always be careful to use another form of contact by return, in order to check the validity of their communication. Call them, email them or visit their website in the normal way; Don’t click the link in the email.
What Not To Do
- Be careful of which sites you visit. If any site claims to make an outstanding or unrealistic claim, or you are not familiar with a site, do not visit it.
If you want to learn about XSRF, you can take a look at one of our previous blogs, where we have compiled a comprehensive guide to cross-site request forgery.
Using a range of different security layers, such as those outlined in the cross-site scripting prevention section of this post is a great way to control XSS attack opportunities within your web applications or on your website. However, it is important to remember that while the ways we have outlined to stop cross-site scripting attacks will currently cover the majority of XSS attack vectors, they will never cover everything.
In order to find the ultimate way of preventing cross-site scripting attacks, along with many other dynamic vulnerabilities, it is also wise to deploy a blend of automated static testing and code review functions, especially during the development and testing once your web application has gone live.