As far as application vulnerabilities are concerned, you will encounter several categories. Some of these vulnerabilities are very common and cause little to no damage if an attacker discovers and exploits them. On the other hand, there are some that are very rare but could inflict lasting and major effects on the organization behind the application that was attacked. And then, there’s the third deadly and common category, known as Cross-Site Scripting, or simply XSS. XSS is among the most common application vulnerabilities that can cause serious damages given the right attacker and the right time.
XSS vulnerabilities have become very common that they even affected applications as popular and big as Facebook, PayPal, and Google. XSS is even a mainstay of the Top 10 list of OWASP ever since its inception.
How the attack happens
XSS vulnerabilities can be very dangerous since an attacker that exploits an XSS attack could have the ability of doing everything a user can do, and seeing everything a user sees, which include financial and payment information, passwords, and so much. The worse thing is that victims, including the vulnerable application and the user, are not even aware of the attack.
Basically, an XSS attack tricks an application to send malicious script using the browser which assumes that the script comes from a trusted website. Every time the end user gets access to the affected page, the browser will then download then run the malicious script like it was a part of the page. In most XSS attacks, attackers try hijacking the session of the user through stealing the session tokens and cookies, or they can also use the chance to spread malicious JavaScript and malware.
Types of XSS attacks
It can be difficult to prevent XSS vulnerabilities mainly because there are a lot of vectors in which XSS attacks could be used in majority of applications. Aside from that, XSS can only affect the website user which makes them harder to catch, and definitely more difficult to fix. Not like SQL injection that you can eliminate with the right use of the prepared statements, there is no single strategy or standard to prevent cross-site scripting attacks.
Cross-site scripting attacks come in two primary forms. The first one is persistent or stored XSS which happens when the malicious script has been injected directly to vulnerable application. The second one is reflected XSS that involves reflecting the malicious script to the link on the page that activates the attack the moment the link is clicked.
Top 3 Ways to Prevent Cross-site Scripting (XSS) Attacks
Now that you have some basic ideas about cross-site scripting or XSS attacks, as well as the damages that they can cause on your application, the next thing you should do is to know the best ways to prevent these attacks in the first place.
-
Validating input
Any un-trusted data can be considered as malicious. Un-trusted data is something that comes from outside your system and something that you cannot control. These can include form data, data from other systems, other request headers, cookies, and anything you are unsure not to contain dangerous things.
Validating input is basically the process to ensure an application will render the right data and prevent malicious data from doing any harm to the users, database, and site. While input validation and whitelisting are typically associated with the SQL injection, they can be used as an extra method for XSS prevention.
Whereas disallowing particular predetermined characters in user input or blacklisting, it disables only known bad characters and whitelisting allows good characters that are known. It is also a better technique to prevent XSS attacks and others.
Input validation is not just good, but also helpful in preventing XSS in forms because it prevents the users from adding some characters in the fields rather than refusing requests. Nevertheless, as OWASP maintains, the input validation isn’t a primary prevention technique for the vulnerabilities including SQL and XSS injection, but rather helps to minimize the effects that an attacker discovers like vulnerability.
-
Escaping data
Another way to prevent some XSS vulnerabilities from happening in your application is through escaping user input. Data escaping basically means taking the data that an application has received and ensure it is secure before rendering it for end users.
Through escaping user input, the key characters in received data by web pages will be avoided from being interpreted maliciously. In essence, you are censoring data that your web page gets in a way that’ll disable the characters particular > and < characters from being rendered that otherwise might cause harm to users and application.
If your page does not enable users to add their own codes to the page, the golden rule is to escape any and every entity of JavaScript, URL, and HTML. But, if the web page does enable users to add rich text including post comments or on forums, you have several choices. You will have to choose which HTML entity will escape and which you will not or through using replacement format for the raw HTML including Markdown that will enable you to continue escaping HTML.
-
Sanitizing data
It is another way to prevent some XSS attacks. It’s a strong defense, but sanitizing data must not be used alone when battling with XSS attacks. It is possible that you will find the need to use 3 prevention methods in working towards a much secure application. Sanitizing data is helpful on sites that enable HTML markup to make sure that the received data would do no harm to the users and your database through scrubbing data clean from any harmful markup, which changes unacceptable user input to acceptable format.
The Bottom Line
While using the security layers like the ones mentioned above, it’s a good way to prevent most XSS attacks, it is essential to note that while those prevention methods would cover most of the XSS attack vectors, they will not cover everything. For you to be vigilant against the XSS and some debilitating and common vulnerabilities, it is crucial to use a combination of automatic static testing, code review, and dynamic testing if the app is live. Aside from that, you must use secure coding practices that would help you prevent vulnerabilities including XSS.
For the end, let’s look at the video from Surety Security Team about preventing XSS Scripting:
We hope you’ve enjoyed reading our article and hopefully learn something new and useful 🙂
Don’t forget to like and share our content!