How to avoid Cross-Site Scripting (XSS) vulnerability in web development
Cross-site scripting is ranked 3rd in the OWASP Top 10 list of vulnerabilities for 2017. It is one of the most rampant injection attacks faced by web applications across businesses, which is why knowing the causes of XSS, its impact and its prevention is a must.
What is Cross-site Scripting?
Cross-site scripting attacks are a type of injection in which malicious scripts are injected into otherwise trusted web applications. The attack happens when an attacker uses a web application to deliver malicious code, often in the form of a browser-side script, to another end user. The flaws that allow these attacks to succeed are widespread: they occur wherever a website takes input from a user and includes it in the output it generates without validating or encoding it.
An attacker uses XSS to send a malicious script to the victim. The end user's browser has no way to judge the trustworthiness of the script: it appears to come from a trusted source, so the browser executes it. The malicious script can then access any sensitive information the browser retains for that site, such as session IDs, tokens and cookies. Such scripts can even rewrite the content of the HTML page.
Types of XSS
Cross-site scripting has three types.
Reflected XSS: An attacker sends a link to the target application through social media or email. The link contains an embedded script, which is executed when the victim visits it.
Stored XSS: An attacker is able to plant a persistent script in the target website, which executes whenever anyone visits the affected page.
DOM-based XSS: No additional HTTP request is needed. The script is injected into the target site within the victim's browser by modifying the DOM, and it is then executed there.
Here are some findings from testing for XSS on a test web application.
- To protect your web application from XSS, you need to keep untrusted data separate from active browser content.
- Positive (whitelist) input validation is recommended, as it helps protect against XSS, but it cannot be considered a complete defence because many web applications require special characters in their input. Such validation should check the length, format, characters and business rules of the data before accepting the input.
- For rich content, use an auto-sanitization library, for example OWASP's AntiSamy.
- Use a Content Security Policy (CSP) to protect your web application against XSS.
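The following is an added example, not code from the original article, showing the three defences above in a small server-side template: an unencoded rendering beside one that entity-encodes untrusted data, a whitelist validator for a field with a known format, and a nonce-based CSP header value. The function names, the display-name format and the sample input are assumptions made for this illustration.

```javascript
// Entity-encode the characters that carry meaning in HTML text and attribute
// contexts, so untrusted input is displayed as data rather than parsed as markup.
function escapeHtml(input) {
  return String(input).replace(/[&<>"'`]/g, (ch) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;",
    '"': "&quot;", "'": "&#x27;", "`": "&#x60;",
  })[ch]);
}

// Vulnerable: the untrusted 'name' value is concatenated straight into the page,
// so any markup it contains becomes part of the DOM (the reflected XSS case).
function renderGreetingUnsafe(name) {
  return `<p>Hello, ${name}!</p>`;
}

// Hardened: the same template, but the untrusted value is encoded first, which
// keeps it separate from active browser content.
function renderGreetingSafe(name) {
  return `<p>Hello, ${escapeHtml(name)}!</p>`;
}

// Positive (whitelist) validation for a field with a known format: a display
// name of 1 to 32 letters, digits, spaces, dots or hyphens (assumed format).
// This is a defence-in-depth layer; output encoding is still required.
const DISPLAY_NAME = /^[A-Za-z0-9 .-]{1,32}$/;
function isValidDisplayName(name) {
  return DISPLAY_NAME.test(name);
}

// A restrictive Content-Security-Policy header value. Inline scripts run only
// if they carry the per-response nonce, so an injected script block would not
// execute even where encoding was missed. The nonce must be random per response.
function buildCsp(nonce) {
  return `default-src 'self'; script-src 'self' 'nonce-${nonce}'; ` +
         `object-src 'none'; base-uri 'none'`;
}

// Constructed sample input containing markup, as a tester might submit it.
const sample = 'Bob <script>x</script>';
console.log(renderGreetingUnsafe(sample)); // markup passes through unchanged
console.log(renderGreetingSafe(sample));   // markup is rendered as text
console.log(isValidDisplayName(sample));   // false: rejected by the whitelist
```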