XSS Attacks: Best Prevention

In this post, explore the best practices for Cross-site scripting (XSS) prevention, types of attacks in modern web applications, and address commonly asked questions.

What Is Cross-Site Scripting Prevention?

A Cross-site scripting attack involves the execution of malicious code on a victim’s browser. Typically, the challenges to prevent Cross-site scripting (XSS) vulnerabilities are complex, since attacks can be orchestrated at any point in a vulnerable web application. This article explores the best practices for Cross-site scripting prevention, types of attacks in modern web applications and addresses commonly asked questions.

Before we look at those areas, here is a quick introduction to how an XSS attack is orchestrated.

In an XSS attack, the threat actor crafts a malicious script that is routed to the user, then executed by the application browser. This is usually perpetrated by the attacker using input fields to send crafted HTML/JavaScript code to a website, which gets interpreted by modern browsers of the victim. The web application includes the executed script as part of its response as if it is legitimate. As soon as this happens, the attacker has full access to all resources available for the current session, including cookies, local storage, form values, etc. In addition, the malicious user may also have complete control over the victim’s machine.

Benefits of Preventing XSS Vulnerabilities

If not detected and fixed on time, Cross-site scripting vulnerabilities can facilitate attacks detrimental to the organization. Through XSS attacks, threat actors can easily compromise how websites present content to users. Additionally, attackers can leverage XSS vulnerabilities to seize accounts, exploit user credentials, identity theft, impersonate users and escalate privileges. Other malicious actions they can undertake include uploading malware, phishing attacks, exposure of sensitive data, and orchestration of full-blown attacks.

How To Prevent XSS Attacks

Since its discovery in the late 1990s, XSS vulnerability has been considered a common attack vector widely exploited by attackers. Since there are several identified gaps in the sanitization of user input, security professionals often focus on fixing cross-site scripting vulnerabilities based on two factors:

1. Type of XSS attack carried out,
and,

2. Programming language used to develop the application.
While considering the factors, security professionals categorize XSS attacks as:
Reflected attack
Stored attack
DOM-based attack

Reflected XSS Attacks

The simplest type of XSS attack is where the application immediately processes and returns unsanitized user input in a search result, error message, or other HTTP responses. The application logic returns an unsafe input as part of the response without rendering it safely or storing data generated by users. In most reflected XSS attacks, the data provided by users never even leaves the browser.

Stored XSS Attacks

This is a persistent form of XSS that relies on the application persisting user input on the target server. Unsuspecting users then retrieve this data from the application without any sanitization or validation. Modern applications that use HTML5 allow attackers to store the malicious payload permanently on the browser, typically using HTML databases.

DOM Based XSS

The Document Object model is a platform-independent interface that defines a logical structure for accessing and manipulating documents in HTML and XML. Hackers orchestrate DOM-based XSS attacks by modifying the DOM environment on the browser so that client-side code is executed in an unsafe manner.

DOM-based vulnerabilities are advanced and challenging to fix since malicious client-side scripts do not go to the server. This makes it difficult for automatic vulnerability scanners and a Web Application Firewall to detect them since they don’t leave traces on the server logs.

Strategies for preventing XSS attacks also depend on the platform/programming language used. In the sections to follow, we will explore how to prevent XSS attacks on the following application types:

Prevent XSS in PHP

Prevent XSS in Javascript

Prevent XSS in JQuery

Preventing XSS in PHP

If a PHP application accepts HTML or JavaScript input, the web client executes remote scripts while rendering content. For instance, if the client-side includes a JavaScript file:

// http://example.com/darwin.js
("I'm executing");

And, the application directly processes a string that is parsed into it:

<?php

echo '<div>' . $_GET['input'] . '</div>';

If the GET parameter contains

<script src=”http://example.com/runme.js”> and is not sanitized, then the PHP’s script output will run the command of the darwin.js script:

<div><script >

<textarea></textarea>

function sanitizeHtml(html) {

var temp = $("<div></div>").html(window.DOMPurify.sanitize(html));

return temp.html() || "\ufeff";

}

$("#editor").kendoEditor({

tools: [

"viewHtml"

deserialization: {

custom: function(html) {

return sanitizeHtml(html);

}

serialization: {

custom: function(html) {

return sanitizeHtml(html);

}

});

var editor = $("#editor").getKendoEditor();

editor.value('<object data="PHNjcmlwdD5hbGVydCgic2VjdGVzdCIpPC9zY3JpcHQ+"></object>');

console.log(editor.value());

Risk Levels of XSS Vulnerabilities

XSS vulnerabilities are the second most prevalent security flaw in modern applications and fall into the category of injections. They are, therefore, in the third position on the OWASP Top 10. XSS attack vectors have an exploitability factor of 3, meaning that even freely available, automated scanners can be used to detect and exploit them. The vulnerabilities also have a detectability score of 3 since they can be readily discovered, especially in mature technologies. Besides this, XSS vulnerabilities have a technical impact of 2, since reflected XSS attacks are moderate and stored XSS attacks are severe. The business impact of these attacks varies with the sensitivity of data and systems exposed.

Other XSS Prevention Measures

Some methods to prevent VSS vulnerabilities on a vulnerable application include:

Organization-Wide Awareness

The most significant threat vector for XSS attacks is the user input interface. Therefore, every user of an organization’s applications needs to understand the impact and severity of XSS attacks and avoid the pitfalls that lead to successful hacks. It is also important to disclose special characters and other methods that attackers can use to orchestrate their acts for company-wide preparedness.

User Input Validation

It is critical to ensure that user-supplied input is clean and valid. This is achieved by first using a safe transfer protocol such as HTTP or HTTPS. Developers should also set up filters to ensure that expected numeric inputs are integers. Finally, Whitelisting also ensures that the application only accepts valid characters.

Escaping/Encoding

All user data should be encoded before being committed onto a page. This involves converting non-whitelisted HTML values into entities. For example, in JavaScript, alphanumeric values are escaped using Unicode. In most applications, multiple layers of entity encoding are used to embed user input inside other functions safely.

Sanitize HTML Input

Developers should limit users from posting HTML markup whenever possible. When user input includes some HTML markup, developers should consist of functions for filtering and encoding. Another method involves using libraries that accept markdown content which is then converted to HTML on execution.

Content Security Policies (CSPs)

CSPs are considered the last resort of the XSS prevention tactic as they allow software professionals to restrict what an attacker can do once they gain control of the system. A CSP is deployed by including an HTTP response header named Content-Security-Policy and supplying a value containing the policy. The policy helps developers control various factors, such as inline script execution, object sources, and the loading of external scripts.

Frequently Asked Questions

How Do Attackers Use XSS Vulnerabilities?

Attackers insert malicious scripts through the web page using a hyperlink or a web form. Once the script is executed, attackers can hijack the session, steal sensitive data, or redirect users to malicious sites.

How Frequently Do XSS Attacks Occur?

XSS vulnerabilities are the second most prevalent issue for modern applications and are found in about two-thirds of websites. However, while attackers quickly discover these, security teams can also find them fast, reducing the frequency of attacks.

What Is the Difference Between Cross-Site Scripting and Cross-Site Request Forgery?

With XSS, the attacker uses an endpoint (browser) to send malicious content to be executed by the application. In CSRF, attackers rely on social engineering and other tactics to trick users into performing unintended actions.

How Crashtest Security Scanner Can Help You Prevent and Detect XSS Attacks Vulnerabilities

Crashtest Security Suite helps you detect threats such as XSS vulnerabilities by implementing a security vulnerability scanner that provides accurate reports and remediation advice. The continuous, automated vulnerability scanning process allows developers to save time and focus on work while it benchmarks the web app against OWASP top 10 to enhance security posture. In addition, the suite integrates with most existing development stacks and allows you to scan various web applications, JavaScript functions, and APIs in minutes.

ZippyOPS Provide consulting, implementation, and management services on DevOps, DevSecOps, Cloud, Automated Ops, Microservices, Infrastructure, and Security

Services offered by us: https://www.zippyops.com/services

Our Products: https://www.zippyops.com/products

Our Solutions: https://www.zippyops.com/solutions

For Demo, videos check out YouTube Playlist:

https://www.youtube.com/watch?v=4FYvPooN_Tg&list=PLCJ3JpanNyCfXlHahZhYgJH9-rV6ouPro

If this seems interesting, please email us at [email protected] for a call.

Relevant Blogs:

What is DevOps?

Docker build in pipeline

Terraform execution in pipeline

Zabbix Custom scripts