Cross Site Scripting (XSS)

What is cross-site scripting?
Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications.
XSS attacks enable attackers to inject client-side scripts into webpages viewed by other users. Attackers may use a cross-site scripting vulnerability to bypass access controls such as the same-origin policy. Cross-site scripting carried out on websites accounted for roughly 84% of all security vulnerabilities documented by Symantec up until 2007.

What are the types of cross-site scripting?
· Reflected XSS: This is the most basic type of web vulnerability. It shows up most commonly when data in HTTP query parameters is used immediately by server-side scripts to parse and display a page of results for the visitor. A classic example of a potentially vulnerable site is a search engine: if one searches for a string, the search string will typically be redisplayed verbatim on the results page to indicate what was searched for. If this response doesn’t properly escape or reject HTML control characters, a cross-site scripting flaw will ensue.
A reflected attack is typically delivered via email or a neutral website. The bait is an innocent-looking URL, pointing to a trusted site but containing the XSS vector. If the trusted site is vulnerable to the vector, clicking the link can cause the victim’s browser to execute the injected script.

· Stored XSS: This is a more complicated type of cross-site scripting vulnerability. It occurs when the data provided by the attacker is saved by the server and then permanently displayed on “normal” pages returned to other users in the course of regular browsing, without HTML escaping. An example of this is online message boards where users are allowed to post HTML-formatted messages for other users to read. Suppose there is a hotel reservation website where members look for the perfect hotel to book for their vacation, and for privacy reasons the site hides everybody’s real name and email. Suppose an attacker also visits this website and wants to discover the real names and emails of the visitors. To do so, the attacker writes a script designed to run in visitors’ web browsers when they visit the attacker’s profile. The script then sends a quick message to the attacker’s server, which collects this information.

How do I prevent my web application/site from having this vulnerability?

Context Encoding/Decoding: This is the primary defense mechanism that should be used to stop XSS attacks. There are several escaping methodologies that can be used depending on where the untrusted string needs to be placed within an HTML document including HTML entity encoding, JavaScript escaping, CSS escaping, and URL (or percent) encoding. Most web applications that do not need to accept rich data can use escaping to largely eliminate the risk of XSS attacks in a fairly straightforward manner.

Safely validating untrusted HTML input: Accept only certain characters in user input, to ensure that no XSS code is injected inside it.

Scripts: Content Security Policy (CSP) allows HTML documents to opt in to disabling some scripts while leaving others enabled. The browser checks each script against a policy before deciding whether to run it.
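
The context encoding described above, applied to the search-results page from the reflected XSS section: the term is first echoed verbatim, then encoded for each place it lands (HTML text, attribute, URL parameter, inline script). This is an added example, not code from the original post; the function names, the `/search` route and the sample input are assumptions constructed for illustration.

```javascript
// Added example (not from the original post): one encoder per output context.
// Function names, the /search route and the sample input are constructed.

// HTML text and quoted attributes: neutralise tag openers and quote characters.
const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ENTITIES[c]);
}

// JavaScript string inside an inline <script>: JSON.stringify adds the quotes and
// backslashes, then <, >, & and the U+2028/U+2029 line separators become \uXXXX
// so the value can never contain a literal "</script>".
function escapeJsString(s) {
  return JSON.stringify(String(s)).replace(/[<>&\u2028\u2029]/g,
    (c) => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// URL query parameter inside an href: percent-encode first, then HTML-escape,
// because encodeURIComponent leaves ' untouched and the URL sits in an attribute.
function escapeUrlParam(s) {
  return escapeHtml(encodeURIComponent(String(s)));
}

// Vulnerable: the search term is redisplayed verbatim.
function renderResultsUnsafe(q) {
  return `<p>Results for ${q}</p>`;
}

// Hardened: the same term, encoded for each place it lands.
function renderResultsSafe(q) {
  return [
    `<p>Results for ${escapeHtml(q)}</p>`,
    `<input name="q" value="${escapeHtml(q)}">`,
    `<a href="/search?q=${escapeUrlParam(q)}&amp;page=2">Next</a>`,
    `<script>var lastQuery = ${escapeJsString(q)};</script>`,
  ].join('\n');
}

// Constructed sample input: a search term carrying markup.
const sample = `"><script>alert(1)</script>`;
console.log(renderResultsUnsafe(sample));
console.log(renderResultsSafe(sample));
```

Using the HTML encoder inside the `<script>` block, or the JavaScript encoder inside an attribute, would not be safe: each encoder only holds for the context it was written for.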


About Author
Hisham Elreedy is a Digital Electronics Engineer, Graphics Designer, Blogger and YouTuber, inspired to teach all he knows from his experience in studying undergraduate engineering by creating useful posts.
