What is cross-site scripting?
Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications. XSS attacks enable attackers to inject client-side scripts into webpages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy. Cross-site scripting carried out on websites accounted for roughly 84% of all security vulnerabilities documented by Symantec up until 2007.
What are the types of cross-site scripting?
· Reflected XSS: This is the most basic type of web vulnerability. It shows up most commonly in HTTP query parameters, which are used immediately by server-side scripts to parse and display a page of results for the visitor. A classic example of a potentially vulnerable site is a search engine: if one searches for a string, the search string will typically be redisplayed verbatim on the result page to indicate what was searched for. If this response doesn't properly escape or reject HTML control characters, a cross-site scripting flaw will ensue.
A reflected attack is typically delivered via email or a neutral website. The bait is an innocent-looking URL pointing to a trusted site but containing the XSS vector. If the trusted site is vulnerable to the vector, clicking the link can cause the victim's browser to execute the injected script.
· Stored XSS: This is a more complicated type of cross-site scripting vulnerability. It occurs when the data provided by the attacker is saved by the server and then permanently displayed on "normal" pages returned to other users in the course of regular browsing, without HTML escaping. An example of this is online message boards where users are allowed to post HTML-formatted messages for other users to read. Suppose there is a hotel reservation website where members look for the perfect hotel to book for their vacation, but for privacy reasons the site hides everybody's real name and email. Suppose an attacker also visits this website and wants to discover the real names and emails of its visitors. To do so, the attacker writes a script designed to run from visitors' web browsers when they visit the attacker's profile. The script then sends a quick message to the attacker's server, which collects this information.
How do I prevent my web application/site from having this vulnerability?
Context Encoding/Decoding: This is the primary
defense mechanism that should be used to stop XSS attacks. There are several
escaping methodologies that can be used depending on where the untrusted string
needs to be placed within an HTML document including HTML entity encoding,
JavaScript escaping, CSS escaping, and URL (or percent) encoding. Most web
applications that do not need to accept rich data can use escaping to largely
eliminate the risk of XSS attacks in a fairly straightforward manner.
Safely validating untrusted HTML input: Accept only certain characters in user input, to ensure that no XSS code is injected inside it.
Scripts: Content Security Policy (CSP) allows HTML documents to opt into disabling some scripts while leaving others enabled. The browser checks each script against a policy before deciding whether to run it or not.
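The context encoding defense described above, as an added example that is not code from the original post: the search-results page from the reflected XSS section echoes the search string into HTML text, an attribute, a URL and a JavaScript string, each through its own encoder. The function names and the sample page are assumptions made for illustration.

```javascript
// Added example; function names and the sample page are hypothetical.

// HTML text and quoted-attribute context: entity-encode markup characters.
function encodeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// JavaScript string-literal context: escape every non-alphanumeric character
// as \uXXXX so the value cannot close the string or the <script> element.
// HTML entity encoding is the wrong tool here: it leaves a backslash or a
// newline untouched, and both are significant inside a JS string.
function encodeJsString(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, (c) =>
    '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// URL query-parameter context: percent-encode the value.
function encodeUrlParam(s) {
  return encodeURIComponent(String(s));
}

// Search-results page that redisplays the untrusted search string q,
// choosing the encoder by where the string lands in the document.
function renderResults(q) {
  return [
    '<h1>Results for ' + encodeHtml(q) + '</h1>',
    '<input name="q" value="' + encodeHtml(q) + '">',
    // The URL is built with percent-encoding, then HTML-encoded as an attribute.
    '<a href="' + encodeHtml('/search?q=' + encodeUrlParam(q)) + '">Permalink</a>',
    '<script>var lastQuery = "' + encodeJsString(q) + '";</script>',
  ].join('\n');
}

// Constructed sample input with characters that matter in each context.
const sample = 'Tom & "Jerry" <b>\'s\\</b> </script>';
console.log(renderResults(sample));
```

In the printed page the sample appears only as inert text: no `<b>` element is created and the only literal `</script>` is the one the template itself wrote.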
Stay safe with Tech4allgeeks