Alright folks, this week we're going to walk through some of the basics of XSS attacks. First, some context. XSS stands for cross-site scripting. It's a type of 'injection' attack, in which a hacker uses input fields to inject a site with their own malicious code. This code is then loaded onto the user's browser, invoking the code and doing crimes.
These attacks can have a multitude of nefarious goals, including cookie theft, keylogging, phishing, or hijacking the user session. There are many sites that improperly utilize cookies to store user data. XSS attacks can be used to gain access to this information, allowing an ambitious hacker to gain access to a variety of tools for digital delinquency.
This diagram, borrowed from the incredible resource https://excess-xss.com/, gives us an idea of how a typical XSS attack works. First, the hacker posts their malicious script to the website, using a direct input field. This scripted comment then gets sent to the the website's database. When a user tries to access the website, this scripted comment is loaded, but the browser interprets it as legitimate code, not a comment, and the attacker can use this to gain all kinds of access to the user's information.
So what can we do to prevent these attacks? In general, responses fall into two categories: Encoding and Validation. Encoding is the practice of making sure that all data received from input fields is properly 'escaped', which means that the code is compiled to no longer resemble working code. You've probably seen this kind of escaping before, without realizing the purpose of the code. Many sites will replace HTML code with things like < and >, for instance. Validation is a way to enhance the power of encoding. Using validation techniques, we can strengthen the power of our encoding practices. Validation is going to use filtering to remove all or parts of malicious code that is submitted to the site. One way to do this is to implement a blacklist. Blacklisting creates a list of invalid input formats. This isn't always the most efficient way to censor inputs, however, as there are many workarounds to avoiding the blacklist. That's why the best practice is instead whitelisting. Whitelisting instead creates a list of accepted inputs, and only inputs that meet this format are allowed to populate the site. These are easier to enforce and maintain, as you are in total control over what can be posted to your website.
So there we have it. XSS is a pretty commonplace tactic by hackers, and so it is worth your time to protect your website with XSS protections. Utilize a mix of encoding and validation techniques in order to maximize the amount of protection coverage that you have. This will ensure that your users are protected against pesky hackers.