In this blogpost we will cover:-
- What is Cross-site scripting?
- Types of cross-site scripting?
- How to be safe from XSS Attacks?
- Unintended script execution
- Session data exposure
- The unprecedented use of variables
- Input validation
- Unintentional user activity
Attackers leverage these vulnerabilities to engage in malicious activities. Some common attacks include cross-site scripting and Cross-Site Request Forgery (CSRF). We will be thoroughly discussing Cross-site scripting in this blog post.
Cross-site scripting (XSS) is a client-side code injection that enables attackers to embed malicious code in a legitimate web page or web application. The code can be designed for multiple reasons.
Possible effects of cross-site scripting are:
- The attacker gain control of victim’s data,
- Injection of trojan functionality into the web site.
- The attacker can compromise their interaction with the web application,
- The attacker can perform malicious actions,
- They can access the user’s geolocation, webcam, microphone, and even specific files from the user’s file system.
These are a few of the many problems which can occur.
According to OWASP( an online community dedicated to application and web security), Cross-site scripting is a very common web security vulnerability.
According to Mozilla Docs, Cross-site scripting attacks occurs when:
- The data enters a Web app through an untrusted source, which in most cases is an unauthorized web request
- Dynamic content is sent to a Web user without being validated for malicious content
We understood in a broad sense how cross-site scripting works but taking a glance on multiple ways or types of XSS is really important. XSS has been divided into 3 categories:-
Here the malicious script comes from the current HTTP request. It arises when an application receives an HTTP request that contains a malicious script.
Here is an example:
Stored attacks are those where the malicious script is stored in the target server permanently, such as in a database, input form or the form of a comment.
Consider an example of a blog page which enables readers to present their views using comments. The attacker can quickly put up a comment using an HTTP request with an injected malicious script.
DOM Based XSS is an advanced version of XSS. It happens when a web application writes data to the Document Object Model without proper sanitization. This enables attackers to execute malicious scripts, typically allowing them to engage with all data illegally.
The Document Object Model is an interface that treats an XML or HTML document as a tree structure wherein each node is an object representing a part of the document.
As we now understand now how we can prevent getting into attacks:
XSS attacks are hard to prevent but following steps can be used to prevent getting into such attacks.
According to OWASP, there are multiple ways to prevent XSS Attacks but to summarize most of the solutions, we have to ensure all variables go through validation and are then escaped or sanitized. Any variable passed without a validation is a threat or weakness.
Output encoding refers to the encoding of the data displayed on the page. Most of the time, data from the user’s input is a potential cause for XSS attacks. The correct encoding of these user inputs, including one through the website’s URL, should be correctly encoded.
In simpler words, output encoding is the process of converting untrusted input into a safe form so it can be displayed as data without executing code in the browser.
Some examples of characters and their escaped equivalents are:
Convert & to & Convert < to < Convert > to > Convert " to " Convert ' to ' Convert / to /
Except for alphanumeric characters, escape all characters with the \uXXXX unicode escaping format (XX = Integer)
URLs also need to be encoded; For URLs, only parameter values are encoded, not the entire URL or path fragments of a URL. For encoding URLs for places where we use
<href> do URL encoding, followed by HTML attribute encoding (Reference, OWASP).
url = "https://site.com?data=" + urlencode(parameter) <a href='attributeEncode(url)'>link</a>
Let us understand, with an help of an example:-
An attacker attaches this script as a part of a webpage:
<script> harmfulcode </script>
The browser converts the encoded script back to this code:
The browser will show this as a part of the webpage without actually running the script
Output encoding in terms of HTML might prevent XSS but will eventually affect the styling of the page. To prevent such cases HTML sanitization is an OWASP-recommended strategy to prevent XSS.
HTML Sanitization will strip down malicious code from a variable and return a safe string.
OWASP recommends DOMPurify for HTML Sanitization. It can be used using the below code snippet-
let clean = DOMPurify.sanitize(dirty);
Input sanitization is a process to prevent malformed data from persisting in the database and triggering malfunction in the workflow of the web application.
There are two approaches to perform input validation:
There is good support for client side validation in HTML, we should always leverage the existing functionality provided by the language itself.
For example; use “required” attribute & provide type validation in any input field:
<input required name="emailAddress" id="emailAddress" type="email"/>
In the above code snippet, the input provided is required and the type given is email, preventing all such illegal inputs to be entered via the form.
Although client-side input validation works perfectly, it can be bypassed with various techniques available. When a request reaches the server, you must again ensure it is valid per the applicable rules. It can be done directly using regular expressions to validate all incoming requests. But other frameworks like Bean Validation (JSR 303) or OWASP ESAPI can also be used.
For a deeper understanding please refer to the OWASP Cheat Sheet
Cyber security is one of the concerns which is often left out even by senior engineers or experienced Developers. Cross-Site Scripting is an old but most common threat nearly to all users.
There are multiple ways we can prevent getting caught in Cross-site scripting out of which top three are:
- Output encoding
- Input Validation
- HTML Sanitization
We look forward to sharing more of our workflows in the coming days. If you have some feedback or have found this blog post of your interest, do connect with us!