XSS attacks, in essence, trick an application into delivering attacker-controlled script to a user's browser, which runs it with the same trust it gives the site itself. Each time a user loads the affected page, their browser downloads and runs the malicious script as if it were part of the page. In most XSS attacks the attacker tries to hijack the user's session by stealing cookies or session tokens, or uses the foothold to serve malware and further malicious JavaScript.
XSS vulnerabilities are difficult to prevent because most applications have many places where untrusted data reaches a page. In addition, whereas SQL injection or OS command injection executes on the server, XSS executes in the browsers of the site's users, which makes it harder to notice and harder to fix. And unlike SQL injection, which can be eliminated with the proper use of prepared statements, there is no single standard or strategy for preventing cross-site scripting.
There are two main types of cross-site scripting attack: stored XSS, where the malicious script is injected directly into the vulnerable application (for example into a saved comment) and served to every visitor of that page, and reflected XSS, where the script is carried in a crafted link and 'reflected' back into the page by the server, so the attack fires once a victim clicks the link.
Preventing XSS: 3 Ways to Keep Cross-Site Scripting Out of Your Apps
1. Escaping
The first method you can and should use to prevent XSS vulnerabilities from appearing in your applications is to escape user-supplied data at the point where it is written into the page (output encoding). Escaping means taking the data the application received and encoding it so that the browser displays it as data rather than interpreting it as markup or code. By escaping, the key characters in the received data are prevented from being interpreted as HTML, JavaScript or URL syntax. In essence, you are neutralizing the characters that carry meaning in the output context, especially < and > (and quotes inside attributes), so that they are rendered literally instead of harming the application and its users.
If your page doesn't allow users to add their own markup, a good rule of thumb is to escape all HTML, URL and JavaScript entities, using the encoder that matches the context where the data lands. If your page does allow rich text, such as a forum or a comment form, you have a few choices: either carefully choose which HTML you will allow and escape everything else, or use a replacement format for raw HTML such as Markdown, which lets you continue to escape all HTML while still rendering formatted text (provided the Markdown renderer is configured to escape, rather than pass through, inline HTML).
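The following is an added example, not code from the original post, showing what "escape for the right context" looks like in practice. It provides one encoder each for HTML content and attribute values, JavaScript string literals, and URL query parameters, and renders a constructed page fragment that places the same untrusted value in each context. The page template and the `greet()` function it calls are assumptions made for the illustration.

```javascript
// Added example (not from the original post): context-aware output encoding.
// Each encoder is correct only for the context named beside it; the HTML
// encoder alone is not enough inside a script string or a URL parameter.

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };

// Context: HTML element content and double-quoted attribute values.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Context: inside a JavaScript string literal. Every character that is not an
// ASCII letter or digit becomes \xHH or \uHHHH, so quotes, backslashes, angle
// brackets and newlines can end neither the literal nor the <script> block.
function escapeJsString(value) {
  return String(value).replace(/[^A-Za-z0-9]/g, (ch) => {
    const code = ch.charCodeAt(0);
    return code < 0x100
      ? "\\x" + code.toString(16).padStart(2, "0")
      : "\\u" + code.toString(16).padStart(4, "0");
  });
}

// Context: one query-string parameter value.
function encodeUrlParam(value) {
  return encodeURIComponent(String(value));
}

// Constructed page fragment that places the same untrusted value in several
// contexts; greet() is an assumed page function, not part of this example.
function renderProfile(displayName) {
  const html = escapeHtml(displayName);
  const js = escapeJsString(displayName);
  const url = encodeUrlParam(displayName);
  return [
    `<h1>Hello, ${html}</h1>`,
    `<input type="text" value="${html}">`,
    // Event-handler attribute: JS-string encode first, then HTML-attribute
    // encode, because the browser HTML-decodes the attribute before the JS
    // engine parses it (an HTML-only &#x27; would turn back into a quote).
    `<button onclick="greet('${escapeHtml(js)}')">Greet</button>`,
    `<script>var who = "${js}";</script>`,
    `<a href="/search?q=${url}">Search</a>`,
  ].join("\n");
}

// Helper for tests: true if the raw payload survived into the rendered page.
function payloadSurvives(rendered, payload) {
  return rendered.includes(payload);
}
```

The event-handler line is the case people get wrong most often: an `onclick` attribute is HTML first and JavaScript second, so the value has to be encoded for both layers, innermost context first.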
2. Validating Input
As Troy Hunt so eloquently puts it: “The theory goes like this: Expect any untrusted data to be malicious. What’s untrusted data? Anything that originates from outside the system and you don’t have absolute control over so that includes form data, query strings, cookies, other request headers, data from other systems (i.e. from web services) and basically anything that you can’t be 100% confident doesn’t contain evil things.”
Validating input is the process of checking that data arriving at the application has the expected form before it is used, and rejecting anything else, which protects the site, the database and its users. While whitelisting (allowlisting) and input validation are more commonly associated with SQL injection, they are also an additional layer of defence against XSS. Blacklisting, i.e. disallowing certain predetermined characters in user input, catches only known-bad input; whitelisting accepts only known-good input (a pattern, a length, a numeric range, a fixed set of values) and is the better method for preventing XSS as well as other injection attacks.
Input validation is especially effective in forms with structured fields, since a request containing characters a field can never legitimately hold (angle brackets in a username, letters in a quantity) is simply refused. However, as OWASP maintains, input validation is not a primary prevention method for vulnerabilities such as XSS and SQL injection; it reduces the attack surface and limits the damage should an attacker find such a flaw, but free-text fields such as names and comments must legitimately accept characters like apostrophes, so their values still have to be escaped on output.
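As an added example, not taken from the original post, here is whitelist validation of a constructed form with typed rules per field: a pattern for identifiers and names, an integer range, a fixed set of values, and an absolute URL restricted to `http`/`https`. The field names, rules and sample submissions are all assumptions made for the illustration. Note that a display name such as `O'Brien` passes validation, which is exactly why validation cannot replace output escaping.

```javascript
// Added example (not from the original post): whitelist input validation.
// Field names and rules are constructed for this illustration.
const FIELD_RULES = {
  username:    { type: "pattern", pattern: /^[A-Za-z0-9_]{3,20}$/ },
  // Letters of any script, space, dot, apostrophe and hyphen: a legitimate
  // name like O'Brien must pass, so this field still needs output encoding.
  displayName: { type: "pattern", pattern: /^[\p{L} .'-]{1,40}$/u },
  quantity:    { type: "integer", min: 1, max: 99 },
  country:     { type: "enum", values: ["DE", "FR", "US"] },
  homepage:    { type: "url", schemes: ["http:", "https:"] },
};

// Validates one raw string against one rule. Returns the canonical value on
// success (e.g. a Number for integers), never the raw input.
function validateField(rule, raw) {
  if (typeof raw !== "string") return { ok: false, error: "not a string" };
  switch (rule.type) {
    case "pattern":
      return rule.pattern.test(raw)
        ? { ok: true, value: raw }
        : { ok: false, error: "disallowed characters or length" };
    case "integer": {
      if (!/^\d{1,9}$/.test(raw)) return { ok: false, error: "not a whole number" };
      const n = Number(raw);
      return n >= rule.min && n <= rule.max
        ? { ok: true, value: n }
        : { ok: false, error: "out of range" };
    }
    case "enum":
      return rule.values.includes(raw)
        ? { ok: true, value: raw }
        : { ok: false, error: "not an allowed value" };
    case "url": {
      // Scheme whitelist: "javascript:alert(1)" parses as a URL but is refused.
      let parsed;
      try { parsed = new URL(raw); } catch (e) { return { ok: false, error: "not an absolute URL" }; }
      return rule.schemes.includes(parsed.protocol)
        ? { ok: true, value: parsed.href }
        : { ok: false, error: "scheme not allowed" };
    }
    default:
      return { ok: false, error: "unknown rule" };
  }
}

// Validates a whole submission; a missing field is treated as an empty string.
function validateForm(rules, form) {
  const values = {};
  const errors = {};
  for (const [field, rule] of Object.entries(rules)) {
    const raw = form[field] === undefined ? "" : form[field];
    const result = validateField(rule, raw);
    if (result.ok) values[field] = result.value; else errors[field] = result.error;
  }
  return { ok: Object.keys(errors).length === 0, values, errors };
}
```

Rejecting the whole request on any error, rather than silently dropping bad characters, keeps the behaviour predictable and avoids turning the validator into a blacklist filter that an attacker can probe.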
3. Sanitizing
A third way to prevent cross-site scripting attacks is to sanitize user input. Sanitizing data is a strong defence, but should not be used alone to battle XSS; it is entirely possible you will need all three methods on the way to a more secure application. Sanitizing is especially helpful on sites that allow HTML markup: rather than escaping or rejecting the input, a sanitizer parses it, keeps only a whitelist of harmless tags and attributes, and removes or rewrites everything else, changing unacceptable user input into acceptable input that can do no harm to users or to your database.
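As an added example, not code from the original post, here is a small whitelist sanitizer for rich-text input. Anything that is not a well-formed, whitelisted tag is treated as text and escaped; attributes are rebuilt from parsed values, never copied through; and `href` values are accepted only if they match a whitelist of URL shapes. The tag and attribute lists are assumptions for the illustration, and in production you should use a maintained library such as DOMPurify rather than this sketch.

```javascript
// Added example (not from the original post): whitelist HTML sanitizer.
// Tag and attribute whitelists below are constructed for this illustration.
const ALLOWED_TAGS = new Set(["b", "i", "em", "strong", "p", "br", "ul", "ol", "li", "code", "pre", "a"]);
const ALLOWED_ATTRS = { a: new Set(["href"]) };
const VOID_TAGS = new Set(["br"]);

const ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
// Text and attribute values are always re-encoded (user-typed entities such as
// &amp; are therefore shown literally, which is the safe direction to err in).
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// A tag only matches if it is well-formed and every attribute value is
// double-quoted and free of <, > and ". Anything else falls through as text,
// so unquoted values like onerror=alert(1) never reach the attribute parser.
const TAG_RE = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)((?:\s+[a-zA-Z-]+(?:="[^"<>]*")?)*)\s*\/?>/y;
const ATTR_RE = /([a-zA-Z-]+)(?:="([^"<>]*)")?/g;

// Whitelist of href shapes. ASCII control characters and spaces are removed
// first because browsers ignore them inside a scheme ("java\tscript:").
function safeHref(raw) {
  const value = raw.replace(/[\x00-\x20]/g, "");
  return /^(?:https?:\/\/|mailto:|\/(?!\/)|#)/i.test(value) ? value : null;
}

// Emits the tag from parsed parts, keeping only whitelisted attributes.
function rebuildTag(name, attrText) {
  const allowed = ALLOWED_ATTRS[name];
  let out = "<" + name;
  if (allowed) {
    for (const m of attrText.matchAll(ATTR_RE)) {
      const attr = m[1].toLowerCase();
      if (!allowed.has(attr) || m[2] === undefined) continue;
      const value = attr === "href" ? safeHref(m[2]) : m[2];
      if (value !== null) out += ` ${attr}="${escapeHtml(value)}"`;
    }
  }
  return out + ">";
}

function sanitizeHtml(input) {
  let out = "";
  let i = 0;
  while (i < input.length) {
    const lt = input.indexOf("<", i);
    if (lt === -1) { out += escapeHtml(input.slice(i)); break; }
    out += escapeHtml(input.slice(i, lt));
    TAG_RE.lastIndex = lt;
    const m = TAG_RE.exec(input);
    const name = m ? m[2].toLowerCase() : null;
    if (m && ALLOWED_TAGS.has(name)) {
      if (m[1] === "/") out += VOID_TAGS.has(name) ? "" : `</${name}>`;
      else out += rebuildTag(name, m[3]);
      i = lt + m[0].length;
    } else {
      out += "&lt;"; // not a recognised, whitelisted tag: render the bracket literally
      i = lt + 1;
    }
  }
  return out;
}
```

The important design choice is that the output is generated from the parsed structure rather than by deleting bad substrings from the input; a blacklist that strips `<script>` can be bypassed with `<scr<script>ipt>`, whereas here a stray `<` that does not start a whitelisted tag is simply escaped.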