Cross-Site Scripting attack and prevention
Cross-Site Scripting (abbreviated as XSS) is the most common application-level attack technique, in which malicious scripts are injected into web pages. An XSS attack can occur anywhere a web application uses input from a user within the output it generates without validating or encoding it. The injected code is usually written in JavaScript, but it may also be ActiveX, VBScript, Java or any other technology the browser supports.
Unlike most attacks, which involve two parties – the attacker, and the web site (or victim client), the XSS attack involves three parties – the attacker, a client and the web site/application. The goal of the XSS attack is to steal the client cookies, or any other sensitive information, which can identify the client with the web site/application. With the token of the legitimate user at hand, the attacker can proceed to act as the user in his/her interaction with the site – specifically, impersonate the user.
An attacker can use XSS to send a malicious script to an unsuspecting user. The end user’s browser has no way to know that the script should not be trusted, and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site. These scripts can even rewrite the content of the HTML page.
Protecting your site/application from XSS attack.
- Identify all the potential areas where untrusted input can enter your software. This includes parameters or arguments, cookies, environment variables, reverse DNS lookups, request headers, URL components, email, files, and any external systems that provide data to the site/application.
- Do not limit data validation to the client side. Remember, an attacker can bypass client-side checks by modifying the values after the validation has been performed and submitting these modified values to the server. Ensure the validation is performed on the server side too.
- Use mechanisms (to provide relevant encoding, quoting and validation) that automatically enforce separation between data and code. Use and specify an output encoding that can be handled by the downstream component that reads the output.
- Set the HttpOnly flag on the user's session cookie, so that script running in the page cannot read it. The HttpOnly feature is available in most recent browser versions. Make your users aware that they should use modern versions of their browsers.
- Perform input validation at well-defined interfaces within the application.
- If possible, use a web application firewall that can detect XSS attacks.
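The following is an added example, not code from the original article: a reflected-XSS bug beside its hardened form, showing server-side validation, contextual output encoding, and an HttpOnly session cookie. It is plain Node.js with no framework assumed; the 100-character length limit and the function names are assumptions for this example.

```javascript
// VULNERABLE: untrusted input is pasted straight into the HTML output,
// so a value such as <script>...</script> becomes executable code.
function renderSearchVulnerable(query) {
  return `<p>Results for: ${query}</p>`;
}

// Output encoding for an HTML text node or quoted attribute value: every
// character that can change HTML structure is replaced by an entity.
function escapeHtml(value) {
  return String(value).replace(/[&<>"'\/]/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;',
    '"': '&quot;', "'": '&#x27;', '/': '&#x2F;',
  })[ch]);
}

// HARDENED: server-side validation (assumed rule: cap the length) plus
// output encoding at the point where the data is placed into HTML.
function renderSearchHardened(query) {
  const q = String(query ?? '');
  if (q.length > 100) throw new Error('query too long');
  return `<p>Results for: ${escapeHtml(q)}</p>`;
}

// Session cookie flagged HttpOnly so document.cookie cannot read it even
// if a script does run; Secure and SameSite are the usual companions.
function sessionCookieHeader(token) {
  return `session=${encodeURIComponent(token)}; HttpOnly; Secure; SameSite=Lax; Path=/`;
}

// Constructed sample input: the classic probe string used to test for XSS.
const probe = '<script>alert(1)</script>';
console.log('vulnerable:', renderSearchVulnerable(probe)); // script tag survives intact
console.log('hardened:  ', renderSearchHardened(probe));   // rendered as inert text
console.log('cookie:    ', sessionCookieHeader('constructed-token'));
```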
Cross Site Scripting is one of the most common and dangerous application level attacks that attackers use to sneak into web applications today. It is an attack on the privacy of clients of a particular web site which can lead to a total breach of security when customer details are stolen or manipulated without the knowledge of either the client or the organization being attacked.