
Discussion on: How hackers steal your keys and secrets

brendan8c (Сова):

Good day, people!
How do I protect a form on the site?
From bots and XSS..
I am a frontend dev. Backend dev I don't know..

omerxx (Omer Hamerman, Author):

Hey!
For XSS I suggest looking in OWASP's overview and their cheat sheet. XSS has lots and lots of techniques and I'd say it's a kind of its own skill. Make sure you use the suggested headers and avoid the usual pitfalls. The risky type is usually stored XSS in cases where the stored script is visible to other users. I'd make sure I know the basics and think how my application works and whether the risk it presents is worth diving in.

E.g. if my application is a message board, and a posted message is visible to lots of my users, a stored XSS may have a more serious effect than, let's say, a self reflected XSS.

If users are at risk - put your efforts there. I hope this helps

brendan8c (Сова):

Thank you! Another question..
How do I install (AntiXSS) on my website?
Can you write how to do it step by step?

1. Download
2. Install
3. Connect dependencies

I have not connected this before. You have to understand this, I'm a front-end developer, it's a little difficult for me.

omerxx (Omer Hamerman, Author):

Not sure what you’re referring to but if that’s a library that helps you set different XSS features it sounds like a good idea. Regardless, I still think it’s important to learn the actual basics so you can know how and when to use it correctly. It’s also good to understand the basic important concepts to know where a layer of protection is coming short.

brendan8c (Сова):

Yes, this library (github.com/voku/anti-xss)
I don't know how it works..
This is hard for me

omerxx (Omer Hamerman, Author):

Hey,
Basically, this is a library that offers its own functionality to escape special characters and HTML edge cases to prevent different kinds of XSS. In regards to usage, they have pretty straightforward instructions.

Don't know whether this is the best tool for the job but I can't recommend anything else since I'm not aware of any.

It's good that you care, understand the risk, and try to prevent the damage from happening.
Good luck

brendan8c (Сова):

Hi )
I connected everything for protection.
How can I validate the form?
I want to check whether my protection is working or not.
If I paste alert(document.cookie) into the form, it will be sent to my mail. I will not see any JavaScript code displayed.
I need a method to test my XSS protection.
In other words, what I need to do is to make an XSS attack on my form so that I can see if my defense has worked or not.
I hope I have explained it clearly.
I am sorry my English is bad.

omerxx (Omer Hamerman, Author):

Hi,

Like I mentioned earlier, you probably want to learn the basics on your own and then validate your protection by "attacking" your own page. Here's a great video with explanations on different techniques. The guy also has a practice area where you can practice what you've learned: youtube.com/watch?v=EoaDgUgS6QA

When you protect something, be aware of what it is you are protecting from. "XSS" is a wide range of techniques that can abuse pages. If you protect from a certain technique - e.g. HTML tags, try exploiting your own form with something like <img src/onerror=alert(1)>.
Here's another cheatsheet by Portswigger where you can see an endless list of methods: portswigger.net/web-security/cross...
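The two replies above describe, in words, what an escaping library does (encode special characters so a stored message is rendered as text) and how to check it (submit a known payload such as `<img src/onerror=alert(1)>` and confirm it no longer renders as markup). The block below is an added example for this thread, not code from the discussion, from the `voku/anti-xss` library or from the author: a minimal HTML-text-context encoder in plain JavaScript, a message-board render function that only ever interpolates encoded values, and a self-check that runs the payload quoted in the thread through it. The `renderMessage` and `checkProtection` names, the `<li>` wrapper and the sample messages are assumptions made here for illustration.

```javascript
// Added example for this thread; not the discussion's or the library's code.
// HTML text-context output encoding: every character that can open a tag,
// close an attribute or terminate a quoted value is replaced by a character
// reference, so the browser displays it instead of interpreting it.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
  '/': '&#x2F;',
};

function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"'\/]/g, (ch) => HTML_ESCAPES[ch]);
}

// Hypothetical message-board renderer: the author and body come from users
// (stored data), so both pass through escapeHtml before being placed into the
// HTML text context. The <li>/<b> wrapper is trusted, fixed markup.
function renderMessage(author, body) {
  return `<li><b>${escapeHtml(author)}</b>: ${escapeHtml(body)}</li>`;
}

// Self-check in the spirit of "attack your own form": feed each payload through
// the same path the real form uses and verify that no raw tag delimiter
// survives. The payloads are the ones quoted in the thread (constructed input).
const SAMPLE_PAYLOADS = [
  '<img src/onerror=alert(1)>',
  '<script>alert(document.cookie)</script>',
  'plain text with 1 < 2 and "quotes"', // benign input must still be readable
];

function checkProtection(payloads) {
  return payloads.map((payload) => {
    const escaped = escapeHtml(payload);
    return {
      payload,
      escaped,
      // neutralized: nothing left that the HTML parser could treat as a tag
      // or an attribute boundary
      neutralized: !/[<>"']/.test(escaped),
    };
  });
}

// Convenience: true only if every sample payload was neutralized.
function allNeutralized(payloads = SAMPLE_PAYLOADS) {
  return checkProtection(payloads).every((r) => r.neutralized);
}

// Stand-alone run: print the encoded form of each payload.
for (const result of checkProtection(SAMPLE_PAYLOADS)) {
  console.log(result.neutralized ? 'OK  ' : 'FAIL', result.payload, '->', result.escaped);
}

module.exports = { escapeHtml, renderMessage, checkProtection, allNeutralized, SAMPLE_PAYLOADS };
```

Two points a practitioner would check before relying on this: the encoder above is correct only for the HTML text context (and for double-quoted attribute values); a user value that ends up inside an `href`, an inline event handler or a `<script>` block needs that context's own encoding, which is exactly the "know what you are protecting from" point made above. In the browser, assigning untrusted text with `element.textContent` instead of `innerHTML` gives the same text-context result without a manual encoder.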