XSS is one of the Deadliest Attacks the hackers do on a web application . XSS also known as Cross Site Scripting , is an attack where the attacker injects a malicious script to perform a malicious action on trusted websites . This Malicious script executes on the browser , and affects the visiting user .
XSS is quiet prevalent in the websites where the user input is not encoded or escaped .
Cross Site Scripting (XSS) is of 3 Types :
- Stored XSS
- Reflected XSS
- DOM Based XSS
For more info on XSS please refer to this Link .
XSS Prevention Cheat Sheet
XSS is best prevented while coding an Application . Here are some Prevention techniques for XSS :
- Escape all user Input and Output .
- Escape All Special Characters .
- Internet Explorer has an Attribute HTTP-Only that can be set for the cookies to prevent stealing of of cookies and avoids access to cookies by any script . This is Output Validation instead of input Validation .
- White-List input validation is an excellent strategy for the prevention of XSS . Here we define a list of Allowed input by the user . Any input which is not as per the allowed white-list (which is just the allowed regular expressions) is not taken as an input and simply rejected .
- Use of OWASP Auto-Sanitization library is highly recommended .
- To prevent XSS also use Anti-Sammy or Java HTML Sanitizer Project (also from OWASP)
- Use OWASP Content Security Policy .
- Output Validation is a must thing . Otherwise without proper escaping or validation it will be treated as an active content by the browser.
- Build a good XSS Filter .
Building A Good XSS Filter
Keep in mind that no perfect XSS Filter can be made . XSS filter is just an added layer of protection . XSS filter will help to make our Application protected from vague attacks and script kiddies .
Basic Rules For XSS Filter
- Encode every data given by the user .
- If the data is not via user and arrives by a GET request , encode this data too .
- The Following data must be properly sanitized .
- HTTP Referrer Objects : HTTP Header Field that defines the address of the webpage associated with the resource requested .
- GET Parameters from a Form .
- POST Parameters from a Form .
- Doccument.Referrer : Returns the URL of the Document that loaded the current document .
- Document.Location : Contains the information about the current URL .
- Cookie Data
- All Headers Data
- DATABASE Data
- Encode all <,>,”,’
& -> &
< -> <
> -> >
- Use of OPEN SOURCE LIBRARIES To prevent XSS :
- PHP AntiXSS : Automatically detects encoding of data that must be filtered .
- XSS_Clean.php filter : Cleans URF Encodings and Nested Exploits .(available on Github)
- HTML Purifier : HTML library written in PHP .This will remove any malicious code from the Input . Also available as a plugin in most Php Frameworks .
- XSS Protect : This Library works by creating an HTML Tag Tree of the Webpage . This will parse all the HTML Webpage and Match all the Tags . After that it will filter interface and will filter any improper HTML Attributes .
- XSS HTML Filter : This is an XSS filter for JAVA .