Wednesday, 18 January 2012

XSS – Cross Site Scripting Attack & Prevention (Basics)


Cross-site scripting is a security vulnerability in web applications where an attacker injects malicious client-side script into server pages, which are then served to other users of the application.  An XSS attack is typically aimed at:

  • cookie hijacking/poisoning.
  • user session hijacking.
  • user identity theft.
  • gaining free access to paid contents.
  • redirecting users to another websites.
  • false advertisements or defamation.

The above piece of code might break the HTML of the page and execute the JavaScript, thereby passing the cookie information on to another domain.  Here the malicious code has been injected as plain ASCII characters; the same attack can be replicated by converting the malicious code to its hexadecimal equivalent or another encoding.
Non persistent XSS attack
It is one of the most common types of XSS attack. In such attacks, unfiltered input is used by the server to generate the next page.  Since HTML has a hierarchical DOM structure in which data is mixed with control statements, adding unescaped user input can turn that input into executable markup.  A classic example of such an attack is a search engine: if the search term is not escaped properly, an XSS attack can ensue.
Persistent XSS attack
It is a more devastating form of XSS attack because the malicious code provided by the attacker is permanently stored on the server and is used to create pages served to other users of the targeted website.  A typical example of such an attack is via message boards or forums where users are allowed to post HTML-formatted messages for other users.

Prevention
The following basic methods can help you avoid the most common types of XSS attacks on your web applications.

  • Output escaping – If user content must be placed in HTML, it must be escaped properly for its context: HTML entity encoding, JavaScript escaping, CSS escaping or URL encoding, as the situation requires. Some of the special characters which must be encoded to prevent basic XSS attacks are &, <, >, ', ", ;

  • Validation of HTML input by user – Where the user is allowed to enter a fixed set of HTML tags, simply encoding the input would not protect you from the attack.  User input must be passed through a filter that removes all tags except the allowed ones.

  • Securing the browser cookies – Browser cookie stealing / poisoning is another major security flaw introduced by XSS.  There are various ways in which such attacks can be avoided.  Web applications commonly create a session cookie and tie it to the IP address of the machine from which the user originally logged in. This is not sufficient on its own, but it prevents a major part of the attack.  Newer browsers also support a cookie attribute called HttpOnly.  Setting a cookie as HttpOnly disallows reading it from scripting languages, thwarting attempts at cookie stealing.

  • Disabling script – Most common browsers allow the user to disable execution of scripting languages to enhance security, though this may disable certain functionality in web applications that depend entirely on scripting.  To avoid such situations, web applications should be built so that they work seamlessly even when the user has disabled scripting in their browser.
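The two prevention steps the post spends most time on, output escaping and the HttpOnly cookie attribute, as an added example (not code from the original post). It contrasts the unsafe search-results rendering from the "Non persistent XSS attack" section with the escaped version, and builds a Set-Cookie header value; the function names and the search-page template are assumptions for the demo.

```javascript
// Added example, not part of the original post: HTML-body-context escaping
// and an HttpOnly session cookie, using only Node.js built-ins.

// Every character that can change HTML structure mapped to its entity. This
// covers the & < > ' " set named in the post; ';' needs no entity in body text.
const HTML_ENTITIES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#x27;",
};

// Escape untrusted text for insertion into an HTML element body or a quoted
// attribute. Other contexts (JS, CSS, URL) need their own encoders.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Vulnerable rendering of a search-results page: the term is concatenated raw,
// so anything the user typed becomes markup (the non-persistent XSS case).
function renderSearchUnsafe(term) {
  return `<p>Results for: ${term}</p>`;
}

// Hardened rendering: same page, term escaped for HTML body context.
function renderSearchSafe(term) {
  return `<p>Results for: ${escapeHtml(term)}</p>`;
}

// Crude detector used only for this demo: true if the rendered page contains
// any tag the template itself did not emit (the template emits only <p>).
function containsInjectedMarkup(html) {
  const body = html.replace(/^<p>|<\/p>$/g, "");
  return /<[a-zA-Z!\/]/.test(body);
}

// Set-Cookie header value for a session cookie. HttpOnly hides it from
// document.cookie, Secure keeps it off plaintext HTTP, SameSite limits
// cross-site sending. Name and value are restricted to token characters.
function sessionCookieHeader(name, value) {
  const token = /^[A-Za-z0-9_-]+$/;
  if (!token.test(name) || !token.test(value)) {
    throw new Error("cookie name and value must be token characters");
  }
  return `${name}=${value}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

// Constructed sample input, as a search term an attacker might submit.
console.log(renderSearchSafe('<script>alert(1)</script>'));
```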
