What is XSS?
Cross Site Scripting
- XSS is a vulnerability which, when present in websites or web applications, allows malicious users (hackers) to insert their
- When this malicious code is displayed in the web client (browsers like IE, Mozilla, etc.) along with the original web page, it allows hackers to gain greater access to that page.
XSS (-ve) effects
- Stealing other users' cookies
- Stealing their private information
- Performing actions on behalf of other users
- Redirecting to other websites
- Showing ads in hidden IFRAMEs and pop-ups
Types of XSS attacks
- When the XSS code only gets displayed in the next page to the same user and does not get saved into persistent storage like a database.
- This type of attack is less harmful, because the hacker can see only their own cookies and can make modifications only in their own currently opened
- In the persistent type of XSS attack, the XSS code gets saved into persistent storage like a database along with other data, and then it is visible to other users as well.
- This type of attack is more harmful, because the hacker can steal cookies and can make modifications in the page.
DOM based attack
- DOM Based XSS (or type-0 XSS) is an XSS attack wherein the attack payload is executed as a result of modifying the DOM environment in the victim's browser used by the original client-side script, so that the client-side code runs in an unexpected manner.
- That is, the page itself (the HTTP response, that is) does not change, but the client-side code contained in the page executes differently due to the malicious modifications that have occurred in the DOM.
Never trust the user input data
No matter where it's coming from (GET, POST, COOKIE, etc.)
Validation at server
- By sanitizing the input data, we can prevent malicious code from entering the system.
- Checking for the proper data types helps in cleaning the data. First of all we should restrict numeric fields to numeric data and text fields to alphanumeric characters only.
- White lists – allow <strong>, <em> and <br> only – does help, but not 100%
- Blacklists – block the <script> tag and attributes such as onload, onclick, onmouseover, etc.
Validation at client side
- Validation at the client side, before submitting the data to the server, helps only in the usability aspect of the website.
- It can't provide any actual security, because the user can
- frameworks are available for this.
Escaping output at server
- Problem characters include < > " &. These characters can be replaced with HTML character entities.
- For example, < can be replaced with &lt;.
5 Rules for escaping output
#1 - HTML Escape before inserting into element content
#2 - Attribute Escape before inserting into attributes
#4 - CSS Escape before inserting into style property values
#5 - URL Escape before inserting into URL attributes
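The escaping rules listed above (#1, #2, #4 and #5) carried out in code, as an added example that is not part of the original slides; `render_profile` and its field names are a hypothetical page fragment constructed for the demonstration:

```python
import html
import urllib.parse


def html_escape(s: str) -> str:
    """Rule #1: HTML escape for element content. Converts & < > " ' to entities."""
    return html.escape(s, quote=True)


def attr_escape(s: str) -> str:
    """Rule #2: attribute escape. Every non-alphanumeric character becomes &#xHH;,
    so the value can never terminate the quoted attribute it is placed in."""
    return "".join(c if c.isalnum() else f"&#x{ord(c):X};" for c in s)


def css_escape(s: str) -> str:
    """Rule #4: CSS escape for a style property value (\\HH followed by a space)."""
    return "".join(c if c.isalnum() else f"\\{ord(c):X} " for c in s)


def url_escape(s: str) -> str:
    """Rule #5: URL escape (percent-encoding) for a value placed in a URL parameter."""
    return urllib.parse.quote(s, safe="")


def render_profile(name: str, colour: str, query: str) -> str:
    """Hypothetical page fragment: the same untrusted values are inserted into
    four different contexts, each one passed through the escaper for that context."""
    return (
        f'<p class="name">{html_escape(name)}</p>\n'
        f'<div title="{attr_escape(name)}" style="color: {css_escape(colour)}"></div>\n'
        f'<a href="/search?q={url_escape(query)}">search</a>'
    )


if __name__ == "__main__":
    # constructed sample input: values a user might type into a form
    print(render_profile('<script>alert(1)</script>', "red", "a b&c"))
```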