Cross site scripting
2. What is cross-site scripting?
• Cross-Site Scripting (referred to as XSS) is a type of web application attack where
malicious client-side script is injected into the application output and
subsequently executed by the user’s browser.
• An attacker can use XSS to send a malicious script to an unsuspecting user. The
end user’s browser has no way to know that the script should not be trusted, and
will execute it, because it thinks the script came from a trusted source.
3. Why should I care about cross-site scripting?
• The consequences of an attacker being able to execute JavaScript on a web
page may not immediately stand out, especially since browsers run JavaScript in
a very tightly controlled environment in which it has limited access to the
user’s operating system and files.
4. Who’s affected by cross-site scripting?
• Everyone. No, really – almost every site you can think of has had XSS
problems at one time or another (and probably still does) :
• Universal XSS in Internet Explorer (2015) [1]
• Tweetdeck (2014) [2]
• PayPal (2013) – BONUS: discovered by a 17-year-old kid [3]
• Google Finance (2013) [4]
• 25 “Verisign-secured” online stores (2012) [5]
• McAfee (2011) [6]
• Visa (2010) [7]
6. Types of XSS:
• XSS can be used in a range of ways to cause serious problems.
1 : Stored XSS :
The most damaging type of XSS is Stored (Persistent) XSS. Stored XSS attacks
involve an attacker injecting a script (referred to as the payload) that is permanently
stored (persisted) on the target application.
2 : Reflected XSS :
The second, and by far the most common, type of XSS is Reflected XSS. In Reflected XSS,
the attacker’s payload script has to be part of the request which is sent to the web
server and reflected back in such a way that the HTTP response includes the payload
from the HTTP request.
3 : DOM-based XSS :
DOM-based XSS is an advanced type of XSS attack which is made possible when the
web application’s client-side scripts write user-provided data to the Document Object
Model (DOM).
12. Methods of preventing XSS
• Encoding : First of all, encode all <, >, ' and ". This should be the first step of your
XSS filter. See the encoding below:
• & –> &amp;
• < –> &lt;
• > –> &gt;
• " –> &quot;
• ' –> &#x27;
• / –> &#x2F;
• Validation : filter the user input so that only the expected, well-formed
values are accepted and nothing the browser would interpret as malicious
commands gets through.
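The reflected XSS flow from slide 6 and the six-character encoding table above, worked through as an added example that is not part of the original slides. The entity map follows the table on this slide; the search page, the `encodeForHtml`, `isValidSearchTerm` and `renderSearchPage*` names, and the sample inputs are all constructed for illustration.

```javascript
// Added example, not from the original slide deck: output encoding per the
// six-character table on this slide, next to an allow-list validation step,
// applied to a minimal "reflected" search page.

// The six characters the slide lists, and the entity each becomes. This is the
// encoding for text placed inside an HTML element body; attribute, JavaScript
// and URL contexts need their own context-specific encoders.
const HTML_ENTITY_MAP = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
  '/': '&#x2F;',
};

// Encode untrusted text before inserting it into HTML element content.
// '&' is covered by the same single pass, so already-encoded input is not
// double-decoded later by the browser.
function encodeForHtml(untrusted) {
  return String(untrusted).replace(/[&<>"'/]/g, (ch) => HTML_ENTITY_MAP[ch]);
}

// Allow-list validation: a search term may only contain letters, digits,
// spaces and a little punctuation, and must be 1..64 characters long.
// Anything outside the allow list is rejected rather than "cleaned".
const SEARCH_TERM_PATTERN = /^[A-Za-z0-9 .,_-]{1,64}$/;

function isValidSearchTerm(term) {
  return SEARCH_TERM_PATTERN.test(String(term));
}

// Reflected XSS in miniature: the term from the request is echoed straight
// back into the response, so any markup in the request reaches the browser.
function renderSearchPageVulnerable(term) {
  return `<p>Results for: ${term}</p>`;
}

// Hardened form: the same page, with the term encoded on output. The browser
// now displays the request's markup as text instead of parsing it.
function renderSearchPageSafe(term) {
  return `<p>Results for: ${encodeForHtml(term)}</p>`;
}

// Constructed request values used to exercise both renderers.
const SAMPLE_INPUTS = [
  'wso2 api',                 // ordinary query, passes validation
  '<b>"It\'s" & co/</b>',     // contains every character in the table
];

// Run both renderers over the sample inputs and report, per input, whether
// the raw markup survived into the page and whether validation would have
// stopped it at the door.
function demo() {
  return SAMPLE_INPUTS.map((term) => ({
    term,
    valid: isValidSearchTerm(term),
    vulnerableEchoesMarkup: renderSearchPageVulnerable(term).includes(term),
    safeEchoesMarkup: renderSearchPageSafe(term).includes('<b>'),
    safeHtml: renderSearchPageSafe(term),
  }));
}

module.exports = { encodeForHtml, isValidSearchTerm, renderSearchPageVulnerable, renderSearchPageSafe, demo };
```

Validation and encoding are complementary rather than alternatives: the allow list rejects the second sample outright, while the encoder makes the page safe even when a value (a product name with an apostrophe, say) legitimately has to carry one of the six characters.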
13. Open Source Libraries for Preventing XSS Attacks
• PHP AntiXSS : This is a nice PHP library that can help developers add
an extra layer of protection from cross-site scripting vulnerabilities.
• xss_clean.php filter : This is a strong XSS filter that cleans various
URL encodings and nested exploits.
• HTML Purifier : This is a standard HTML filtering library written in
PHP. It removes all malicious code from the input and protects the
website from XSS attacks. It is also available as a plug-in for most PHP
frameworks.
• XSS Prevention Rules by OWASP