Have a Question About the BreachLock Cloud Platform? Enter it below.
25 November, 2019
What is Cross-site Scripting (XSS), and how can you fix it?
What is Cross-site Scripting (XSS)?
XSS, or Cross-site scripting, is a type of attack on a web application that allows an attacker to compromise the visitors of the infected web application. By exploiting XSS vulnerability, an attacker can inject malicious scripts on a page of the infected web application. These scripts get executed when a user loads the infected page. On the BreachLock cloud platform, it is one of the most commonly identified vulnerabilities in web applications, and XSS is also listed as one of the Top 10 OWASP web application vulnerabilities.
If an XSS attack is successful, an attacker can
- Gain unauthorized access to cookies, session IDs, and passwords of a victim
- Read and access all the information displayed to a victim
- Compromise or modify the content being shared with a victim
Example of XSS Attack
Consider that your web application is based on PHP, and there is a search box. The piece of code given below is used when there is no search result, and the web application says, “Could not find any pages when searching for user_query.”
Essentially, this will output the user’s search query straight into the HTML document, and if the search query contains HTML, the user’s browser will render it.
To start with, let us consider that the attacker sends a link like the one given below to the victim via social media sites, free download websites, or phishing campaigns.
When a user clicks on this link, the search box will search for
If the web application does not have input validation, the user’s browser will render
How can it be mitigated?
Mitigating XSS vulnerabilities significantly depends upon the context, and no patch can completely deal with this issue. However, multiple steps can be taken to reduce the chances of such an attack.
Here, Bad_script is the search query of a user.
Convert the user inputs to HTML entities, for example, & to &.
To prevent the creation of other attributes, convert the untrusted user input to HTML entities, as discussed above. While the web application is being developed, do not allow any user data into specific parameters such as id, class, name, etc.
Encoding of user data helps in preventing the use of ampersand as it will lead to parameter pollution issues.
Encode the user input using CSS hex.
Prevent line breaks and put quotes around the variable (i.e., user input) and hex encode.
Use input sanitization by utilizing the inbuilt libraries in PHP, or any other language In which your web application is coded.