- Web Security
- Phone Security
How to Protect Website from XSS attack
This article shows one method that developers of web applications can use to protect their websites from XSS attacks. Before going to explore the prevention it is necessary to understand what is XSS attacks.
Cross-site Scripting, also known as XSS, is a way of bypassing the SOP concept. SOP is one of the most important security principles in every web browser. Cross-Site Scripting (XSS) attacks are a type of injection, this can be used by the attackers to send a malicious script to an unsuspecting user.XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Whenever HTML code is generated dynamically, an attacker could insert his own HTML code to the end user. The web browser will still show the user’s code since it pertains to the website where it is injected.
Even though most modern web browsers have an inbuilt XSS filter but they cannot catch all kinds of cross-site scripting attacks and are not strict so not to lead to false positives, which would prevent some pages from loading correctly. A web browser’s XSS filter should only be a “second line of defense” and the idea is to minimize the impact of existing vulnerabilities.
Now we discuss how XSS attacks work, we can begin to discuss some of the most common methods that can take to prevent it from being a reality in your website. Here are some different prevention methods you can utilize to prevent an XSS attack and help keep your website data safe:
Use the right META tag
Here’s a meta tag that you can use on each page in your site to declare characters:
<META http-equiv=”Content-Type” content=”text/html; charset= ISO-8859-1″>
The importance of using this meta tag is that it will greatly reduce the number of potential forms that an XSS script injection can take.
The most common method that you can use to prevent XSS vulnerabilities is by escaping user input. Escaping data means ensuring the data security that can be received by an application before rendering it for the end user. By escaping user input, key characters in the data received by a web page will be prevented any malicious attacks. Data censoring that will disallow the characters – especially < and > characters – from being rendered, which otherwise could cause harm to the application and/or users.
Validating input is another prevention method that ensuring an application is rendering the correct data and preventing malicious attacks from doing harm to the site, database, and any users. Whitelisting and input validation are more commonly associated with SQL injection, they can also be used as an additional method of prevention for XSS. This will only allow good known characters for preventing XSS attacks as well as others.
Whereas blacklisting disallows only known bad characters.
Input validation is not a primary prevention method for vulnerabilities such as XSS attacks but it is helpful and good to reduce the effects should an attacker discover such a vulnerability.
Next method to prevent cross-site scripting attacks is to sanitize user input. Sanitizing data is a strong defense, that will helpful on sites that allow HTML markup, to ensure that the received data can do no harm to users as well as your database. This will ensure malicious users cannot inject scripts in their HTML submissions.