How to Protect a Website from XSS Attacks
This article shows how developers of web applications can protect their websites from XSS attacks. Before exploring prevention, it is necessary to understand what an XSS attack is.
Cross-site Scripting, also known as XSS, is a way of bypassing the same-origin policy (SOP), one of the most important security principles in every web browser. XSS attacks are a type of injection: the attacker uses a web application to deliver a malicious script, generally a browser-side script, to an unsuspecting end user. Whenever HTML is generated dynamically from untrusted data, an attacker can insert his own HTML into the page the end user receives. The browser executes the injected code as if it belonged to the website it was injected into, because it arrives from that site's own origin.
An attacker can easily insert JavaScript code this way. Running in the site's origin, the script can access other pages on the same domain and read data such as CSRF tokens or set cookies.
Cookies containing session identifiers can be read by the injected JavaScript; the attacker can then use them in his own browser and log in to the web application as the victim. If that does not work, the attacker can still read private information from the pages, such as CSRF tokens, and make requests on behalf of the user.
It is very important to apply context-dependent output encoding to prevent cross-site scripting vulnerabilities. In some contexts it is necessary to encode the HTML special characters, such as the opening and closing angle brackets of tags. In other contexts a correctly applied URL encoding is necessary. Links should generally be disallowed unless they begin with a whitelisted protocol such as http:// or https://, which prevents the use of URI schemes such as javascript://.
Most modern web browsers have a built-in XSS filter, but such filters cannot catch every kind of cross-site scripting attack. They are deliberately not strict, so as to avoid false positives that would prevent legitimate pages from loading correctly. A browser's XSS filter should only be a "second line of defense" whose purpose is to minimize the impact of existing vulnerabilities.
Now that we have discussed how XSS attacks work, we can turn to some of the most common methods for preventing them on your website. Here are several prevention methods you can use to stop an XSS attack and help keep your website's data safe:
Use the right META tag
Here is a meta tag that you can use on each page of your site to declare the character set:
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
Declaring the character set explicitly greatly reduces the number of forms an XSS script injection can take, because the browser no longer has to guess the encoding of the page.
Escaping
The most common method for preventing XSS vulnerabilities is escaping user input. Escaping data means securing the data an application receives before rendering it to the end user. By escaping user input, key characters in the data received by a web page are prevented from carrying out malicious attacks: characters that could cause harm to the application and/or its users, especially < and >, are rendered as literal text rather than interpreted as markup.
The rule of thumb is to escape any and all HTML, URL, and JavaScript entities if your page does not allow users to add their own markup. If your web page does allow users to add rich text, such as on forums or in post comments, you will need to carefully choose which HTML entities you escape and which you allow.
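The context-dependent encoding described above (HTML escaping, URL-scheme whitelisting and URL encoding) put together in one rendering routine. This is an added example, not code from the article; the comment shape and the `/search?q=` path are assumptions, and the sample comment is constructed.

```javascript
// HTML context: neutralise the characters that can open a tag, close an
// attribute, or start an entity, so user text is shown rather than parsed.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;',
  '"': '&quot;', "'": '&#x27;', '/': '&#x2F;',
};
function escapeHtml(value) {
  return String(value).replace(/[&<>"'/]/g, (ch) => HTML_ESCAPES[ch]);
}

// URL context: accept only whitelisted schemes. Anything else (including
// javascript: and unparsable input) is replaced by an inert "#" link.
const ALLOWED_SCHEMES = ['http:', 'https:'];
function safeHref(url) {
  try {
    const parsed = new URL(String(url).trim());
    return ALLOWED_SCHEMES.includes(parsed.protocol) ? parsed.href : '#';
  } catch {
    return '#';
  }
}

// Query-string context: percent-encode so the value cannot break out of
// its parameter. This is a different encoding from HTML escaping.
function searchLink(term) {
  return '/search?q=' + encodeURIComponent(term);
}

// Each value is encoded for the context it lands in. The href values pass
// through escapeHtml as well because they sit inside an HTML attribute.
function renderComment(comment) {
  return '<div class="comment">' +
    '<a href="' + escapeHtml(safeHref(comment.link)) + '">' +
    escapeHtml(comment.author) + '</a>' +
    '<p>' + escapeHtml(comment.text) + '</p>' +
    '<a href="' + escapeHtml(searchLink(comment.tag)) + '">#' +
    escapeHtml(comment.tag) + '</a></div>';
}

// Constructed sample input: markup in the text, a disallowed link scheme,
// and a tag containing query-string metacharacters.
const SAMPLE_COMMENT = {
  author: 'Mallory <admin>',
  text: '<script>alert(1)</script>',
  link: 'javascript:alert(1)',
  tag: 'a&b=c',
};
console.log(renderComment(SAMPLE_COMMENT));
```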
Validating Input
Validating input is another prevention method. It ensures an application renders only correct data and prevents malicious input from harming the site, its database, and its users. Although whitelisting and input validation are more commonly associated with SQL injection, they can also be used as an additional layer of prevention for XSS. Whitelisting allows only known-good characters, which helps prevent XSS attacks as well as other injection attacks, whereas blacklisting disallows only known-bad characters.
Input validation is not a primary prevention method for vulnerabilities such as XSS, but it is helpful for reducing the impact should an attacker discover such a vulnerability.
Sanitizing
The next method for preventing cross-site scripting attacks is to sanitize user input. Sanitizing data is a strong defense that is especially helpful on sites that allow HTML markup, because it ensures the received data can do no harm to your users or your database. It guarantees that malicious users cannot inject scripts through their HTML submissions.