Let's get our hands dirty with XSS 😛
1) Prompted to input data in a text field, insert a script there.
2) Here we have the output.
How about the comment fields?
1) Tried entering <script>, but all in vain.
3) Images are good too
1) Here the code is not designed to handle errors: a failed image load is never caught.
2) We enter 112 (= no image), so the image fails to load.
ENOUGH PLAY... LET'S FIX THIS
- Data should not be allowed to break out of its entry point
- Data should not be able to interact with the code
- Data should never be treated as code
- Input filtering / sanitization
- HTML Encoding
- Content Security Policy (CSP)
- Web browser security
- Secure coding
Filtering or sanitization is one way to prevent XSS. There is a small difference between the two kinds of filtering:
- Input filtering filters the data as it is received and parsed.
- Output filtering filters the data as it is written back to the page.
Let's take an example: a simple filter searches for the string <script> and removes it.
For the input below:
After the filter runs, the output is:
and the attack still succeeds: the filter removed one literal string, not the attacker's ability to produce executable markup, so what is written back to the page still carries a working payload.
Alternatively, a WAF (web application firewall) can also help: it will alert on or drop the request, depending on its configuration. WAFs will be covered in a separate article.
ENCODING and ESCAPING
Use a vetted encoding library, e.g. the Microsoft Anti-Cross Site Scripting Library. HTML encoding is necessary but not sufficient on its own: it stops injected tags in HTML body content, but it does not help when the data lands inside a script block or an event-handler attribute (onmouseenter, onerror, and so on), because that context is already JavaScript. Escape the data for the context it is written into.
Escaping masks the characters in the input that have meaning to the parser, so that the result is not interpreted as code.
<script>alert – before escaping
&lt;script&gt;alert – after escaping
CONTENT SECURITY POLICY (CSP)
CSP creates a source whitelist for client-side resources: where scripts may be loaded from, where images may come from, where CSS may come from. It has a directive for each of these (script-src, img-src, style-src, with default-src as the fallback for anything not named).
These are sent in the Content-Security-Policy HTTP response header.
WEB Browser Security
- Browser selection – since attackers want to reach the largest audience, they build attacks that work on the most common browsers. A less common browser is hit by fewer mass-market attacks, though that is no substitute for keeping it patched.
- Use extensions, e.g. NoScript for Firefox.
- Disable some features (JavaScript) – this may break sites, but it removes the attack surface.
- Use VMs (virtual machines) – even if the browser in the VM is compromised, the important data stays safely on the host.
- Don't click links in emails – browse to the site manually, and hover over URLs to see their real destination.
- Long URLs – decode them and check whether HTML is embedded in them.