Smart Ways to Prevent XSS Attack

6-Prevent-XSS-Attack

Nowadays web applications are exposed to dangerous threats such as cross site scripting or XSS. Recent research also says that XSS even attaches itself to some of the most popular web platforms including Facebook ,Twitter, Google, Paypal, Amazon and several others. For someone familiar with the ‘Bug bounty’ program, they would know that most errors are related to XSS attacks.

Eventhough browsers are being updated with filters to detect XSS attack , but still XSS is able to find a loophole to attack. XSS is commonly used by hackers to spread malware, to steal cookies, malicious redirections and for hijacking sessions. The attack begins by the injection of malicious javascript code into the web platform such that the browser execute the code and is exposed to attack. The interesting thing with regard to XSS is that it is easy to detect but quite difficult to patch.

XSS attack
XSS-Figure02

XSS error is always injected anywhere in an application where the original syntax of the code is not being properly encoded. In conditions, where the input is not properly encoded, the users will operate upon malicious program instead of the harmless original script. Browsers doesn’t know whether to treat the new script as a part of the program else block it from executing.

Example:

Search boxes are common to all the websites. The coded form will almost look like:

<form action=”search.php” method=”get”>

<input type=”text” name=”n” value=””/>

<input type=”submit” value=”send”/>

</form>

The search.php from where the query draws the results also lists the “keywords” and “Search results”. The webpage code will look like,

<h3>you searched for :<!–?php echo ($_GET[‘q’]) ?–>

Whatever maybe the search query it will be displayed alongside the search results in the webpage. Now hacker injects the following code,

“><script>alert(‘XSS injection’)</script>

The browser doesn’t get any implication of either the encoded input or filter malicious scripts.  It prints the statement as such.The result will be like ,

<h3>you searched for:”><script>alert(‘XSS injection’)</script>

The above command will be executed as such producing result as ‘XSS injection’.

Ways to prevent XSS attack

It is important for the websites to be developed using special security development life cycle or SDLC  in order to prevent becoming a victim to attack. The main aim of this approach is to reduce the coding errors as well as security related design errors. SDLC will minimize the severity of undetected XSS attacks. Several open source libraries are available to provide support and this includes,

  1. PHP AntiXSS: This guard against vulnerabilities this adds an extra layer of protection. It automatically detects encoding data and filter the same.
  2. xss_clean.php filter:It is a very powerful filter. This is used by the developers to clean nested exploits and URF encodings.
  3. HTML purifier:HTML purifier is a standard filtering library. It removes malicious coding from inputs and prevent attacks. It is also available as a plugin for the php developers.

In the end, it completely depends on the developer ability to come up with a secure development life cycle. In  terms of business XSS attacks, damages the reputation and customer database. To prevent this regular check has to be implemented, for end to end customer support contact us on sales@veltrod.in.


About Author

Madhumitha Srinivas

I am an avid reader. My ultimate goal is to convey complex information in a much more simple and interesting form.

For business enquiry, please contact us

TOP BLOGGER

© Copyright 2013 Veltrod Scroll Top