Smart Ways to Prevent XSS Attack
Web applications today are exposed to dangerous threats such as cross-site scripting (XSS). Recent research also shows that XSS has affected some of the most popular web platforms, including Facebook, Twitter, Google, PayPal, Amazon and several others. Anyone familiar with bug bounty programs knows that most reported bugs are XSS-related.
An XSS flaw appears wherever an application inserts input into its output without properly encoding it. Where the input is not properly encoded, users end up running a malicious script instead of the harmless original one, because the browser cannot tell whether to treat the new script as part of the page or block it from executing.
Search boxes are common to almost all websites. The form code usually looks like this:
<form action="search.php" method="get">
<input type="text" name="q" value=""/>
<input type="submit" value="send"/>
</form>
The search.php page that produces the results also displays the keywords along with the "Search results". Its code will look like:
<h3>you searched for: <?php echo $_GET['q']; ?></h3>
Whatever the search query is, it is displayed alongside the search results on the page. Now an attacker submits a search query containing a script tag (the payload can be seen in the rendered output below).
The browser receives no indication that the input should be encoded, and no filter strips malicious scripts, so it renders the string as-is. The result will be:
<h3>you searched for: "><script>alert('XSS injection')</script>
The injected script executes and pops an alert reading 'XSS injection'.
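As an added example that is not part of the original article, here is a hardened version of the search.php page sketched above. The fix is output encoding at the point where the untrusted query meets HTML: `htmlspecialchars` with `ENT_QUOTES` turns `<`, `>`, `&`, `"` and `'` into entities, so the reflected query can no longer close the `value` attribute or open a `<script>` tag. The function names, the `$payload` string and the CSP header are assumptions made for this example, not the article's own code.

```php
<?php
// Added example (not from the original article): a hardened search.php.
// All names here are assumed for illustration.

declare(strict_types=1);

/**
 * Encode a string for safe insertion into HTML element content or a
 * double-quoted attribute value. ENT_QUOTES also encodes single quotes,
 * ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
 */
function esc_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * The vulnerable rendering from the article: the query is echoed unencoded.
 * Kept only so the two outputs can be compared side by side.
 */
function render_vulnerable(string $query): string
{
    return '<h3>you searched for: ' . $query . '</h3>';
}

/**
 * Hardened rendering: the same form and heading, with the query encoded
 * once and reused in both the attribute and the element-content context.
 */
function render_safe(string $query): string
{
    $q = esc_html($query);
    return '<form action="search.php" method="get">'
         . '<input type="text" name="q" value="' . $q . '"/>'
         . '<input type="submit" value="send"/>'
         . '</form>'
         . '<h3>you searched for: ' . $q . '</h3>';
}

// Constructed payload mirroring the article's example; used only as the
// default query when the script is run from the command line.
$payload = '"><script>alert(\'XSS injection\')</script>';

// Defence in depth: a restrictive Content Security Policy blocks inline
// scripts even if an encoding bug slips through. Headers must be sent
// before any output.
if (!headers_sent()) {
    header("Content-Security-Policy: default-src 'self'; script-src 'self'");
}

$query = (isset($_GET['q']) && is_string($_GET['q'])) ? $_GET['q'] : $payload;

echo "Vulnerable:\n", render_vulnerable($query), "\n\n";
echo "Hardened:\n", render_safe($query), "\n";
```

The same `esc_html` helper is correct for element content and double-quoted attribute values, but not for other contexts: a query placed inside a JavaScript string, a URL parameter or a CSS value needs the encoder for that context instead.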
Ways to prevent XSS attack
Websites should be built using a security-focused development life cycle (secure SDLC) to avoid becoming a victim of such attacks. The main aim of this approach is to reduce coding errors as well as security-related design errors; it also limits the severity of any XSS flaw that goes undetected. Several open-source libraries are available to help, including:
- PHP AntiXSS: guards against these vulnerabilities by adding an extra layer of protection. It automatically detects the encoding of input data and filters it.
- xss_clean.php filter: a very powerful filter, used by developers to clean nested exploits and UTF encodings.
- HTML Purifier: a standards-compliant filtering library. It removes malicious code from inputs and prevents attacks. It is also available as a plugin for PHP developers.
In the end, it all depends on the developer's ability to put a secure development life cycle in place. In business terms, XSS attacks damage both reputation and the customer database. Regular checks must be implemented to prevent this; for end-to-end customer support contact us at firstname.lastname@example.org.