# Cross Site Scripting
- Problem on websites that allow uncontrolled content uploads by users
- Forum, guest-book, etc. \(\rightarrow\) Stored XSS
- XSS is generally a problem if a website allows uncontrolled / unsanitized content provided by users / attackers \(\rightarrow\) DOM-based XSS, Reflective XSS
- JavaScript can be hidden in `<script>` tags, external JS files, event handlers and URLs

Good explanation of the Same Origin Policy; another good explanation.
## Testing

The following scripts can be used to test whether a website is protected against XSS:

```html
<!-- Display alert -->
'';!--"<XSS>=&{()}
<!-- Load xss.js -->
<script src="link-to-js.js"></script>
<!-- False image loading -->
<img src="javascript:alert('XSS');">
<!-- The same but using UTF-8 encoding -->
<IMG SRC=javascript:a...>
```
## Protection

- Data and input validation / sanitation
- Appropriate encoding of output data
  - `&lt;` stays `&lt;` and doesn't turn into `<`
- Specify character encoding for each page
- "Accept known good" validation
  - Reject invalid input
  - Do not attempt to sanitize potentially hostile data
  - Error messages might also include invalid data
- Java
  - Use Struts or JSF output validation and output mechanisms
  - Use JSTL
  - Do not use `<%= %>`
- .NET
  - Use the Microsoft Anti-XSS lib
- PHP
  - Ensure output is passed through `htmlentities()` or `htmlspecialchars()`
  - Content is first validated, then passed through `canonicalize()` to be stored, and then the output is encoded using `encodeForHTML()`
- DOM-based XSS
  - Use the right output method (sink): `innerText` and `textContent` instead of `innerHTML`
  - Don't use `eval` with user input
- Use the `X-XSS-Protection` header, which instructs the browser to check for XSS attacks and block the script if one is detected
  - Attacks are identified using patterns in the code that are commonly associated with XSS attacks
- Use the `Content-Security-Policy` HTTP header
  - Whitelist of sources from where the browser can load resources
  - Can define default-, script-, object-, style- and img-src
  - Without this setting a website can always call any source
- Be careful with advertisement brokers
  - Websites include scripts provided by ad brokers to show ads
  - Brokers could potentially run any code on the website, including the script
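An added example (not from the original notes) of the output-encoding step recommended above, written in JavaScript so it runs on Node: `encodeForHtml` does what PHP's `htmlspecialchars($s, ENT_QUOTES)` or ESAPI's `encodeForHTML()` do, and the guest-book renderer and the sample payloads (taken from the Testing section) are constructed for illustration. It covers only the HTML body and quoted-attribute context; JavaScript, URL and CSS contexts need their own encoders.

```javascript
// Characters that are significant in an HTML body or a quoted attribute value.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Encode a string so the browser renders it as text: "<" becomes "&lt;"
// and never turns back into a tag delimiter.
function encodeForHtml(input) {
  return String(input).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable rendering: user content is concatenated straight into markup,
// the stored-XSS pattern from a guest-book. Kept only to contrast with the safe version.
function renderCommentUnsafe(author, body) {
  return `<li><b>${author}</b>: ${body}</li>`;
}

// Safe rendering: every user-controlled value is encoded for the HTML context it lands in.
function renderCommentSafe(author, body) {
  return `<li><b>${encodeForHtml(author)}</b>: ${encodeForHtml(body)}</li>`;
}

// Detection check: true if the rendered fragment contains any tag other than the
// template's own <li>/<b>, i.e. user input broke out of the text context.
function introducesForeignTags(html) {
  const tags = html.match(/<\/?([a-zA-Z][\w-]*)/g) || [];
  return tags.some((t) => !/^<\/?(li|b)$/.test(t));
}

// Constructed sample input: the probe strings from the Testing section.
const SAMPLE_PAYLOADS = [
  `'';!--"<XSS>=&{()}`,
  `<script src="link-to-js.js"></script>`,
  `<img src="javascript:alert('XSS');">`,
];

// Run every payload through both renderers; the unsafe one leaks a foreign tag
// for each payload, the encoded one never does.
function demo() {
  return SAMPLE_PAYLOADS.map((payload) => ({
    unsafe: introducesForeignTags(renderCommentUnsafe("guest", payload)),
    safe: introducesForeignTags(renderCommentSafe("guest", payload)),
  }));
}
```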