Cross site scripting: Prevention & protection
We’ve talked about the dangers of cross site scripting (XSS), an attack that exploits the browser’s trust in the user. XSS flaws occur whenever an application takes untrusted data and sends it to a Web browser without proper validation and escaping. As you know by now, this attack typically aims to steal login credentials or other personal information. It’s bad.
So, what can you do to protect your site(s)?
As a website owner, you can take measures to prevent your site(s) from falling prey to XSS attacks. In order to prevent this type of attack, you’ll need to ensure that untrusted data is kept separate from browser content. Here’s how:
Site admin tips and tricks
As a website owner, the best option is to properly escape all untrusted data based on the HTML context (body, attribute, JavaScript, CSS, or URL) that the data will be placed into. Unless your UI framework or content management system (CMS) does this for you, your developers will need to include this escaping in your application. For example, with PHP you could use htmlentities() to escape (or sanitize) your inputs.
Positive (allowlist) input validation, combined with appropriate encoding, also helps protect against XSS. Output encoding converts the characters that carry special meaning for the target interpreter's parser (for HTML, characters such as <, >, &, and quotes) so that the interpreter treats them as plain data rather than markup or code. Additionally, make sure your CMS and its plugins/components are kept updated, as Web applications are often patched to prevent these types of attacks.
Stay current
As a Web surfer, you'll want to take some precautions when browsing online. First and foremost, keep your browser current. This helps prevent many exploits, as browsers are consistently updated to protect against XSS. How? In general, the browser runs client-side XSS filters, and each browser handles this differently.
- Google® Chrome™ uses a filter called XSSAuditor that analyzes the HTTP request and removes suspicious JavaScript functions.
- Mozilla Firefox® uses an XSS filter that will modify the payload using HTML entities and/or URL encoding. This will prevent the browser from triggering the malicious code.
- Microsoft Internet Explorer® uses a filter that divides the sent data into the categories “trusted” and “untrusted.” The filter then runs on the “untrusted” data to check for immediate code execution. If found, it modifies the response body before loading the page to prevent the malicious script from running.
These filters are usually updated with each new version of a browser — so it’s imperative to keep your browser current.
Add-ons and more
Additionally, there are browser add-ons, including NoScript, that can help prevent XSS attacks. NoScript allows you to allowlist sites running JavaScript, disable certain types of actions, and do a lot more to protect your site(s) from attack.
Want to learn more? These resources can help: