We’ve talked about the dangers of cross site scripting (XSS), an attack that exploits the browser’s trust in the user. XSS flaws occur whenever an application takes untrusted data and sends it to a Web browser without proper validation and escaping. As you know by now, this attack typically aims to steal login credentials or other personal information. It’s bad.
So, what can you do to protect your site(s)?
As a website owner, you can take measures to prevent your site(s) from falling prey to XSS attacks. To prevent this type of attack, you need to ensure that untrusted data is kept properly separated from active browser content. Here’s how:
Site admin tips and tricks
Positive (allowlist) input validation, combined with appropriate output encoding, also helps protect against XSS. Output encoding ensures that any characters with special meaning to the interpreter’s parser are rendered as plain data rather than interpreted as code. Additionally, keep your CMS and its plugins/components updated, as Web applications are frequently patched to close these types of holes.
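One way to apply the two measures above, allowlist validation and output encoding, is shown in this added JavaScript example (not code from the original post; the display-name rule, the comment field, and the sample input are assumptions made for illustration):

```javascript
// Added example: allowlist input validation plus context-aware output encoding.
// Runs under Node.js with no dependencies.

// Characters with meaning to the HTML parser, mapped to their entity forms.
const HTML_ENTITIES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;',
  '"': '&quot;', "'": '&#x27;', '/': '&#x2F;',
};

// Output encoding for the HTML body / attribute-value context: every character
// the parser could interpret as markup is emitted as data instead.
function encodeForHtml(untrusted) {
  return String(untrusted).replace(/[&<>"'\/]/g, (ch) => HTML_ENTITIES[ch]);
}

// Positive (allowlist) validation: accept only what a display name may contain
// and reject everything else, rather than trying to strip known-bad patterns.
// (Assumed rule: 1-32 characters of letters, digits, space, underscore, hyphen.)
function validateDisplayName(input) {
  return /^[A-Za-z0-9 _-]{1,32}$/.test(input);
}

// The vulnerable pattern: untrusted data concatenated straight into markup.
function renderGreetingUnsafe(name) {
  return '<p>Welcome, ' + name + '!</p>';
}

// The hardened pattern: validate first, then encode for the output context.
// Returns null when validation fails so the caller can reject the request.
function renderGreetingSafe(name) {
  if (!validateDisplayName(name)) return null;
  return '<p>Welcome, ' + encodeForHtml(name) + '!</p>';
}

// Free-text fields (a comment, say) cannot use a tight allowlist, so output
// encoding alone carries the defence there: the text is shown, never executed.
function renderCommentSafe(text) {
  return '<div class="comment">' + encodeForHtml(text) + '</div>';
}

// Constructed sample input for demonstration; not data from a real site.
const SAMPLE_INPUT = '<script>alert(1)</script>';

console.log(renderGreetingUnsafe(SAMPLE_INPUT)); // script lands in the page
console.log(renderGreetingSafe(SAMPLE_INPUT));   // null: rejected by allowlist
console.log(renderCommentSafe(SAMPLE_INPUT));    // entities: rendered as text
```

The validator rejects the sample outright, while the encoder turns the same input into harmless entities for fields where an allowlist is too restrictive.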
As a Web surfer, you’ll want to take some precautions when browsing online. First and foremost, keep your browser current. This will help prevent many exploits, as browsers are consistently updated to protect against XSS. How? In general, the client side runs filters, and each browser handles this differently.
- Mozilla Firefox® uses an XSS filter that will modify the payload using HTML entities and/or URL encoding. This will prevent the browser from triggering the malicious code.
- Microsoft Internet Explorer® uses a filter that divides the sent data into the categories “trusted” and “untrusted.” The filter then runs on the “untrusted” data to check for immediate code execution. If found, it modifies the response body before loading the page to prevent the malicious script from running.
These filters are usually updated with each new version of a browser — so it’s imperative to keep your browser current.
Add-ons and more
Want to learn more? These resources can help:
- Open Web Application Security Project (OWASP)
- Web Application Security Consortium (WASC)
- Black Hat
- Stanford University
- Exploit DB