Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Measures to prevent XSS vulnerability (like Twitter's one a few days before)

Tags:

xss

Even famous sites like Twitter are suffering from XSS vulnerability, what should we do to prevent this kind of attack?

like image 979
Billy Avatar asked May 03 '09 03:05

Billy


People also ask

What is cross site scripting XSS how do you avoid it?

Cross-site scripting (XSS) is a type of injection attack in which a threat actor inserts data, such as a malicious script, into content from trusted websites. The malicious code is then included with dynamic content delivered to a victim's browser. XSS is one of the most common cyber attack types.

Which is the best method to protect your website from XSS Cross Site Scripting?

Use the right META tag The benefit to using this meta tag is that it will greatly reduce the number of potential forms that an XSS script injection can take.

What is Cross site tracing XST )? How can it be prevented?

XST could be used as a method to steal user's cookies via Cross-site Scripting (XSS) even if the cookie has the “HttpOnly” flag set or exposes the user's Authorization header. The TRACE method, while apparently harmless, can be successfully leveraged in some scenarios to steal legitimate users' credentials.


3 Answers

The #1 Thing you can do is set your cookies to HTTP Only ... which at least protects against session cookie hijacking. Like someone stealing your cookie when you are likely admin of your own site.

The rest comes down to validating all user input.

  • RULE #0 - Never Insert Untrusted Data Except in Allowed Locations
  • RULE #1 - HTML Escape Before Inserting Untrusted Data into HTML Element Content
  • RULE #2 - Attribute Escape Before Inserting Untrusted Data into HTML Common Attributes
  • RULE #3 - JavaScript Escape Before Inserting Untrusted Data into HTML JavaScript Data Values
  • RULE #4 - CSS Escape Before Inserting Untrusted Data into HTML Style Property Values
  • RULE #5 - URL Escape Before Inserting Untrusted Data into HTML URL Attributes

Very lengthy subject discussed in detail here:

http://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

http://www.owasp.org/index.php/Cross_site_scripting

XSS is only one of many exploits and every web dev should learn the top 10 OWASP by heart imho

http://www.owasp.org/index.php/Top_10_2007

like image 74
Chad Grant Avatar answered Oct 01 '22 23:10

Chad Grant


Just like you can make SQL injection a non-issue by using prepared statements, you can make XSS non-issue by using templating engine (DOM serializer) that does similar thing.

Design your application so that all output goes via templating engine. Make that templating engine HTML-escapes all data by default. This way you'll have system that's secure by default and does not rely on humans (and rest of the large system) being diligent in escaping of HTML.

like image 21
Kornel Avatar answered Oct 01 '22 23:10

Kornel


I don't what you write your code with, but if your use asp.net, you are partly covered. asp.net has what they call request validation that when enabled, it prevent malicious script to be introduced via user input.

But sometimes, you'll have to allow some kind of text editor like the one you typed in this question. In this case, you'll have to partly disable request validation to allow some "rich text" html to be input by the end user. In this case you will have to build some kind of white list filtering mechanism.

FYI, I don't know about others but Microsft has library called Anti-Xss.

like image 41
Vanof Avatar answered Oct 01 '22 23:10

Vanof