Week 7

Cross-site scripting, commonly referred to as XSS, is a web application vulnerability that allows an attacker to execute malicious JavaScript in the client's web browser. It is a major weakness in how web technology works: the script that runs on the client can be manipulated by the attacker. The core idea of an XSS attack is to embed malicious code in the client-side code of a web application so that it executes when the page loads or when a certain event or action occurs. XSS is one of the most common vulnerabilities today, and it is easy to exploit even for a novice attacker. Developers must pay close attention to the client-side script and ensure that protective measures are in place on the client and, more importantly, in the server-side code.

How does an XSS attack occur? In a typical web application scenario, the user submits a request from the browser to the server; the server processes it and returns a confirmation to the user. For example, the user might fill out a registration form consisting of typical user profile fields; the server processes the request and echoes back a confirmation message such as "xyz@abc.com was created successfully". An attacker might inject JavaScript into the email address field. It is processed on the server and returned to the user, and when control returns to the browser, the browser executes the malicious JavaScript the attacker embedded. This is the simplest form of XSS attack and is commonly referred to as reflective XSS. In the real world the attacks are much more sophisticated: for instance, the attacker might inject script into a URL that the user clicks, and before the user submits the form to the application the malicious script may send the data elsewhere as well. A more serious attack occurs when the user profile form is saved in permanent storage on the server, for example a database. In that case the malicious code is also stored permanently and executes each time the data is loaded. This type of attack is called persistent XSS and has much wider consequences than the reflective form.

Now that we understand what an XSS attack is, let's take a look at some of the ways XSS can be prevented, or at least made harder for attackers to exploit.

  1. Sanitize, Sanitize, Sanitize the input fields. I can't stress this enough: if developers get this right, it will prevent most XSS attacks. Make sure field validation is done on both the client and the server side. For example, if the field is an email address, ensure it can only take an email address and nothing else. If anything else is detected, reject it right away.
  2. Encode and decode input/output data. Even with sanitization there will be cases where you need to allow free text. For example, you might have a comments field that must accept alphanumeric characters and some special characters. In such cases, make sure you encode the data as soon as it is received by the server. This means characters that are commonly used to execute JavaScript, such as < and >, should be encoded as &lt; and &gt;.
  3. The last resort, which I frankly think is not a valid option, is to allow users to disable JavaScript completely. A few years back this might have been a valid choice, but these days websites rely heavily on JavaScript, and if it is disabled the site pretty much becomes unusable. The reality is that the web today relies heavily on JavaScript, so developers should take appropriate measures to secure it.