Cross-site scripting (XSS) is a type of computer security vulnerability typically
found in Web applications. XSS enables attackers to inject
client-side script into Web pages viewed by other users. A cross-site
scripting vulnerability may be used by attackers to bypass access
controls such as the same-origin policy.
What makes it so serious is this: the client assumes the server will send it trusted code, yet as developers we know that server applications can be tricked into sending untrusted code to the client.
Consequences:
An attacker can run a script in the wrong security context:
- Cookies can be read/written
- Plug-ins and native code can be launched or scripted with untrusted data
- User input can be intercepted
- Spoofing
- Complete credential exposure if the site is Passport enabled
Only one vulnerable page on one Web server in a domain is required to
compromise the entire domain.
It’s not difficult; we just need to follow these easy steps to protect against it:
- Filter input (server side)
Don’t even think of relying on client-side filtering!
Search for invalid characters and remove them from the stream.
< “ > ‘ % & ; ( ) + =
Why these characters:
i. < > Blocks HTML tags
ii. “ ‘ Blocks quotes from being closed off
iii. % & Make sure you don’t decode HTML or HTTP encoding on the server
iv. ; ( ) Blocks script from working if the reflected input lands in the middle of a script block
v. + = Blocks UTF-7 and UTF-8 encoding
- Encode the output
URLEncode or HTMLEncode output strings which haven’t been validated
Also in Web.Config:
<system.web>
  <httpRuntime encoderType="System.Web.Security.AntiXss.AntiXssEncoder" />
</system.web>
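As an added example (not from the original post), here is a small C# console program that applies both defences above, the character filter and the output encoding, to constructed sample inputs; the class and method names are my own. Running it also shows the caveat a practitioner should keep in mind: filtering silently alters legitimate data (the ampersand and apostrophe in a name), whereas encoding preserves the data and still renders the markup inert.

```csharp
using System;
using System.Net;
using System.Text.RegularExpressions;

// Added example, not code from the original post.
public static class XssDefences
{
    // The post's blocklist: < " > ' % & ; ( ) + =
    private static readonly Regex Blocked =
        new Regex(@"[<>""'%&;()+=]", RegexOptions.Compiled);

    // Server-side input filter: remove every blocked character from the stream.
    public static string FilterInput(string input)
    {
        return Blocked.Replace(input ?? string.Empty, string.Empty);
    }

    // Output encoding for text written into an HTML element body.
    // WebUtility.HtmlEncode escapes < > & " and ' (the last as &#39;).
    public static string HtmlEncodeOutput(string value)
    {
        return WebUtility.HtmlEncode(value ?? string.Empty);
    }

    // Output encoding for a value placed into a URL query string.
    public static string UrlEncodeOutput(string value)
    {
        return Uri.EscapeDataString(value ?? string.Empty);
    }

    public static void Main()
    {
        // Constructed sample inputs: a benign name, a script tag, and a
        // percent-encoded tag (which is why the post says not to decode on the server).
        string[] samples =
        {
            "O'Reilly & Sons",
            "<script>alert(document.cookie)</script>",
            "%3Cscript%3E",
        };

        foreach (string s in samples)
        {
            Console.WriteLine("raw:      " + s);
            Console.WriteLine("filtered: " + FilterInput(s));      // characters removed, data changed
            Console.WriteLine("html:     " + HtmlEncodeOutput(s)); // data kept, markup inert
            Console.WriteLine("url:      " + UrlEncodeOutput(s));
            Console.WriteLine();
        }
    }
}
```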