7 Anthony Udoh Street Ajao Estate, Lagos, Nigeria [email protected]

kAsTech - Read More

Kastech Protects all its Application against XSS



Cross-site Scripting (XSS) is a client-side code injection attack. The attacker aims to execute malicious scripts in a web browser of the victim by including malicious code in a legitimate web page or web application. The actual attack occurs when the victim visits the web page or web application that executes the malicious code. The web page or web application becomes a vehicle to deliver the malicious script to the user’s browser. Vulnerable vehicles that are commonly used for Cross-site Scripting attacks are forums, message boards, and web pages that allow comments.

A web page or web application is vulnerable to XSS if it uses unsanitized user input in the output that it generates. This user input must then be parsed by the victim’s browser. XSS attacks are possible in VBScript, ActiveX, Flash, and even CSS. However, they are most common in JavaScript, primarily because JavaScript is fundamental to most browsing experiences. An attacker can inject untrusted snippets of JavaScript into your application without validation. This JavaScript is then executed by the victim who is visiting the target site. It classified into three types.

Reflected XSS Stored XSS DOM-Based XSS

In Reflected XSS, an attacker sends the victim a link to the target application through email, social media, etc. This link has a script embedded within it which executes when visiting the target site.
In Stored XSS, the attacker is able to plant a persistent script in the target website which will execute when anyone visits it.
With DOM Based XSS, no HTTP request is required, the script is injected as a result of modifying the DOM of the target site in the client side code in the victim’s browser and is then executed.

Preventing XSS.
To keep yourself safe from XSS, you must sanitize your input. Your application code should never output data received as input directly to the browser without checking it for malicious code. Our examples are going to based on PHP since it’s the most used web technology.

Some prevention techniques are the use of google code against XSS. Download the library here and implement the code with a sample below:



$data = AntiXSS::setFilter($data, "white", "string"); //For strings
$data = AntiXSS::setFilter($data, "white", "number"); //For numbers
$data = AntiXSS::setFilter($data, "black"); //Filter against all

If your application processes high amount of html and rich media, you can download the htmlpurifier and implement it by using a sample code below:

require ('../htmlpurifier/HTMLPurifier.auto.php');
$c> $config->set('HTML.Allowed', 'p,b,a[href],i'); // basic formatting and links
$HTML_Secure = new HTMLPurifier($config);

// Use HTML Purifier to prevent XSS in this user's profile
echo $HTML_Secure->purify($string_data);

The internet provides other ways of protecting yourself against XSS.

OTHER BLOG POST

  • Kastech Protects all its Application against XSS

    kAsTech Network

  • Settings Cookies With JQUERY

    kAsTech Network

  • Pros and Cons of Artificial Intelligence - Forbes

    kAsTech Network

  • BlueBorne - The Bluetooth Virus

    kAsTech Network

  • kAsTech Upgrades School Portal

    kAsTech Network

  • KasTech unveils KasHost

    kAsTech Network

  • Kastech Launches Website

    kAsTech Network