What is XSS (Cross-Site Scripting)


XSS is a client-side code injection attack. The attacker targets a web page or web application and tries to get a malicious script to execute in the user's browser. Websites that accept input, such as those with comment sections or forums, are the most common victims of this attack.

When a malicious script, usually written in JavaScript, is injected into a website or web app, it affects all the users who visit that website. For example, if someone injects a malicious script into Facebook's comment section and we open that photo to read the comments, the code executes and we are affected as well.

XSS is not the user's problem but that of the vulnerable web app or website.

One of the malicious actions an attacker can perform with JavaScript is cookie theft. By stealing a cookie, an attacker may gain access to the session tokens that a cookie usually stores, and can then impersonate the user.
For example: suppose you are using Netflix, having provided your email and password, which are stored in your browser in cookies until you log out. If the attacker successfully hijacks your cookie and opens it in his own browser, he can use your Netflix account.

Criminals often use XSS to steal cookies. This allows them to impersonate the victim. The attacker can send the cookie to their own server in many ways.

How to Prevent XSS

Validating input
Validating input is the process of ensuring an application is rendering the correct data and preventing malicious data from doing harm to the site, database, and users. While whitelisting and input validation are more commonly associated with SQL injection, they can also be used as an additional method of prevention for XSS. Blacklisting, or disallowing certain predetermined characters in user input, blocks only known bad characters, whereas whitelisting allows only known good characters and is a better method for preventing XSS attacks as well as others.


Escaping
Escaping data means making sure the data your application has received is secure before rendering it to end users. By escaping user input, key characters in the data received by a web page are prevented from being interpreted in any malicious way.

Sanitization
A third way to prevent cross-site scripting attacks is to sanitize user input. Sanitizing data is a strong defense. It’s totally possible you’ll find the need to use all three methods of prevention in working towards a more secure application. Sanitizing user input is especially helpful on sites that allow HTML markup, to ensure data received can do no harm to users as well as your database by scrubbing the data clean of potentially harmful markup, changing unacceptable user input to an acceptable format.


Filtering

Filter all data coming from the user's side, because it may contain malicious code. These common items must be filtered: the <script> tag, JavaScript commands, CSS styles and other dangerous HTML markup such as event handlers.
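
The sketch below is an added example, not code from the original post: it puts whitelist validation and output escaping next to a blacklist filter that strips only <script> tags, and runs all of them on constructed comment strings. The function names and the username policy are assumptions made for the illustration.

```javascript
// Added example: function names and sample inputs are constructed for illustration.

// Escaping: encode the characters HTML treats as markup so input renders as text.
// Suitable for HTML body text and quoted attribute values, not for script or URL contexts.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Whitelist validation: accept only known-good characters (assumed username policy).
function isValidUsername(value) {
  return typeof value === 'string' && /^[A-Za-z0-9_]{3,20}$/.test(value);
}

// Blacklist filtering, for comparison: removes only <script> tags.
function stripScriptTags(value) {
  return String(value).replace(/<\/?script[^>]*>/gi, '');
}

// Validate the author on input, escape both fields on output.
function renderComment(author, text) {
  if (!isValidUsername(author)) {
    throw new Error('invalid username');
  }
  return `<p><b>${escapeHtml(author)}</b>: ${escapeHtml(text)}</p>`;
}

// Constructed sample comments: one script tag, one event handler.
const SAMPLES = ['<script>alert(1)</script>', '<img src=x onerror="alert(1)">'];

function compare() {
  return SAMPLES.map((input) => ({
    input,
    blacklisted: stripScriptTags(input), // event-handler markup passes through unchanged
    escaped: escapeHtml(input),          // no "<" survives, so nothing parses as a tag
  }));
}

for (const row of compare()) {
  console.log(row);
}
```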
