Defending Against Cross-Site Scripting Attacks (Defending Against XSS)

  • Article

Hello dear readers,

Published reports' statistics show "Cross-Site Scripting Attacks (XSS Attacks) " as the number one attack for exploited vulnerabilities on the WEB sites.

Are you aware about how to mitigate against it? Is there a silver bullet for that?

An old song* from 80's give us a clue:

(Replaces "house" by "WEB site")

"It's build a house where we can stay
Add a new bit everyday
It's build a road for us to cross
Build us lots and lots and lots and lots and lots"

Thinking from attackers perpective: a WEB site can add a 'new bit everyday' that means a potential vulnerability everyday if a threat modeling was not taken in consideration.

Below some suggested ways to mitigate from "Cross-Site Scripting Attacks (XSS Attacks) ". You will need to research for details if planning to apply them.

1) The DO and DO NOT:

DO:

Ÿ- Take advantage of ASP.NET’s RequestValidation

Ÿ- Take advantage of ASP.NET’s ViewStateUserKey

Ÿ- Consider IOSec for data encoding

Ÿ- Use the HttpOnly cookie option

Ÿ- Use the <frame> security attribute

DO NOT:
  - Trust user input (remember: Human's factor)
  - Echo client-supplied data without encoding
  - Store secret information in cookies

 2) Input validation

Ÿ  First line of defense – can eliminate many possible vulnerabilities, but doesn’t necessarily eliminate all of them

 

3) Output encoding

Ÿ  By encoding user-supplied data at display time, we can ensure that the client browser will interpret it literally

 

4) Platform features

Ÿ RequestValidation property

Ÿ ViewStateUserKey property

 

5) Server.HtmlEncode() doesn’t alwaysprotect your application

Ÿ  It only encodes < > & “

 

6) Use IOSec (properly implemented)

Ÿ  EncodeHtml()

Ÿ  EncodeHtmlAttribute()

Ÿ  EncodeVbs()

Ÿ  EncodeJs()

Ÿ  AsUrl()

 

A "new bit everyday" makes the race against attacks more and more challenging. XSS attacks still in the top. Above just a few suggestions. There's no a silver bullet.

 

Anyone concerned about XSS attacks must 'add a brick everyday' trying to protect a 'road for them to cross' .

 

Do you want to dig more in this subject? Some good sources to visit:

 

- Security Developer Center

- Uncover Security Design Flaws Using The STRIDE Approach

 

Regards,

Marins

 

P.S.: *Quotation from song: "Build" by The Housemartins.