Defending Against Cross-Site Scripting Attacks (Defending Against XSS)
Hello dear readers,
Statistics from published reports show Cross-Site Scripting Attacks (XSS Attacks) as the number one attack exploiting vulnerabilities on WEB sites.
Are you aware of how to mitigate it? Is there a silver bullet for that?
An old song* from the 80s gives us a clue:
(Replace "house" with "WEB site")
"It's build a house where we can stay
Add a new bit everyday
It's build a road for us to cross
Build us lots and lots and lots and lots and lots"
Thinking from the attacker's perspective: a WEB site that adds a 'new bit everyday' adds a potential vulnerability everyday if threat modeling was not taken into consideration.
Below are some suggested ways to mitigate Cross-Site Scripting Attacks (XSS Attacks). You will need to research the details if you plan to apply them.
1) The DO and DO NOT:
DO:
- Take advantage of ASP.NET's RequestValidation
- Take advantage of ASP.NET's ViewStateUserKey
- Consider IOSec for data encoding
- Use the HttpOnly cookie option
- Use the <frame> security attribute
DO NOT:
- Trust user input (remember the human factor)
- Echo client-supplied data without encoding
- Store secret information in cookies
2) Input validation
- First line of defense: it can eliminate many possible vulnerabilities, but doesn't necessarily eliminate all of them
3) Output encoding
- By encoding user-supplied data at display time, we can ensure that the client browser will interpret it literally
4) Platform features
- RequestValidation property
- ViewStateUserKey property
5) Server.HtmlEncode() doesn't always protect your application
- It only encodes < > & "
6) Use IOSec (properly implemented)
- EncodeHtml()
- EncodeHtmlAttribute()
- EncodeVbs()
- EncodeJs()
- AsUrl()
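To make points 5 and 6 concrete, here is an added example (my own code, not IOSec's): an encoder that touches only the four characters named above, next to context-specific encoders in the spirit of EncodeHtmlAttribute() and EncodeJs(), which treat every character outside a small safe set as data. The class, method names and the sample input are this example's own.

```csharp
using System;
using System.Text;

static class XssEncode
{
    // Models the behaviour the post attributes to Server.HtmlEncode(): four characters only.
    // Note that the apostrophe and the space pass through untouched.
    public static string HtmlEncodeFourChars(string s) =>
        s.Replace("&", "&amp;").Replace("<", "&lt;").Replace(">", "&gt;").Replace("\"", "&quot;");

    // Letters and digits never need escaping in the contexts below.
    static bool IsAlnum(char c) =>
        (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9');

    // For an HTML attribute value: numeric entities for everything else, so a single-quoted
    // or unquoted attribute cannot be closed by the data (exactly what the four-character
    // encoder misses).
    public static string EncodeHtmlAttribute(string s)
    {
        var sb = new StringBuilder(s.Length * 2);
        foreach (char c in s)
        {
            if (IsAlnum(c)) sb.Append(c);
            else sb.Append("&#").Append((int)c).Append(';');
        }
        return sb.ToString();
    }

    // For a JavaScript string literal: \xHH / \uHHHH escapes, so quotes, backslashes and
    // the sequence </script> cannot end the literal or the enclosing <script> block.
    public static string EncodeJs(string s)
    {
        var sb = new StringBuilder(s.Length * 2);
        foreach (char c in s)
        {
            if (IsAlnum(c)) sb.Append(c);
            else if (c < 0x100) sb.Append("\\x").Append(((int)c).ToString("X2"));
            else sb.Append("\\u").Append(((int)c).ToString("X4"));
        }
        return sb.ToString();
    }

    static void Main()
    {
        string untrusted = "O'Neil <b>";   // constructed sample of client-supplied data
        Console.WriteLine(HtmlEncodeFourChars(untrusted));  // the ' is left unchanged
        Console.WriteLine(EncodeHtmlAttribute(untrusted));  // safe inside value='...' or value=...
        Console.WriteLine(EncodeJs(untrusted));             // safe inside var x = '...';
    }
}
```

Pick the encoder by the context the data lands in (HTML body, attribute value, script literal, URL); one encoder for all contexts is the gap the post warns about.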
A "new bit everyday" makes the race against attacks more and more challenging. XSS attacks are still at the top. The above are just a few suggestions; there is no silver bullet.
Anyone concerned about XSS attacks must 'add a brick everyday' to protect the 'road for them to cross'.
Do you want to dig deeper into this subject? Some good sources to visit:
- Uncover Security Design Flaws Using The STRIDE Approach
Regards,
Marins
P.S.: *Quotation from song: "Build" by The Housemartins.