XSS Prevention Measures

By: Pooja

XSS is possible due to the improper input filtering that eases the process of illicit code injection for the attacker. It is identified as one of the most dangerous web application vulnerabilities because it is ranked in the top 10 security vulnerabilities by OWASP. Therefore, multiple prevention techniques have been designed that can be adopted to prevent XSS attacks. Mostly used techniques include the following:

  1. Filtering: The main cause of XSS is inappropriate input filtering.  Users can submit some sort of input via multiple input fields such as comments, posts, form submission through advanced methods like JSON, AJAX, XML, etc. As this is untrusted information so, it must not process in its raw form as it may impose serious security implications like XSS. Thus, filtering of the input value is done as one of the preliminary steps to prevent XSS attacks.  It means the entire untrusted user’s data must pass through a filter that filters out the malicious code, if present, from the web page. There are two types of filtering that can be applied: input filtering and output filtering. Input filtering is same as discussed above, i.e., remove suspicious keywords from entered data. In contrast, output filtering is applied to data that is reflected in the response web page. It basically works for persistent XSS attacks. Nevertheless, every method has its limitations. The disadvantage of this technique it also removes legitimate data if it matches with restricted keywords. To overcome this, filters need to be relaxed to include necessary tags and elements, paving the way for hackers and attackers.       
  2. Escaping: Escaping or encoding is another method to prevent XSS attacks. It hampers the execution of injected illicit code by the attacker in the victim’s browser. It means it gets converted into a form that remains inexecutable in the victim’s browser. Therefore, if the attacker injects some illicit script code, then the browser will not run it, if escaping is applied properly. Consequently, the user will remain unaffected. There are many types of encoding that can be applied to any web page, including HTML entity encoding, attribute value encoding, JavaScript, URL, and CSS encoding methods.
  3. Sanitization: Another method to prevent against XSS attacks is sanitization. It is basically a process of cleaning data or sanitizing data to make it secure from suspicious HTML tags or elements like <scripts>. It assures to receive the input value as excepted at that particular location in the web page. It is required in the case where a site can accept input from the user with diverse content, including HTML tags or style fields. So, sanitizing the data is a must to eliminate the harmful effects. There are several libraries or directives available to perform sanitization like HtmlSanitizer by OWASP, Ruby on Rails SanitizeHelper, DOMpurify, PHP HTML purifier, Python Bleach, and many more.
  4. Content Security Policy (CSP): The browser executes the script simply without knowing the source and intention. It may infect the user with various code injection vulnerabilities like XSS. Hence, Mozilla proposed a security prototype named as Content Security Policy (CSP) to mitigate various types of web application security vulnerabilities like XSS. It allows a website developer to specify the location to retrieve the external resources on the web. Therefore, the browser is allowed to access only those resources that are whitelisted, ignoring all other domains of resources. Consequently, injected scripts won’t get executed even if the attacker finds a way to inject them into the website. However, it requires all embedded JavaScript code to be shifted to a separate file. Consequently, it demands modifications in the web application, which is a tedious task for large web applications over the web. It also needs modification at both the side website and web browser.
  5. Data Validation: The attacker keeps an eye on input fields that lack data validation, which means if somehow, he will be able to submit malicious scripts through any field. For instance, suppose there is a field to enter email id, but no validation is applied, then the attacker may inject anything malicious that can be rendered by the browser. Data validation is a technique that ensures that the entered data comes within the syntactical constraints that are defined for that particular site to prevent from anything unwanted and malicious. There are various functions available in different languages like in PHP, and functions like is_numeric(), preg_match(), etc., are defined to validate the data, or you can use a regular expression to validate the data.
  6. Vulnerabilities Awareness Programs: It is the responsibility of an organization to train or schedule some security vulnerabilities awareness programs for their employees to assure the secure development of the web applications. It makes the entire software development team to get educated about the existing vulnerabilities, how attackers exploit them, and the best-known practices and methods to alleviate the attacks.
  7. Regular Maintenance and Testing: Web applications must be regularly updated to test for latent vulnerability. This assures quality maintenance of the web application and ensures the safety of its users from various types of security attacks. A multitude of web application scanner tools is available, like Burp suite, to perform web application scanning to identify the existing vulnerabilities.

References

  1. Grossman, J., Fogie, S., Hansen, R., Rager, A., & Petkov, P. D. (2007). XSS attacks: cross site scripting exploits and defense. Syngress.
  2. Stamm, S., Sterne, B., & Markham, G. (2010, April). Reining in the web with content security policy. In Proceedings of the 19th international conference on World wide web (pp. 921-930).
  3. Aljawarneh, S., Alkhateeb, F., & Maghayreh, E. A. (2010). A semantic data validation service for web applications. Journal of theoretical and applied electronic commerce research, 5(1), 39-55.
  4. Taha, T. A., & Karabatak, M. (2018, March). A proposed approach for preventing cross-site scripting. In 2018 6th International Symposium on Digital Forensic and Security (ISDFS) (pp. 1-4). IEEE.
  5. Balzarotti, D., Cova, M., Felmetsger, V., Jovanovic, N., Kirda, E., Kruegel, C., & Vigna, G. (2008, May). Saner: Composing static and dynamic analysis to validate sanitization in web applications. In 2008 IEEE Symposium on Security and Privacy (sp 2008) (pp. 387-401). IEEE
  6. Di Lucca, G. A., Fasolino, A. R., Faralli, F., & De Carlini, U. (2002, October). Testing web applications. In International Conference on Software Maintenance, 2002. Proceedings. (pp. 310-319). IEEE.
  7. Rodríguez, G. E., Torres, J. G., Flores, P., & Benavides, D. E. (2020). Cross-site scripting (XSS) attacks and mitigation: A survey. Computer Networks, 166, 106960.
  8. Bisht, P., & Venkatakrishnan, V. N. (2008, July). XSS-GUARD: precise dynamic prevention of cross-site scripting attacks. In International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment (pp. 23-43). Springer, Berlin, Heidelberg.
  9. Cui, Y., Cui, J., & Hu, J. (2020, February). A survey on xss attack detection and prevention in web applications. In Proceedings of the 2020 12th International Conference on Machine Learning and Computing (pp. 443-449).
  10. Salas, M. I. P., & Martins, E. (2014). Security testing methodology for vulnerabilities detection of xss in web services and ws-security. Electronic Notes in Theoretical Computer Science, 302, 133-154.

Cite this article:

Pooja (2021), XSS Prevention Measures, Insights2Techinfo, pp. 1

9770cookie-checkXSS Prevention Measures
Share this:

One thought on “XSS Prevention Measures

Leave a Reply

Your email address will not be published.