XSS - How to prevent this Monster !!
Atul Joshi
Helping Software Techies And IT Companies to Upskill In Application Security | Secure Code Mentor | Software Engineer At Heart | eJPT2, eWPT, CCNA, CAP Certified
There are two main things when it comes to preventing XSS: input validation and output sanitization !!
Let's discuss each in detail:
Input validation simply means validating every user-controllable input coming into the system and rejecting it if it doesn't meet certain rules (the golden rule for preventing attacks !!)
So it works at the outer boundary of the system.
In the case of XSS, it translates to: don't allow any user-controllable input that can result in executing JavaScript or rendering HTML on the web page.
On the other hand, output sanitization is sanitizing the content that is displayed back to the user on the web page.
Let's understand it with an example and dive into the PortSwigger lab.
Let's put our hacking hats on !! And hack the search feature.
Try the payload ORION"> BREAKOUT in the search box and hit enter. This is the same strategy we have been using in Part 1, Part 2 and Part 3 of this article series.
After we get the results page back, look carefully at what gets rendered in the developer tools.
Can we see what has just happened?
The ORION"> BREAKOUT payload gets translated to ORION"&gt; BREAKOUT
So we're not able to break out of the value="..." attribute because the > sign is replaced with &gt;
This is what is called HTML escaping or HTML encoding, and it is one of the ways we can achieve output sanitization.
So even if an attacker sends crafted/malicious input into the system, it is sanitized when it is reflected back to the user on the web page.
As a result, the browser does not see standard HTML markup that it can execute; the content is treated as uninterpreted literal text.
Below are some of the characters and their corresponding character references:
& : &amp;
< : &lt;
> : &gt;
In this particular case, > is rendered as &gt;
All major languages provide HTML escaping functions.
But where do we use this HTML escaping?
The answer is: on any string that comes from untrusted data and is inserted into an HTML document.
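To make the lab observation concrete, here is an added example (not from the original article or the PortSwigger lab) that reflects the same ORION"> BREAKOUT string into a search input's value attribute, once with only angle brackets escaped and once with full attribute escaping via Python's html.escape, then parses the result the way a browser would to check whether the untrusted input stayed inside the attribute. The input markup and the escape_angle_only helper are constructed for illustration.

```python
import html
from html.parser import HTMLParser

# Constructed sample: the same string typed into the lab's search box above.
PAYLOAD = 'ORION"> BREAKOUT'


def escape_angle_only(s: str) -> str:
    """Partial escaping: only &, < and > become character references.
    This reproduces what the lab response showed (the > became &gt;) but is
    not enough inside a quoted attribute, because the " passes through."""
    return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")


def escape_for_attribute(s: str) -> str:
    """Full escaping for an attribute context: html.escape() with quote=True
    (its default) also turns " into &quot; and ' into &#x27;."""
    return html.escape(s, quote=True)


def render_search_box(term: str, escape) -> str:
    """Reflect the untrusted search term into the input's value attribute,
    passing it through the chosen escaping function first (the output
    sanitization step described above)."""
    return f'<input type="text" name="search" value="{escape(term)}">'


class _AttrCollector(HTMLParser):
    """Records the attributes a browser-like parser sees on the <input>."""
    def __init__(self):
        super().__init__()
        self.attrs = {}

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.attrs = dict(attrs)


def parsed_attrs(fragment: str) -> dict:
    p = _AttrCollector()
    p.feed(fragment)
    p.close()
    return p.attrs


def reflects_intact(term: str, escape) -> bool:
    """True when the parsed value attribute round-trips to the original term,
    i.e. the input stayed inside the attribute as an uninterpreted literal
    instead of terminating it and spilling into stray attributes."""
    return parsed_attrs(render_search_box(term, escape)).get("value") == term


if __name__ == "__main__":
    for label, fn in (("angle-only", escape_angle_only), ("full", escape_for_attribute)):
        print(f"{label:10s} {render_search_box(PAYLOAD, fn)}  intact={reflects_intact(PAYLOAD, fn)}")
```

With angle-only escaping the parser sees value="ORION" followed by leftover attributes, which is the round-trip failure the check flags; with full escaping the value attribute comes back exactly as the user typed it.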
That's all for this article !!
Now, you must be thinking: if output sanitization is so powerful, why are hackers still able to attack applications using XSS? (Hint: nothing is 100% foolproof)
11 months
Is there any way we can have a system that does input validation automatically for us, without us even knowing it is being done !! Any guess what this system, operating at the application level, is called?