Cross Site Scripting

Cross-site scripting (commonly abbreviated XSS) vulnerabilities occur when an attacker uses a web application to deliver malicious code, generally in the form of a script, to a different end user. These flaws are widespread and occur anywhere a web application includes user-supplied input in the output it generates without validating or encoding it.

Attackers typically inject scripts, ActiveX controls or HTML into a vulnerable application in order to gather data from its users. Everything from account hijacking and changing of user settings to cookie theft or poisoning and false advertising is possible, and new malicious uses of XSS are found regularly.

The best way to protect a web application from XSS attacks is to ensure that it validates all headers, cookies, query strings, form fields and hidden fields (i.e., all parameters) against a rigorous specification of what should be allowed. Validation alone is not sufficient, because many legitimate inputs (a surname containing an apostrophe, a comment containing an angle bracket) have to be accepted; it must be paired with output encoding.

If you are displaying user-supplied input, the data should be written out by a function that escapes it or converts it into the appropriate HTML entities for the context in which it appears.

Encoding user-supplied data defeats XSS by preventing injected scripts from reaching users in an executable form. Applications gain significant protection from JavaScript-based attacks by converting the special characters in all generated output (at minimum &, <, >, " and ') to the corresponding HTML entities. HTML entity encoding protects HTML text and quoted attribute values; data placed into a JavaScript string, a URL or an unquoted attribute needs the encoding appropriate to that context.
