
Friday 3 March 2017

What is Cross-Site Scripting?

When we build websites or simple web pages, we tend to assume that because we are not a big organization or company, no one will try to hack our site. As a result, we don't sanitize the content that we take from users and store in the site's database. Here, sanitizing means making sure that the content a user submits is genuine and contains nothing malicious that could hamper the performance or the appearance of our website.



Cross-Site Scripting (XSS) can be defined as the practice of inserting malicious lines of code into a website, after finding a vulnerability in it, to degrade the performance or change the appearance of the site. For example, suppose your website presents a form to the user, takes the submitted information and saves it in the database. A malicious user can submit a script that changes the background color of your website, since JavaScript can change the background color and other properties of an HTML page without using CSS. Most cross-site scripters use scripts like this to insert malicious code into a website, compromise its security and steal information about its users.

Cross-Site Scripting can lead to the activation of Trojan horse programs, modify the contents of a website, mislead users into surrendering their private data, and access session and cookie data, enabling a perpetrator (the person performing the Cross-Site Scripting) to impersonate a normal user and abuse private accounts.

Cross-Site Scripting can be divided into two types: Stored and Reflected.

  • Stored XSS, also called Persistent XSS, is more harmful than Reflected XSS. It occurs when a malicious script is injected into a web application after finding its vulnerability.


  • Reflected XSS involves reflecting a malicious script off a web application onto the user's browser. The user is asked to click on a particular link, and once the link is clicked the malicious script is activated.

How to protect a web application against Cross-Site Scripting:
  • Whenever you create a website, make sure to sanitize and validate content before inserting it into the database. Then, if someone tries to enter an executable script using the <script> tag, it won't be stored as such and will be stored as normal text. For example, if you are developing your web application in PHP, you can use strip_tags(), htmlspecialchars() or filter_var() to sanitize a string before inserting it into the database. These functions help protect your website against XSS. For example, if someone tries to enter <script>alert("Hello! You are Hacked");</script> into your website and you have used strip_tags() to sanitize the string, only alert("Hello! You are Hacked"); will be stored; the <script> tags are removed by the function itself.

  • A Web Application Firewall is also used for protection against XSS. It is a system that monitors, filters or blocks the HTTP traffic to and from the web application. It monitors and examines the traffic in real time, before it reaches the web application. You need to install a Web Application Firewall for your website. Some examples of Web Application Firewalls include Citrix Systems Inc.'s NetScaler AppFirewall, Fortinet Inc.'s FortiWeb-400C and F5 Networks Inc.'s BIG-IP Application Security Manager. Source: searchsecurity.techtarget.com.
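
Added example (not part of the original post): a comparison of what the three PHP functions named above leave behind for the article's own payload and for an ordinary comment, with a check for characters that are still special in HTML. The sample strings and the helper names html_encode() and has_no_html_metachars() are made up for this illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample submissions (illustrative only).
$submissions = [
    '<script>alert("Hello! You are Hacked");</script>', // the article's example
    'Tom & Jerry said "hi" <3',                          // ordinary user text
];

/** Encode a value for an HTML text node or a quoted attribute value. */
function html_encode(string $value): string
{
    // ENT_QUOTES also encodes single quotes; ENT_SUBSTITUTE replaces
    // invalid UTF-8 sequences instead of returning an empty string.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** True if the string contains none of the characters < > " ' */
function has_no_html_metachars(string $value): bool
{
    return strpbrk($value, '<>"\'') === false;
}

foreach ($submissions as $raw) {
    $variants = [
        // Removes tags but leaves quotes untouched; the PHP manual warns
        // that a stray '<' can also cause legitimate text to be removed.
        'strip_tags'       => strip_tags($raw),
        // Keeps the whole submission, rendered as inert text.
        'htmlspecialchars' => html_encode($raw),
        // Documented as equivalent to htmlspecialchars() with ENT_QUOTES.
        'filter_var'       => filter_var($raw, FILTER_SANITIZE_FULL_SPECIAL_CHARS),
    ];
    echo "input: $raw\n";
    foreach ($variants as $name => $out) {
        $flag = has_no_html_metachars($out) ? 'no metachars left' : 'metachars remain';
        printf("  %-16s [%-17s] %s\n", $name, $flag, $out);
    }
}
```

The strip_tags() rows report "metachars remain" because the double quotes survive, so that output still needs html_encode() before it is written into a page.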
Some common types of scripts that are used in XSS:

  • The most common script inserts an alert into a web application, so every time a user refreshes the page, it irritates them again and again by showing an alert dialog (<script>alert("Some message");</script>).

  • Scripts that change the appearance of a website. For example, a script is injected to change the background color of the web application. It simply uses the HTML DOM properties to manipulate the page's properties with JavaScript.

  • Cookie-stealing scripts are also injected into vulnerable web applications. Make sure to set your cookie value as a hash, so that even if the attacker finds it, he/she won't be able to use it, because it is in its hashed form and it is quite difficult to recover the actual value from the hash. document.cookie is used to read all the cookies.

  • Malware scripts are also injected to install a trojan horse or a virus into the user's system.
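
Added example (not part of the original post), relating to the cookie-stealing item above: a cookie sent with the HttpOnly attribute is not exposed through document.cookie, so this sketch audits Set-Cookie values for missing attributes and shows the session cookie being issued with them set. The header values and the function names missing_cookie_flags() and start_hardened_session() are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Constructed Set-Cookie header values (illustrative only).
$headers = [
    'PHPSESSID=placeholder1; path=/',
    'PHPSESSID=placeholder2; Path=/; Secure; HttpOnly; SameSite=Lax',
    'theme=dark; Path=/; SameSite=Lax',
];

/** Return the required attributes (lower-cased) missing from one Set-Cookie value. */
function missing_cookie_flags(
    string $header,
    array $required = ['httponly', 'secure', 'samesite']
): array {
    $parts = array_map('trim', explode(';', $header));
    array_shift($parts); // the first part is the cookie's name=value pair
    $present = [];
    foreach ($parts as $part) {
        // Attribute names are case-insensitive; drop any "=value" suffix.
        $present[] = strtolower(trim(explode('=', $part, 2)[0]));
    }
    return array_values(array_diff($required, $present));
}

/** Issue the PHP session cookie with the attributes set (PHP 7.3+ array form). */
function start_hardened_session(): void
{
    session_set_cookie_params([
        'path'     => '/',
        'secure'   => true,  // only sent over HTTPS
        'httponly' => true,  // not readable through document.cookie
        'samesite' => 'Lax',
    ]);
    session_start();
}

foreach ($headers as $header) {
    $missing = missing_cookie_flags($header);
    $verdict = $missing ? 'missing: ' . implode(', ', $missing) : 'ok';
    echo $header, ' => ', $verdict, "\n";
}
```

start_hardened_session() is defined but not called in the demo loop; in a web request it has to run before any output is sent.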

That's it for this article of mine. Make sure to protect your web application against XSS, as XSS is the most common attack that attackers use to hamper your website's security and steal users' information.
