
Almost 40% of cyber-attacks in 2019 were performed using “cross-site scripting”, the most popular attack vector globally, according to recent research by PreciseSecurity.
According to the same source, SQL injection is the second most used attack vector globally, followed by fuzzing.
What is a cross-site scripting attack?
Cross-site scripting (XSS) is a client-side code injection attack. The attacker aims to execute malicious scripts in the victim’s web browser by injecting malicious code into a legitimate web page or web application. The actual attack occurs when the victim visits the web page or web application, and the browser executes the injected code.
Why is it such a serious attack?
· If the attacker can acquire a user’s session cookie, they can impersonate the user and perform actions on the user’s behalf.
· The attacker can gain access to the user’s geolocation, webcam, microphone, and even specific files from the user’s file system in conjunction with a social engineering attack.
How to stop XSS attacks?🚀🚀
· Sanitize HTML
If the user input needs to contain HTML, you can’t escape/encode it because it would break valid tags. In such cases, use a trusted and verified library to parse and clean HTML. Choose the library depending on your development language, for example, HtmlSanitizer for .NET or SanitizeHelper for Ruby on Rails.
· Train and maintain awareness
To keep your web application safe, everyone involved in building the web application must be aware of the risks associated with XSS vulnerabilities. You should provide suitable security training to all your developers, QA staff, DevOps, and SysAdmins. You can start by referring them to this page.
· Use escaping/encoding
Use an appropriate escaping/encoding technique depending on where user input is to be used: HTML escape, JavaScript escape, CSS escape, URL escape, etc. Use existing libraries for escaping, don’t write your own unless absolutely necessary.
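The following is an added example, not code from the original article, showing what “escape depending on where user input is used” looks like in practice. It defines one encoder per output context (HTML body/attribute, JavaScript string literal, URL parameter) and renders a constructed untrusted value through a vulnerable template and a hardened one. The function names and the sample value are assumptions made for this illustration.

```javascript
// Added example (not from the original article): context-aware output encoding.
// Each function encodes untrusted input for ONE output context; using the wrong
// one (e.g. HTML escaping inside a <script> string) still leaves XSS open.

// HTML body and attribute context: neutralise the five characters that can
// start or end tags, attributes and entities.
function escapeHtml(input) {
  return String(input).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#x27;',
  })[ch]);
}

// JavaScript string-literal context: hex-escape everything outside [A-Za-z0-9]
// so the value can never close the quotes or the surrounding <script> block.
function escapeJsString(input) {
  return String(input).replace(/[^A-Za-z0-9]/g, (ch) => {
    const code = ch.charCodeAt(0);
    return code < 0x100
      ? '\\x' + code.toString(16).padStart(2, '0')
      : '\\u' + code.toString(16).padStart(4, '0');
  });
}

// URL query-parameter context: percent-encoding keeps the value inside its
// parameter. The scheme of a full URL must still be allow-listed separately,
// because encoding does not stop "javascript:" links.
function escapeUrlParam(input) {
  return encodeURIComponent(String(input));
}

function isSafeLink(url) {
  return /^https?:\/\//i.test(String(url));
}

// Constructed untrusted value, standing in for user-supplied input.
const untrusted = '<img src=x onerror="alert(1)">';

// Vulnerable: raw interpolation of user input into HTML.
function renderVulnerable(name) {
  return `<p>Hello ${name}</p>`;
}

// Hardened: each sink gets the encoder for its own context.
function renderHardened(name) {
  return [
    `<p>Hello ${escapeHtml(name)}</p>`,
    `<input value="${escapeHtml(name)}">`,
    `<script>var user = "${escapeJsString(name)}";</script>`,
    `<a href="/search?q=${escapeUrlParam(name)}">search</a>`,
  ].join('\n');
}

module.exports = { escapeHtml, escapeJsString, escapeUrlParam, isSafeLink, renderVulnerable, renderHardened, untrusted };
```

Run it with Node and compare `renderVulnerable(untrusted)` with `renderHardened(untrusted)`: the first contains a live `<img onerror>` handler, the second only inert text. The point the article makes still stands: in production use a maintained encoding library rather than hand-rolled functions like these.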
· Set the HttpOnly flag
To mitigate the consequences of a possible XSS vulnerability, set the HttpOnly flag for cookies. If you do, such cookies will not be accessible via client-side JavaScript.
· Use a Content Security Policy
To mitigate the consequences of a possible XSS vulnerability, also use a Content Security Policy (CSP). CSP is an HTTP response header that lets you declare which sources the browser may load scripts and other dynamic resources from, so an injected script that does not match the policy is not executed.