
Cross-Site Scripting Attack and its prevention

What is a Cross-Site Scripting Attack?

XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping. XSS allows attackers to execute scripts in the victim's browser, which can access any cookies, session tokens, or other sensitive information retained by the browser, or redirect the user to malicious sites.

How is a Cross-Site Scripting Attack performed?

There are two types of XSS flaws:

  • Reflected XSS: The malicious data is echoed back by the server in an immediate response to an HTTP request from the victim.
  • Stored XSS: The malicious data is stored on the server or in the browser (using HTML5 local storage, for example), and is later embedded in an HTML page served to the victim.

Attack Prevention

  • Input validation and sanitization: Input validation and data sanitization are the first line of defense against untrusted data. Apply whitelist (allow-list) validation wherever possible.
  • Output encoding for the correct context: When a browser renders HTML and its associated content such as CSS and JavaScript, it follows different parsing rules for each context. Hence context-sensitive output encoding is absolutely critical for mitigating the risk of XSS.
  • Apply encoding on both client and server side: It is essential to apply encoding on both the client and the server side to mitigate DOM-based XSS attacks, in which the untrusted data never leaves the browser.
  • HttpOnly cookie flag: Preventing all XSS flaws in an application is hard. To help mitigate the impact of an XSS flaw on your site, set the HttpOnly flag on the session cookie and on any custom cookies that do not need to be accessed by JavaScript.
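The following is an added example, not code from the original post, showing two of the mitigations listed above in working JavaScript: context-sensitive output encoding (HTML body, HTML attribute and JavaScript string contexts) applied to the reflected-XSS shape described earlier, where a request parameter is echoed into the page, and a Set-Cookie value carrying the HttpOnly flag. The function names, the page template and the sample input are all constructed for illustration.

```javascript
// Added example (not from the original post): context-sensitive output
// encoding and an HttpOnly session cookie. All inputs are constructed.

// Encode untrusted text for the HTML body context (text between tags).
// '&' must be replaced first so already-produced entities are not re-encoded.
function encodeForHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;');
}

// Encode untrusted text for a quoted HTML attribute value. Every UTF-16 code
// unit except alphanumerics becomes a numeric entity, so the value can never
// close the attribute or introduce a new one.
function encodeForHtmlAttribute(value) {
  return String(value).replace(/[^A-Za-z0-9]/g,
    (ch) => `&#x${ch.charCodeAt(0).toString(16)};`);
}

// Encode untrusted text for a JavaScript string literal inside <script>.
// Non-alphanumerics become \xHH or \uHHHH escapes, so the value cannot
// terminate the string literal or the script block.
function encodeForJsString(value) {
  return String(value).replace(/[^A-Za-z0-9]/g, (ch) => {
    const code = ch.charCodeAt(0);
    return code < 256
      ? `\\x${code.toString(16).padStart(2, '0')}`
      : `\\u${code.toString(16).padStart(4, '0')}`;
  });
}

// Reflected-XSS shape: the server echoes a request parameter into three
// different contexts of the same page. The unsafe version interpolates the
// raw value; the safe version encodes for each context it lands in.
function renderGreetingUnsafe(name) {
  return `<p>Hello ${name}</p>` +
         `<input value="${name}">` +
         `<script>var who = '${name}';</script>`;
}

function renderGreetingSafe(name) {
  return `<p>Hello ${encodeForHtml(name)}</p>` +
         `<input value="${encodeForHtmlAttribute(name)}">` +
         `<script>var who = '${encodeForJsString(name)}';</script>`;
}

// Detection-style check for a test suite: does the rendered page contain the
// untrusted value verbatim? If so, its markup reached the parser unencoded.
function echoesRawInput(html, untrusted) {
  return html.includes(untrusted);
}

// Set-Cookie header value for the session cookie with HttpOnly (so
// document.cookie cannot read it even if a script does run), plus Secure
// and SameSite. Name and value are restricted to a safe character set so
// attributes cannot be injected through them.
function buildSessionCookie(name, value) {
  const safe = /^[A-Za-z0-9_-]+$/;
  if (!safe.test(name) || !safe.test(value)) {
    throw new Error('cookie name and value must match [A-Za-z0-9_-]+');
  }
  return `${name}=${value}; Path=/; HttpOnly; Secure; SameSite=Strict`;
}

// Constructed sample input: a typical markup-breaking test string.
const SAMPLE_INPUT = '"><script>alert(1)</script>';

if (typeof require !== 'undefined' && require.main === module) {
  console.log('unsafe:', renderGreetingUnsafe(SAMPLE_INPUT));
  console.log('safe:  ', renderGreetingSafe(SAMPLE_INPUT));
  console.log('cookie:', buildSessionCookie('session', 'abc123'));
}
```

Run with `node` to see the unsafe rendering echo the sample string into all three contexts while the safe rendering turns it into entities or `\x` escapes in each. The same three encoders can be used in the browser for DOM-based cases, which is the point of the "both client and server side" item above: whichever side builds the markup must encode for the context it is writing into.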

Hope you like the post...

