How can I prevent Cross Site Scripting attacks on my application?
1. Ensure no input is reflected in an output page
2. Use HTTP Only cookies to protect cookies from scripts
3. Escape all special characters when preparing the output
The best answer to the quiz is 3) Escape all special characters when preparing the output.
Cross Site Scripting (XSS) is a type of attack in which the attacker steals a user's cookie information by getting the user to click on a link that contains a script. The script reads the user's cookies and sends them to the attacker by email. Because the browser executes the script while rendering the page the link points to, the attacker obtains the desired information. Since these attacks generally rely on pages that reflect user input back to the browser, option 1 may help in preventing XSS attacks, but it is not a foolproof method.
Another method to prevent XSS is the use of HTTP Only (HttpOnly) cookies. If this flag is set on a cookie, scripts cannot access it. This blocks cookie theft through XSS but does not work against Cross Site Tracing (XST) attacks. XST attacks make use of the HTTP TRACE method: when a TRACE request is sent to the server, the server echoes the entire request, headers included, back to the browser. Suppose an attacker sends the user a link that issues a TRACE request from a script. When the user clicks the link, a TRACE request carrying the cookies for the site is sent to the server, and the server returns that cookie information to the browser in the response body, where the script can read it. If the script then mails the information to the attacker, the sensitive data is stolen.
Validating the input and output in an application is the best method to prevent XSS. All special characters that could be used to form a script should be escaped. If these characters are replaced with their HTML entity equivalents (for example, `<` becomes `&lt;`) before the page is displayed, the browser renders them as text instead of executing a script.
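The following is an added example, not code from the original quiz, showing the three defences discussed above in one small request handler: output escaping of a reflected parameter, an HttpOnly session cookie, and refusal of the TRACE method that XST relies on. The `handle_request` function, its `(status, headers, body)` return shape, and the session id value are hypothetical placeholders and not any real framework's API; the `name` parameter and the `<script>` test input are constructed for the demonstration.

```python
import html
from typing import Dict, Mapping, Tuple

# Constructed sample input: a reflected "name" parameter carrying a script tag.
SAMPLE_INPUT = "<script>alert(1)</script>"


def escape_for_html(value: str) -> str:
    """Replace the characters that can break out of an HTML text node or
    attribute value (& < > " ') with their entity equivalents, so the browser
    renders them literally instead of treating them as markup."""
    return html.escape(value, quote=True)


def render_greeting(name: str) -> str:
    """Build the response body with the user-controlled 'name' escaped.
    This is the 'escape all special characters when preparing the output'
    option from the quiz."""
    return "<p>Hello, {}!</p>".format(escape_for_html(name))


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie value for a session cookie that page scripts cannot read.
    The HttpOnly attribute is the quiz's option 2."""
    return "sessionid={}; HttpOnly; Path=/".format(session_id)


def handle_request(method: str, query: Mapping[str, str]) -> Tuple[int, Dict[str, str], str]:
    """Hypothetical minimal handler (not a real framework API).
    Returns (status, headers, body)."""
    # Refuse TRACE so the server never echoes request headers (cookies
    # included) back into a page where a script could read them (XST).
    if method == "TRACE":
        return 405, {"Allow": "GET, POST"}, ""

    name = query.get("name", "guest")
    headers = {
        "Content-Type": "text/html; charset=utf-8",
        # "CONSTRUCTED-SESSION-ID" is a placeholder for a real random session id.
        "Set-Cookie": session_cookie_header("CONSTRUCTED-SESSION-ID"),
    }
    return 200, headers, render_greeting(name)


if __name__ == "__main__":
    # Show the reflected input being neutralised rather than executed.
    status, headers, body = handle_request("GET", {"name": SAMPLE_INPUT})
    print(status, headers["Set-Cookie"])
    print(body)
    # Show the TRACE method being refused.
    print(handle_request("TRACE", {})[0])
```

Escaping happens at the point where the value is written into HTML, not when it is read from the request, so the same stored value can later be placed safely in a different context by a different escaper (for example, a JavaScript string or a URL), which is why output escaping is the answer rather than input filtering alone.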
Here are links for more information on XSS and XST:
- Kevin Spett's paper "Cross Site Scripting: Are your web applications vulnerable?" is a good source of information.
- This paper by Jeremiah Grossman discusses XST in greater detail: http://www.cgisecurity.com/whitehat-mirror/WhitePaper_screen.pdf