Do You Know: Cross-Site Scripting (XSS)
Cross-Site Scripting is a code injection attack in which an attacker injects malicious code into a web page so that it runs in the web browser of a user.
The malicious code is executed when the user visits the page.
1. The user first has to establish a connection with the web server.
2. Once the user is logged in, the attacker sends the victim a maliciously crafted link through social engineering.
3. When the user clicks on that link, the malicious code is executed.
E.g., the code can contain JavaScript to steal the user's cookies. The sample below only displays the cookie in an alert box:
<script> alert(document.cookie); </script>
4. Once the attacker gets the cookie, he can take the victim's session ID from it and establish a connection with the server, pretending to be the victim.
The diagram below describes how XSS takes place.
Types of cross site scripting:
· Reflected XSS
o In reflected XSS, the malicious code the attacker supplies is not stored on the server.
o Instead, the script is executed directly on the victim's side whenever the victim visits the infected page.
o It is a non-persistent attack.
o The attacker sends the malicious code in the HTTP request (such as the URL or a header).
o The code is executed when the HTTP response from the server includes the part of the HTTP request that carries the malicious code.
· Stored XSS
o Stored XSS causes the most damage, because the malicious code injected by the attacker is stored permanently in the server's database if there is no input validation.
o For example, consider a blog where there is an input field in the comment section. A user might enter some malicious code into the comment section. If there is no sanitization of the input data, then the malicious code is executed in the browser of whoever visits the comment section.
o Since the code is stored permanently in the database, this attack can harm a large number of people visiting the website.
· DOM-based XSS
o This is an advanced XSS attack.
o Here the script is not sent to the server.
o If the web application writes attacker-controllable data into the Document Object Model (DOM), then the attacker can insert malicious code into the DOM.
o This attack can be used to evade the firewall and the IDS, as the code never reaches the server.
How to prevent XSS attacks
1. Sanitize the data that comes from clients: identify the input vectors that may be vulnerable and validate what arrives through them.
2. Encode the output: encoding ensures that the browser treats the data as plain text rather than as markup or script, and hence prevents the attacker from injecting any code.
3. Enable the HttpOnly cookie flag, which keeps the cookie out of reach of client-side script and so prevents the attacker from making changes or inserting data into the header.
4. For sanitization the following libraries can be used:
Don't allow any ASCII values less than 256 in the URL. There is no better way to prevent XSS; the only way is to restrict input that can be malicious.
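The blog-comment scenario from the stored XSS section, together with the output-encoding and HttpOnly advice above, as an added example (not code from the original article). The function names, the sample comments and the session value are constructed for illustration, and the HTML is built as plain strings so the script runs under Node.js without a server.

```javascript
// Added example: rendering stored blog comments, vulnerable vs. output-encoded.
// All names (escapeHtml, renderCommentUnsafe, ...) are hypothetical.

// Characters that can change the HTML parsing context, mapped to entities.
const HTML_ENTITIES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

// Encode a value for use in an HTML element body or a quoted attribute value.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Vulnerable: stored text is concatenated straight into the markup.
function renderCommentUnsafe(comment) {
  return '<li data-author="' + comment.author + '">' + comment.body + '</li>';
}

// Hardened: every stored field is encoded at output time, whatever was saved.
function renderCommentSafe(comment) {
  return '<li data-author="' + escapeHtml(comment.author) + '">' +
    escapeHtml(comment.body) + '</li>';
}

// Session cookie with HttpOnly, so document.cookie does not expose it to script.
function sessionCookieHeader(sessionId) {
  return 'Set-Cookie: sid=' + encodeURIComponent(sessionId) +
    '; HttpOnly; Secure; SameSite=Lax; Path=/';
}

// Constructed sample data: one ordinary comment and one carrying the
// payload shown earlier on this page.
const storedComments = [
  { author: 'alice', body: 'Nice post, 5 > 3 & all that.' },
  { author: 'mallory', body: '<script> alert(document.cookie); </script>' },
];

function renderPage(render) {
  return '<ul>' + storedComments.map(render).join('') + '</ul>';
}

console.log(renderPage(renderCommentUnsafe)); // the script element survives
console.log(renderPage(renderCommentSafe));   // the payload is inert text
console.log(sessionCookieHeader('constructed-session-id'));
```

Encoding at output time protects every visitor even when malicious text is already in the database, which is why it complements input validation rather than replacing it.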