Defending Against Cross-Site Scripting Attacks (Defending Against XSS)

Hello dear readers,

Published reports' statistics show "Cross-Site Scripting Attacks (XSS Attacks)" as the number one attack for exploited vulnerabilities on the WEB sites.

Are you aware about how to mitigate against it? Is there a silver bullet for that?

An old song* from 80's give us a clue:

(Replaces "house" by "WEB site")

"It's build a house where we can stay
Add a new bit everyday
It's build a road for us to cross
Build us lots and lots and lots and lots and lots"

Thinking from attackers perpective: a WEB site can add a 'new bit everyday' that means a potential vulnerability everyday if a threat modeling was not taken in consideration.

Below some suggested ways to mitigate from "Cross-Site Scripting Attacks (XSS Attacks)". You will need to research for details if planning to apply them.

1) The DO and DO NOT:

Ÿ- Take advantage of ASP.NET’s RequestValidation
Ÿ- Take advantage of ASP.NET’s ViewStateUserKey
Ÿ- Consider IOSec for data encoding
Ÿ- Use the HttpOnly cookie option
Ÿ- Use the <frame> security attribute

  - Trust user input (remember: Human's factor)
  - Echo client-supplied data without encoding
  - Store secret information in cookies

 2) Input validation

Ÿ  First line of defense – can eliminate many possible vulnerabilities, but doesn’t necessarily eliminate all of them
3) Output encoding
Ÿ  By encoding user-supplied data at display time, we can ensure that the client browser will interpret it literally
4) Platform features
Ÿ RequestValidation property
Ÿ ViewStateUserKey property
5) Server.HtmlEncode() doesn’t alwaysprotect your application

Ÿ  It only encodes < > & “
6) Use IOSec (properly implemented)
Ÿ  EncodeHtml()
Ÿ  EncodeHtmlAttribute()
Ÿ  EncodeVbs()
Ÿ  EncodeJs()
Ÿ  AsUrl()
A "new bit everyday" makes the race against attacks more and more challenging. XSS attacks still in the top. Above just a few suggestions. There's no a silver bullet.
Anyone concerned about XSS attacks must 'add a brick everyday' trying to protect a 'road for them to cross'.
Do you want to dig more in this subject? Some good sources to visit:
P.S.: *Quotation from song: "Build" by The Housemartins.
Comments (0)

Skip to main content