Hello dear readers,
Published reports' statistics show "Cross-Site Scripting Attacks (XSS Attacks)" as the number one attack among exploited vulnerabilities on WEB sites.
Are you aware of how to mitigate it? Is there a silver bullet for that?
An old song* from the 80's gives us a clue:
(Replace "house" with "WEB site")
"It's build a house where we can stay
Add a new bit everyday
It's build a road for us to cross
Build us lots and lots and lots and lots and lots"
Thinking from the attacker's perspective: a WEB site can add a 'new bit everyday', which means a potential vulnerability every day if threat modeling was not taken into consideration.
Below are some suggested ways to mitigate "Cross-Site Scripting Attacks (XSS Attacks)". You will need to research the details if you plan to apply them.
1) The DO and DO NOT:
DO:
- Take advantage of ASP.NET's RequestValidation
- Take advantage of ASP.NET's ViewStateUserKey
- Consider IOSec for data encoding
- Use the HttpOnly cookie option
- Use the <frame> security attribute
DO NOT:
- Trust user input (remember: the human factor)
- Echo client-supplied data without encoding
- Store secret information in cookies
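The following is an added example (not code from the original post) showing how the ASP.NET platform features in the DO list are switched on in a Web Forms page. The class name, the cookie name "prefs" and its value are assumptions; the web.config fragment in the trailing comment is the site-wide equivalent of the per-page settings.

```csharp
using System;
using System.Web;
using System.Web.UI;

// Added example: wiring up the ASP.NET features the DO list names.
// Class, cookie name and cookie value are assumptions.
public partial class SecurePage : Page
{
    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);

        // ViewStateUserKey ties the page's ViewState to this user's session,
        // so ViewState captured in one session is rejected when posted back
        // from another. It must be set before ViewState is loaded, i.e. in Init.
        ViewStateUserKey = Session.SessionID;
    }

    protected void Page_Load(object sender, EventArgs e)
    {
        // HttpOnly keeps the cookie out of document.cookie, so script running
        // in the page (injected or not) cannot read it; Secure keeps it off
        // plain HTTP. The cookie carries a preference, never a secret
        // (see the DO NOT list).
        var cookie = new HttpCookie("prefs", "theme=dark")
        {
            HttpOnly = true,
            Secure = true
        };
        Response.Cookies.Add(cookie);
    }
}

/* web.config equivalents, applied site-wide instead of per page:

   <system.web>
     <!-- RequestValidation: reject requests whose fields look like markup -->
     <pages validateRequest="true" />
     <!-- every cookie the application sets gets HttpOnly; requireSSL adds Secure -->
     <httpCookies httpOnlyCookies="true" requireSSL="true" />
   </system.web>
*/
```

RequestValidation is a coarse filter, not an encoder: it rejects suspicious input but does nothing for data that reaches the page another way (database, web service, file), which is why output encoding below is still required.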
2) Input validation
First line of defense: it can eliminate many possible vulnerabilities, but it doesn't necessarily eliminate all of them
3) Output encoding
By encoding user-supplied data at display time, we can ensure that the client browser interprets it literally rather than as markup or script
4) Platform features
5) Server.HtmlEncode() doesn't always protect your application
It only encodes < > & "
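Points 3 and 5 together say that one encoder is not enough: Server.HtmlEncode() (HttpUtility.HtmlEncode underneath) is right for element content but not for attributes, JavaScript strings or URLs. The following added example (not code from the original post) picks the encoder by output context; the class and method names are assumptions, and the sample string is constructed to contain every character that matters.

```csharp
using System;
using System.Web;

// Added example: choose the encoder by the context the value is written into.
// Class and method names are assumptions.
public static class SafeOutput
{
    // Element content: <p>...</p>. HtmlEncode covers < > & " (and ' on
    // .NET 4 and later), which is exactly the narrow coverage point 5 warns about.
    public static string ForHtmlBody(string untrusted) =>
        HttpUtility.HtmlEncode(untrusted);

    // Attribute value. Emit the surrounding double quotes yourself: an unquoted
    // attribute ends at the first space, and no encoder turns a space into an entity.
    public static string ForHtmlAttribute(string untrusted) =>
        "\"" + HttpUtility.HtmlAttributeEncode(untrusted) + "\"";

    // Inside a JavaScript string literal: escapes quotes, backslash and < >
    // so the value can neither end the literal nor the enclosing <script> block.
    public static string ForJsString(string untrusted) =>
        "\"" + HttpUtility.JavaScriptStringEncode(untrusted) + "\"";

    // Query-string parameter: percent-encodes everything outside the unreserved set.
    public static string ForUrlParameter(string untrusted) =>
        HttpUtility.UrlEncode(untrusted);

    // Demonstration with a constructed value that holds < > & " and '.
    public static void Main()
    {
        string name = "O'Brien <b>\"bold\"</b> & co";

        Console.WriteLine("<p>Hello " + ForHtmlBody(name) + "</p>");
        Console.WriteLine("<input name=\"user\" value=" + ForHtmlAttribute(name) + ">");
        Console.WriteLine("<script>var user = " + ForJsString(name) + ";</script>");
        Console.WriteLine("<a href=\"/search?q=" + ForUrlParameter(name) + "\">search</a>");
    }
}
```

The rule the example encodes is simple: decide where the value lands in the rendered page first, then apply that context's encoder at display time, never at storage time, so the same stored value can be rendered safely in more than one place.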
6) Use IOSec (properly implemented)
A "new bit everyday" makes the race against attacks more and more challenging. XSS attacks are still at the top. The above are just a few suggestions. There is no silver bullet.
Anyone concerned about XSS attacks must 'add a brick everyday' to keep protecting the 'road for them to cross'.
Do you want to dig deeper into this subject? Some good sources to visit:
P.S.: *Quotation from the song "Build" by The Housemartins.