Not every developer gives equal weight to web security and vulnerabilities, especially cross-site scripting (XSS), when they start coding; the primary goal is usually to get the project finished. Websites built with insecure code can be exploited easily by attackers. Your browser will not prevent XSS automatically unless you disable its ability to run scripting languages such as JavaScript, or you only visit sites that you trust.
Below is a list of tips to defend against XSS attacks:
Input and output filtering
Filtering can be done in the form of input sanitation, output sanitation and input blocking. Once you implement input sanitation, your page will catch invalid input or content. When a user enters data, the web page checks whether the data is in a format you consider acceptable. If a user submits invalid input, your page shows a message stating which input it expects.
There is not much difference between input sanitation and input blocking; the only difference is that input blocking reflects the blocked content back in the page. Many web developers prefer input sanitation over input blocking because it strips all unwanted or invalid data before it is sent to the application.
Output sanitation is applied to the data that is sent back from the server to the client's browser. Depending on the types of XSS attack you want to deflect, you can choose the right filtering method for your application.
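The following is an added example, not code from the original article, showing the input validation and input sanitation described above for a single form field. The field (a display name), its allowed character set and the sample submissions are assumptions made for this illustration; validation reports what the field expects without echoing the rejected value back, and sanitation strips everything outside the allowlist before the value reaches the application.

```javascript
// Added example (not from the original article): input validation versus
// input sanitation for a hypothetical "display name" form field.

// Allowlist: letters, digits, spaces, hyphens and apostrophes, 1 to 40 chars.
const DISPLAY_NAME_RE = /^[A-Za-z0-9 '-]{1,40}$/;

// Input validation: returns { ok: true, value } or a message describing what
// the field expects. The message deliberately does not reflect the bad input.
function validateDisplayName(value) {
  if (typeof value !== "string") {
    return { ok: false, message: "Display name must be text." };
  }
  if (!DISPLAY_NAME_RE.test(value)) {
    return {
      ok: false,
      message:
        "Display name may only contain letters, digits, spaces, hyphens or " +
        "apostrophes (1-40 characters).",
    };
  }
  return { ok: true, value };
}

// Input sanitation: remove every character outside the allowlist, then cut
// the result to the maximum length, before the value is handed to the app.
function sanitizeDisplayName(value) {
  return String(value).replace(/[^A-Za-z0-9 '-]/g, "").slice(0, 40);
}

// Constructed sample submissions, as a form handler might receive them.
const sampleSubmissions = ["Alice O'Brien", "<b>Bob</b>", "x".repeat(50)];

for (const s of sampleSubmissions) {
  const result = validateDisplayName(s);
  console.log(
    JSON.stringify(s),
    "->",
    result.ok ? "accepted" : "rejected: " + result.message,
    "| sanitized:",
    JSON.stringify(sanitizeDisplayName(s))
  );
}
```

Validation is the safer default where the format is well defined: a rejected value never enters the application at all, and the user still learns what the field expects.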
Input encoding
Encoding is a way to make sure that user input is treated as data by the browser. When the browser treats encoded input as data rather than code, the code cannot execute.
Example of a JavaScript snippet:
<script>
    function myFunction() {
        document.getElementById("mydemo").innerHTML = "Change your header text";
    }
</script>
If we HTML-encode the above snippet, it will look like this:
&lt;script&gt;
    function myFunction() {
        document.getElementById(&quot;mydemo&quot;).innerHTML = &quot;Change your header text&quot;;
    }
&lt;/script&gt;
Since the special characters have been escaped (< becomes &lt;, > becomes &gt; and " becomes &quot;), the web browser will not parse any of the input as code; instead it will parse it as data and display it as plain text.
Remember that if users have to input a URL, you cannot prevent XSS with the encoding technique alone. In this case you should use the input validation/sanitation technique instead.
Note — An XSS vulnerability can exist in a website if the malicious script or code that the attacker inserts into the site gets parsed by the browser.
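The following is an added example, not code from the original article, that puts the two points of this section into working form: an HTML-encoding function applied at output time, and the URL case that encoding cannot solve, handled by validating the URL instead. The element id reuses the article's "mydemo"; the function names, the allowed URL schemes (http and https only) and the sample values are assumptions made for this illustration.

```javascript
// Added example (not from the original article): output encoding for text
// placed into HTML, plus scheme validation for user-supplied URLs.

// Encode the five characters that can change HTML structure. Text encoded
// this way and placed in an element body or a quoted attribute value is
// parsed by the browser as data, never as a tag or script.
function encodeHtml(text) {
  return String(text)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Render a user-supplied header text into a page fragment, encoding applied.
function renderHeader(userText) {
  return `<h1 id="mydemo">${encodeHtml(userText)}</h1>`;
}

// Encoding does not help for an href: the browser decodes the attribute
// before following the link, so the URL itself must be validated. Only
// absolute http(s) URLs are accepted; anything else returns null.
function safeHref(candidate) {
  let url;
  try {
    url = new URL(candidate); // throws for relative or malformed input
  } catch (e) {
    return null;
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    return null;
  }
  return url.href; // normalised absolute URL
}

// Render a link from user input: validate the URL, encode the text.
function renderLink(userUrl, userLabel) {
  const href = safeHref(userUrl);
  if (href === null) {
    return `<span>${encodeHtml(userLabel)} (link rejected)</span>`;
  }
  return `<a href="${encodeHtml(href)}">${encodeHtml(userLabel)}</a>`;
}

// Constructed sample inputs.
console.log(renderHeader('<b>"Tom" & \'Jerry\'</b>'));
console.log(renderLink("https://example.com/docs?q=1", "Docs"));
console.log(renderLink("ftp://example.com/file", "File"));
```

The encoding function is applied at the point of output, so the stored value stays unchanged and the same data can be rendered safely in different contexts; the URL check is applied before rendering because no output encoding makes an untrusted scheme safe to follow.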
Select a secure browser
Always use a web browser that has strong security features, such as Firefox or Chrome. Also, read about browser security and find out whether there are any known vulnerabilities in your browser. Update your browser whenever a new release is available. Disable unnecessary browser plugins and extensions. Also, be wary of overly long or short URLs on the sites you visit, and avoid clicking them unless you are sure about them.
Remember that there are various types of XSS attack, such as persistent XSS, reflected XSS and DOM-based XSS, and to prevent all of these website vulnerabilities you need to perform secure input filtering on both the client side and the server side.
Use content security policy (CSP)
If you want to add an extra layer of security against XSS attacks, you can use a content security policy in your web pages. CSP adds an HTTP header, Content-Security-Policy, to the response, which means that if your pages carry a CSP the web browser will download resources such as JavaScript and CSS from trusted sources only. Even if malicious code is somehow injected into your page, the browser will not execute it because of the policy you defined in the CSP. With a CSP you can restrict inline resources (inline JavaScript and CSS) and untrusted resources. Before implementing CSP, make sure that the browsers you target support your CSP directives. For further reading on CSP, you can visit https://www.w3.org/TR/CSP/
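The following is an added example, not code from the original article, showing a policy that restricts script and style sources to the page's own origin plus one named host, serialised into the Content-Security-Policy header and sent from a small Node.js HTTP server. The origins, port and function names are placeholders chosen for this illustration; the header syntax (directive followed by space-separated sources, directives joined by semicolons) is that of the W3C CSP specification linked above.

```javascript
// Added example (not from the original article): building and sending a
// Content-Security-Policy header from a Node.js server.

// The policy as a plain object: directive name -> list of allowed sources.
// 'self' is the page's own origin. No 'unsafe-inline' keyword appears, so
// the browser blocks inline <script> blocks and inline event handlers.
const policy = {
  "default-src": ["'self'"],
  "script-src": ["'self'", "https://static.example-cdn.invalid"],
  "style-src": ["'self'"],
  "object-src": ["'none'"],
  "base-uri": ["'self'"],
};

// Serialise the object into the "directive source ...; directive ..." form.
function buildCspHeader(p) {
  return Object.entries(p)
    .map(([directive, sources]) => `${directive} ${sources.join(" ")}`)
    .join("; ");
}

// Decide whether an external script from `origin` would be allowed, using
// script-src and falling back to default-src, as a browser does before it
// fetches the script. Only exact-origin and 'self' matching is modelled here.
function scriptAllowed(p, origin, pageOrigin) {
  const sources = p["script-src"] || p["default-src"] || [];
  return sources.some(
    (s) => (s === "'self'" && origin === pageOrigin) || s === origin
  );
}

// Start a server that sets the header on every response. The http module is
// loaded inside the function so the policy helpers can be used on their own.
function startServer(port) {
  const http = require("http");
  const server = http.createServer((req, res) => {
    res.setHeader("Content-Security-Policy", buildCspHeader(policy));
    res.setHeader("Content-Type", "text/html; charset=utf-8");
    res.end("<!doctype html><h1>CSP-protected page</h1>");
  });
  return server.listen(port);
}

console.log("Header value:", buildCspHeader(policy));
```

To serve the header, call startServer(8080) and request the page; the response carries the policy, and a browser that supports CSP will refuse to run scripts that are inline or come from any origin not listed under script-src. Deploy the same policy first as Content-Security-Policy-Report-Only if you want to see what would be blocked before enforcing it.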
Useful Links:
https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet
http://www.acunetix.com/websitesecurity/wordpress-security-top-tips-secure-wordpress-application/