securitywing

Effective Ways to Prevent Cross Site Scripting(XSS) Attacks

by wing

Not every developer pays equal attention to web security and vulnerabilities, especially cross-site scripting, when they start coding. Their primary goal is to get the project finished. Websites built with insecure code can be easily exploited by attackers. Your browser will not prevent XSS automatically unless you disable its ability to run scripting languages such as JavaScript, or you only visit sites that you trust.

Below is a list of tips to defend against XSS attacks:

Input and output filtering

Filtering can be done in the form of input sanitization, output sanitization and input blocking. Once you implement input sanitization, your page will catch invalid input or content. When a user enters data, the webpage checks whether the data is in a format that you consider acceptable. If a user supplies wrong input, your page shows a message stating which input it expects.

There is not much difference between input sanitization and input blocking. The only difference is that input blocking reflects the blocked content back in the page. Many web developers prefer input sanitization over input blocking because it strips all unwanted or invalid data before the input is passed to the application.

Output sanitization is applied to the data sent back from the server to the client's browser. Depending on the types of XSS attacks you want to deflect, you can choose the right filtering method for your application.
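As an added example (not code from the securitywing article), the following JavaScript shows the two filtering steps described above: allowlist input validation that reports which format each field expects, and input sanitization that strips tag-like fragments from free text before it reaches the application. The field names, patterns and messages are constructed for this demo.

```javascript
// Added example (not from the securitywing article): allowlist input
// validation with a user-facing message that states the expected format,
// plus input sanitization that strips tags from free text before it is
// handed to the application. Field names and rules are constructed here.

// Each rule: a regular expression the whole raw value must match, and the
// message shown to the user when it does not.
const fieldRules = {
  username: {
    pattern: /^[A-Za-z0-9_]{3,20}$/,
    expects: 'username: 3-20 letters, digits or underscores',
  },
  age: {
    pattern: /^(?:[1-9]\d?|1[01]\d|120)$/,
    expects: 'age: a whole number from 1 to 120',
  },
  zip: {
    pattern: /^\d{5}$/,
    expects: 'zip: exactly 5 digits',
  },
};

// Input validation: return the list of messages for fields that do not
// match their allowlist. An empty list means the input is acceptable.
function validateInput(fields) {
  const errors = [];
  for (const [name, rule] of Object.entries(fieldRules)) {
    const value = fields[name];
    if (typeof value !== 'string' || !rule.pattern.test(value)) {
      errors.push(rule.expects);
    }
  }
  return errors;
}

// Input sanitization for free-text fields: remove anything that looks like
// an HTML tag (including an unterminated "<") so it never reaches the
// application. This is a cleaning step for stored data, not a substitute
// for encoding the value again when it is written into a page.
function sanitizeText(value) {
  return String(value).replace(/<[^>]*>?/g, '').trim();
}
```

A form handler would call `validateInput` first and return the messages to the user on failure; only values that pass are sanitized and stored.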

Input encoding

Encoding is a way to make sure that user input is treated as data by the browser. When the browser treats encoded input as data rather than as code, there is no chance of that code being executed.

Example of a JavaScript code:

    <script>
    function myFunction() {
        document.getElementById("mydemo").innerHTML = "Change your header text";
    }
    </script>

If we encode the above code, it will look like this:

    &lt;script&gt;
    function myFunction() {
        document.getElementById(&quot;mydemo&quot;).innerHTML = &quot;Change your header text&quot;;
    }
    &lt;/script&gt;

Since the special characters have been escaped, the web browser will not parse any of the input as code; instead it will treat it as data.

Remember that if users have to input a URL, you cannot prevent XSS with the encoding technique alone. In that case you are better off using input validation/sanitization.
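The following JavaScript is an added example, not code from the securitywing article. It implements the output encoding shown above (reproducing the article's encoded script sample) and the separate scheme check that a user-supplied URL needs before it is placed in an href, where encoding alone leaves a non-HTTP URL intact. The function names are this example's own.

```javascript
// Added example (not from the securitywing article): output encoding that
// turns the article's script sample into inert text, plus the URL scheme
// check needed when user input lands in an href. Function names are this
// example's own.

// Map each HTML-significant character to its entity. Covers the characters
// the article's example escapes (<, >, ") plus & and ', which must also be
// encoded when data is placed into HTML.
const htmlEntities = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
};

// Output encoding: every user-supplied string passes through this before
// it is concatenated into an HTML response.
function encodeHtml(input) {
  return String(input).replace(/[&<>"']/g, (ch) => htmlEntities[ch]);
}

// URL validation by scheme allowlist. Encoding a URL does not change its
// scheme, so a non-HTTP URL would still be followed when clicked; the
// scheme itself has to be checked. Relative URLs are rejected here too
// (the WHATWG parser needs an absolute URL without a base).
function isSafeHttpUrl(candidate) {
  let url;
  try {
    url = new URL(String(candidate).trim());
  } catch (e) {
    return false; // not an absolute URL at all
  }
  return url.protocol === 'http:' || url.protocol === 'https:';
}

// Build link markup only for URLs that passed the scheme check, and still
// encode the value because it is placed inside an attribute.
function renderLink(candidate, label) {
  if (!isSafeHttpUrl(candidate)) {
    return encodeHtml(label); // no link: show the label as plain text
  }
  return `<a href="${encodeHtml(candidate)}">${encodeHtml(label)}</a>`;
}

// The article's sample script, constructed here as a single string.
const sampleScript =
  '<script>function myFunction() { ' +
  'document.getElementById("mydemo").innerHTML = "Change your header text"; }</script>';
```

`encodeHtml(sampleScript)` yields the same `&lt;script&gt;` ... `&lt;/script&gt;` text as the article's encoded listing, while `renderLink` shows why the href case is handled by validation instead.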

Note: an XSS vulnerability exists in a website when the malicious script or code that an attacker inserts into the site gets parsed by the browser.

Select a secure browser

Always use a web browser that has strong security features, such as Firefox or Chrome. Also, read about browser security and find out whether there are any known vulnerabilities in your browser. Update your browser whenever a new release is available. Disable unnecessary browser plugins and extensions. Be wary of overly long or short URLs you find on sites you visit, and avoid clicking them unless you are sure about them.

Remember that there are various types of XSS attacks, such as persistent XSS, reflected XSS and DOM-based XSS, and to prevent all of these website vulnerabilities you need to perform secure input filtering on both the client side and the server side.

Use content security policy (CSP)

If you want to add an extra layer of security against XSS attacks, you can use a Content Security Policy in your web pages. CSP adds an HTTP header, Content-Security-Policy, to the response; if your pages carry a CSP, the web browser will load resources such as JavaScript and CSS from trusted sources only. Even if malicious code is somehow injected into your page, the browser will not execute it because of the policy you defined. By defining a CSP you can restrict inline resources (inline JavaScript, CSS) and untrusted resources. Before implementing CSP, make sure that the browsers you target support your CSP directives. For further reading on CSP, visit https://www.w3.org/TR/CSP/
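As an added example (not code from the securitywing article or from the W3C specification), the JavaScript below builds a Content-Security-Policy header value from a directive map, attaches it to a Node-style HTTP response, and parses a header back to check whether inline scripts would be allowed. The directive set and the CDN host name are this example's own placeholders; adjust them to the sources your pages actually use.

```javascript
// Added example (not from the securitywing article): building a
// Content-Security-Policy header and attaching it to a Node-style HTTP
// response. The directive set and the CDN host are placeholders chosen
// for this example.

// Policy as a map of directive -> source list. 'self' means the page's own
// origin. script-src has no 'unsafe-inline', so inline <script> blocks,
// including any injected into the page, are not executed.
const policy = {
  'default-src': ["'self'"],
  'script-src': ["'self'", 'https://cdn.example.com'], // placeholder CDN host
  'style-src': ["'self'"],
  'object-src': ["'none'"],
  'base-uri': ["'self'"],
};

// Serialize the map into the header value: "directive source ...; ...".
function buildCspHeader(directives) {
  return Object.entries(directives)
    .map(([name, sources]) => `${name} ${sources.join(' ')}`)
    .join('; ');
}

// Parse a header value back into a map of directive -> sources.
function parseCsp(headerValue) {
  const result = {};
  for (const part of headerValue.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) result[tokens[0]] = tokens.slice(1);
  }
  return result;
}

// Does the policy let inline scripts run? They need 'unsafe-inline' in
// script-src, or in default-src when script-src is absent (the fallback
// rule CSP applies for fetch directives).
function allowsInlineScript(headerValue) {
  const parsed = parseCsp(headerValue);
  const sources = parsed['script-src'] || parsed['default-src'] || [];
  return sources.includes("'unsafe-inline'");
}

// Attach the header to a response object that exposes setHeader, as Node's
// http.ServerResponse does.
function withCsp(res) {
  res.setHeader('Content-Security-Policy', buildCspHeader(policy));
  return res;
}

// Request handler: every page served gets the policy header. The script is
// loaded from the page's own origin, which the policy permits.
function handler(req, res) {
  withCsp(res);
  res.setHeader('Content-Type', 'text/html; charset=utf-8');
  res.end('<!doctype html><h1 id="mydemo">Header text</h1><script src="/app.js"></script>');
}
```

To serve it, pass `handler` to `require('http').createServer(handler).listen(8080)`; the browser's developer console then reports any inline or off-policy script it refused to run.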


Useful Links:

https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet

http://excess-xss.com/

http://www.acunetix.com/websitesecurity/wordpress-security-top-tips-secure-wordpress-application/

Filed Under: Internet Security and Safety Tagged With: cross site scripting, vulnerability, xss

Copyright © 2010-2023 ·All Rights Reserved · SecurityWing.com