Cross-site scripting is another type of attack that hackers use to cause damage, steal data, or install malicious worms on web applications.
Today almost all websites allow users to enter some data or comments: there are comment fields, survey forms, search forms and so on. Users enter their data through these forms, and hackers take advantage of the same forms to plant their scripts in the application, usually in the form of links.
When a user clicks the link, the script associated with it executes. This script can contain logic to steal your cookie data, put a worm on your system, or prompt you to enter a username and password which the hacker then steals. Sometimes they install software on your PC to capture your keystrokes.
Once a site is implanted with a malicious script, it can affect the hundreds of users who visit the site and steal a lot of information. The script executes in the browser, steals information from the browser's memory, and can redirect you to the hacker's site. Hackers create fancy sites to which you get redirected and where they ask you to log in with your social media credentials. Once you enter the details, they are saved with the hackers, who can use them to cause you damage.
How to prevent cross-site scripting attacks?
1. Enable a Content Security Policy
As website administrators, we should clearly define in our system what we want to allow and what we do not want to allow users to input. To enforce that, we should enable a Content Security Policy on our website. The administrator can define restrictions on untrusted domains, and restrictions that disallow the use of scripts, images, and other media files.
These kinds of policies give you some protection. Today most browsers provide features to block malicious scripts from executing, so all you need to do is enable those policies and features to make your application secure and robust.
2. Apply encoding on inputs
As we now know, cross-site scripting is caused by script injection, which means the script is an input given by hackers to our system. We can block it by treating this input as data, not as a command. Wherever our application has forms that take data input, we should apply encoding to the input data. Encoding means telling our system that these forms accept data and not commands, so any text entered in them is treated purely as text and never as a command.
Depending on your application's technology, as a developer you will need to find the way to enable this encoding. This can save your system from the deadly commands that scripts contain when they attack your system.
Almost all programming languages have a mechanism to treat text as text and not as a programming instruction.
3. Protection against untrusted HTTP data
OWASP provides a Cross-Site Scripting Prevention Cheat Sheet. This cheat sheet helps you understand how to protect your system against untrusted HTTP data.
To execute any command on a computer, some specific steps have to take place. As a security engineer, you should make sure that your application applies escape sequences against any attempt to execute an executable. This should be detected from the input itself and blocked.
A script trying to attack your system will contain some sequence of instructions that initiates an executable. To find and block this during the data verification steps, there should be a screening of inputs that identifies these sequences.
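The two controls described above, encoding untrusted input so the browser treats it as text (sections 2 and 3) and sending a Content Security Policy header (section 1), as an added JavaScript example that is not part of the original article; the comment rendering functions, the image host list and the sample comment are constructed for illustration.

```javascript
// Added example (not from the original article): HTML output encoding
// and a Content-Security-Policy header value, shown side by side.

// Characters that change meaning inside an HTML text node or attribute
// value. Encoding them makes the browser treat the input as plain text.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#x27;",
  "/": "&#x2F;",
};

// Encode untrusted input before placing it in an HTML body or attribute.
function encodeForHtml(untrusted) {
  return String(untrusted).replace(/[&<>"'/]/g, (ch) => HTML_ESCAPES[ch]);
}

// Hypothetical comment renderer: the unsafe version concatenates raw input
// (the defect the article describes); the safe version encodes it first.
function renderCommentUnsafe(comment) {
  return `<p class="comment">${comment}</p>`;
}
function renderCommentSafe(comment) {
  return `<p class="comment">${encodeForHtml(comment)}</p>`;
}

// Build a restrictive Content-Security-Policy value: scripts only from our
// own origin (inline scripts are not allowed), images from our origin plus
// any explicitly listed hosts, no plugins, and no <base> tag hijacking.
function buildCsp(allowedImageHosts = []) {
  const imgSrc = ["'self'", ...allowedImageHosts].join(" ");
  return [
    "default-src 'self'",
    "script-src 'self'",
    `img-src ${imgSrc}`,
    "object-src 'none'",
    "base-uri 'self'",
  ].join("; ");
}

// Constructed sample comment containing a script tag, as a user might submit.
const sampleComment = '<script>alert("stored")</script>';
console.log("unsafe:", renderCommentUnsafe(sampleComment));
console.log("safe:  ", renderCommentSafe(sampleComment));
console.log("Content-Security-Policy:", buildCsp(["https://cdn.example"]));
```

The header value from `buildCsp` is what the server sends in the `Content-Security-Policy` response header; the browser then refuses to run inline or third-party scripts even if encoding was missed somewhere.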