There are several places where script can be embedded into a web page or web application. Malicious scripts are typically injected through input fields, placed between <script> … </script> tags, because the user's input is placed directly into a comment or forum post. When any user visits a page whose comments or forum posts include such malicious code, the attacker's script runs in that visitor's browser. Other HTML tags such as <img>, <embed>, <frame>, <frameset>, <applet>, <iframe>, <meta>, <object> and <style> are also vulnerable to script injection.
Types of XSS Attacks
All XSS attacks execute malicious code in the victim's browser; based on how that code reaches the browser, XSS attacks are divided into three types.
1. Persistent XSS
This is the type of XSS attack where the malicious script is served from the website's or web application's database. The attacker first inserts malicious code into the website's database through input fields. When a victim's browser later requests a page, the stored script is loaded from the database and the attack succeeds.
2. Reflected XSS
This is the type of XSS attack where the malicious script originates from the victim's own request. The attacker sends the victim a URL containing the malicious script. When the victim clicks that URL, the real page is loaded, but its content is changed by the script embedded in the URL. The script then sends the victim's sensitive data and cookies to the attacker's server. The scenario created by this XSS attack is also called phishing. Phishing means presenting the user with a completely fake site that cannot be distinguished from the original one.
3. DOM Based XSS
DOM-based XSS is slightly different from reflected XSS. In a DOM-based XSS attack, nothing happens in the victim's browser until the script within the page executes. Here the page's own script directly uses the user input and adds HTML code to the page, so the malicious script is injected into the page through the innerHTML property of HTML elements.
Preventing XSS Attacks
In order to prevent cross-site scripting (XSS) on your website or web application, you have to secure its input handling. Encoding and validation are the most common ways of performing secure input handling. Encoding means escaping the user input so that the browser interprets it only as data and cannot execute it as code.
Validation is another way of protecting your website or web application. When validating input, we filter the user input so that what the browser interprets contains no malicious commands. In web development, we can validate the user's data by allowing some HTML elements such as <em> and <strong> while disallowing other HTML elements such as <script>.
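As an added example (not code from the original article), here is one way to implement that allowlist in JavaScript: all input is HTML-encoded first, and then only the exact <em> and <strong> tags (with no attributes) are re-enabled, with unmatched tags closed so a single comment cannot affect the rest of the page. The ALLOWED_TAGS list, the helper names and the sample strings are constructed for this example.

```javascript
// Added example (not code from the original article): allowlist validation for
// comment markup. Everything is entity-encoded first, then the exact encoded
// forms of the allowed tags are turned back into real tags. The tag list and
// sample inputs are constructed for this example.
const ALLOWED_TAGS = ['em', 'strong'];

// Minimal HTML entity encoding of the characters that are significant in
// HTML element content.
function encodeHtml(input) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '/': '&#x2F;' };
  return String(input).replace(/[&<>"'\/]/g, (ch) => map[ch]);
}

// Recognise only "<em>", "</em>", "<strong>", "</strong>" in their encoded form.
// A tag carrying attributes or whitespace does not match and stays encoded text.
const ALLOWED_TOKEN = new RegExp(`&lt;(&#x2F;)?(${ALLOWED_TAGS.join('|')})&gt;`, 'g');

function allowlistMarkup(input) {
  const encoded = encodeHtml(input);
  const open = [];      // stack of currently open allowed tags
  let out = '';
  let last = 0;
  for (const m of encoded.matchAll(ALLOWED_TOKEN)) {
    const [whole, closing, tag] = m;
    out += encoded.slice(last, m.index);
    last = m.index + whole.length;
    if (!closing) {
      open.push(tag);
      out += `<${tag}>`;
    } else if (open[open.length - 1] === tag) {
      open.pop();
      out += `</${tag}>`;
    } else {
      out += whole;     // stray or mis-nested closing tag stays literal text
    }
  }
  out += encoded.slice(last);
  while (open.length) out += `</${open.pop()}>`;  // never leave a tag open
  return out;
}

// Constructed sample inputs: allowed markup, a disallowed tag, and an allowed
// tag that tries to carry an attribute.
const SAMPLES = [
  '<em>hi</em>',
  '<script>x</script>',
  '<em onclick="x">a</em>',
  '<strong>bold',
];

if (typeof require !== 'undefined' && require.main === module) {
  for (const s of SAMPLES) console.log(JSON.stringify(s), '=>', allowlistMarkup(s));
}
```

Because the allowed tags are re-enabled only in their exact encoded form, an attribute on an allowed tag, a tag with extra whitespace, or any tag not on the list never becomes markup; it reaches the browser as text.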
There are many contexts in a web page where user input might be inserted, and the HTML characters have to be escaped for the specific context in which the input lands. According to the OWASP XSS (Cross Site Scripting) Prevention Cheat Sheet, the following are the contexts where user input might be inserted, and the user data has to be escaped before being inserted into the web page.
1. On HTML Element Content
If you insert user input directly into the HTML body of your web page, inside normal tags like div, p, b, i or em, you have to escape the HTML characters coming from the input fields before inserting them into the web page. Escape the following characters with HTML entity encoding to prevent the code from executing:
& → &amp;
< → &lt;
" → &quot;
' → &#x27;
/ → &#x2F;
2. On HTML Common Attributes
If you insert user data into common HTML attribute values like name, value or width, you have to escape all characters with ASCII values less than 256 using the &#xHH; format, in order to prevent malicious code from being inserted through attribute values.
4. On CSS Property Value
If you use user data in a stylesheet or style tag, it can be the cause of an XSS attack. To protect your web page from such attacks, escape all characters with ASCII values less than 256 using the \HH escape format.
5. On URL Parameter Values
Malicious code may be injected when you use user data in a URL parameter value. To prevent such attacks, escape all characters with ASCII values less than 256, except alphanumeric characters, using the %HH escape format.
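As an added example (not code from the original article), the following JavaScript implements one encoder per context listed above, following the OWASP cheat sheet rules the article cites. It goes slightly beyond the lists above in the way the cheat sheet does: it also encodes > in element content, leaves alphanumerics untouched in attribute and CSS values, and percent-encodes the UTF-8 bytes of characters above 255 in URL parameters. The renderComment function, the field names and the sample comment are constructed for illustration.

```javascript
// Added example (not code from the original article): one output encoder per
// context listed above, following the OWASP XSS Prevention Cheat Sheet rules
// the article cites. The rendering function and sample input are constructed.

// Context 1: HTML element content. Entity-encode the significant characters.
const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '/': '&#x2F;' };
function encodeForHtmlContent(input) {
  return String(input).replace(/[&<>"'\/]/g, (ch) => HTML_ENTITIES[ch]);
}

// Shared helpers: single-character alphanumeric test and two-digit uppercase hex.
function isAlphanumeric(ch) {
  return /^[A-Za-z0-9]$/.test(ch);
}
function hex2(code) {
  return code.toString(16).toUpperCase().padStart(2, '0');
}

// Context 2: HTML attribute values. Every non-alphanumeric character with a
// code point below 256 becomes &#xHH;. Characters above 255 are left as they
// are; none of them can close an attribute or start a tag.
function encodeForHtmlAttribute(input) {
  return Array.from(String(input), (ch) => {
    const code = ch.codePointAt(0);
    if (isAlphanumeric(ch) || code > 255) return ch;
    return `&#x${hex2(code)};`;
  }).join('');
}

// Context 4: CSS property values. Non-alphanumeric characters below 256 become
// \HH. A CSS escape would swallow up to six following hex digits, so each
// escape is terminated with a space, which the CSS parser consumes.
function encodeForCssValue(input) {
  return Array.from(String(input), (ch) => {
    const code = ch.codePointAt(0);
    if (isAlphanumeric(ch) || code > 255) return ch;
    return `\\${hex2(code)} `;
  }).join('');
}

// Context 5: URL parameter values. Percent-encode every byte of the UTF-8 form
// except ASCII alphanumerics. encodeURIComponent() would leave characters such
// as ' ( ) * unencoded, which is why this is done by hand.
function encodeForUrlParameter(input) {
  const bytes = new TextEncoder().encode(String(input));
  return Array.from(bytes, (b) => {
    const ch = String.fromCharCode(b);
    return isAlphanumeric(ch) ? ch : `%${hex2(b)}`;
  }).join('');
}

// Putting it together: each untrusted field is encoded for the exact context
// it lands in. The profile value sits in a URL inside an attribute, so it is
// encoded for the inner context (URL) first and the outer one (attribute) second.
function renderComment({ author, body, color, profile }) {
  return (
    `<div class="comment" style="color: ${encodeForCssValue(color)}">` +
    `<a href="/profile?user=${encodeForHtmlAttribute(encodeForUrlParameter(profile))}"` +
    ` title="${encodeForHtmlAttribute(author)}">${encodeForHtmlContent(author)}</a>` +
    `<p>${encodeForHtmlContent(body)}</p></div>`
  );
}

// Constructed sample comment using the article's <script> case as the body.
const SAMPLE_COMMENT = {
  author: 'mal"lory',
  body: '<script>alert(1)</script>',
  color: 'red; background: url(x)',
  profile: 'a b&c=d',
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log(renderComment(SAMPLE_COMMENT));
}
```

The rendered fragment contains the body as &lt;script&gt;…&lt;&#x2F;script&gt;, the quote in the author name as &#x22; inside the title attribute, and the semicolon in the colour value as \3B followed by a space, so none of the fields can break out of its context.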