Exposed to XSS? Regain Your Composure (and Security)
Posted by hyperguard on September 22, 2009
I recently read a very interesting article, Tech Insight: XSS Exposed, by Dark Reading’s John Sawyer. He discusses how a cross-site scripting (XSS) attack can steal a user’s credentials, exploit their Web browsers and take action on their behalf without their knowledge. I wanted to add some of my thoughts on this article and share ways users can prevent and protect themselves against these attacks.
As stated in the article, XSS is always caused by missing input validation, the place where hyperguard comes into play. It scans every request (and therefore every user input) for malicious code that wants to be stored or executed. When a user is tricked into clicking a link containing XSS, the request is denied by the distributed web application firewall (dWAF) and the script will not run. Also, the script will not get stored into a database if the dWAF prohibits the request with the data from entering the web application. The problem with persistent XSS is that it is typically done on a prepared site that has bait for the victim, resulting in running malicious code.
The mechanism behind the protection that hyperguard delivers is easy and contains blacklist rules. These patterns know what an XSS looks like and causes the dWAF to deny the request. The second and more secure approach is to whitelist all input in the application. This is more work, but it helps to create a very secure web application, where every user input is validated. XSS attacks can take on many forms so you should never trust input from users.
In John’s article, he mentions OWASP’s XSS Prevention Cheat Sheet, which provides detailed information on when and where encoding should be done. XSS attacks should be taken seriously because they do happen often and can be very costly for businesses. It is important to take the necessary steps to prevent them and learn how to protect yourself if they do occur.