XSS is a common and very popular vulnerability also took place in Owasp Top10 from the beginning. XSS is hard to detect and very dangerous since an attacker can gain the ability what user can do and see like passwords, financial information, etc.
XSS has two mail types called Stored XSS which is when malicious script directly injected to the vulnerable application, and Reflected XSS which involves reflecting malicious script into the page, and it would be activeted when the link has been clicked.
It is hard to detect XSS attacks, I try to give some detection and prevention suggestions.
Detection:
Common XSS attacks use HTML tags like <script></script>, <BODY>, <INPUT>, or <IMG>. Atackers also can use encoding to bypass safeguards like below;
XSS Script: <script>alert(“XSS”)</script>
HEX encoded: %3cscript%3ealert(“XSS”)%3c/script%3e
It is important to check logs to detect these tags to detect an XSS attack. Double encoding can be also used by attackers since some WAFs can detect encoding on the traffic;
Double encoded: %253cscript%253ealert(1)%253c/script%253e
Some applications can block the lower case strings, so attackers can toggle the code to bypass hem;
Toggle case: <sCRipT>alert(“XSS”)</ScRiPt>
It is also possible to detect XSS attacks in logs with some regex;
To detect an attack like; <script>alert(1)</script>
It is possible to check with this regex; ((\3C)|<)(\2F)|\/*(script)((\%3E)|>)
Prevention:
- To prevent against XSS attacks, web application must perform HTML encoding on the output sent to the users. Thus, in the user side, web browsers can only display but cannot run the scripts placed in the request. HTML encoding prevents the execution of the response
- WAF is the most important prevention method against XSS. WAFs can also detect and block similar attacks like file injection
- All non-alphanumeric characters must be checked before displaying the users’ input in the web application
- PKI must be used for authentication
- A security review of the code is needed to identify XSS vulnerabilities and search all of the places where the input from an HTTP request comes
- Attackers can use different HTML tags, so vulnerability scanners provides ease to check all of them in the web application
- Check headers, cookies, string form and hidden fields in the code with a security perspective
- Input fields should be limited to a maximum character count when you allow user input in the web application
- Do not publish users’ input directly in forums and comment fields, all comments should be reviewed with a security perspective firstly
- A proxy and web content filtering must be used in the organization to filter unnecessary websites, especially like forums
- Do not trust HTTPS when it comes to XSS