- Stored XSS: the injected code is permanently stored on the target server, for example in a database, and becomes part of the dynamic content of the website that is rendered in every visitor's browser.
- Reflected XSS: the injected code is delivered as a link, often in an email. When the user clicks the link, the malicious payload is sent to the vulnerable web server, which reflects it back in the response, and the user's browser executes the script as if it came from the trusted web server.
The injection happens via input fields on the HTML page or inside client-side script that accepts or returns data from the user's browser (DOM-based XSS, where the vulnerable sink lives in the DOM handling of the user's browser rather than on the server).
These attacks can steal the user's session cookie and sometimes read other data the page can reach in the user's browser. Sometimes they corrupt the rendering of the user interface and degrade the user experience. While this flaw is easy for developers to correct once it is detected or once they are aware of the risk, it is equally easy for attackers to detect once an application is deployed and reachable over the internet.
Both attackers and developers can use tools such as XSSer and XSSploit to find this type of vulnerability. It is better that the development team identifies these flaws with such tools as part of product or website testing, so the developers can fix them ahead of deployment.
With more data handling and execution moving into JavaScript that talks to web services on the server independently of page loads, the scope of this vulnerability increases. Simple developer practices can substantially reduce the risk:
- Validate input: every input field on the HTML page needs to be validated, for example by rejecting script tags. This is important but not sufficient to prevent all XSS attacks, since payloads such as event-handler attributes on ordinary tags contain no script tag at all. Be aware of the danger when input fields must accept otherwise-invalid characters to suit user requirements.
- Encoding: encode untrusted data so that it is presented as a safe string for its HTML context. This prevents malicious code from executing. Special libraries provide encoding methods for each context. In the same way, any data sent to the user's browser can be HTML entity encoded, which turns any malicious code into harmless display characters in the user's browser.
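The two practices above, as an added worked example (not code from the original page or from any library it mentions): a naive "strip script tags" input filter next to context-aware output encoding, run over a few constructed payloads. The function and variable names and the sample comment record are assumptions made for this illustration.

```javascript
// Added example, not code from the original page. Plain Node.js, no dependencies.
// It contrasts the "reject script tags" input filter with context-aware output
// encoding. All payloads below are constructed samples, not captured traffic.

// 1. Naive input validation: strip <script ...> and </script> tags.
//    This is the check the page calls important but not sufficient.
function stripScriptTags(input) {
  return String(input).replace(/<\s*\/?\s*script\b[^>]*>/gi, "");
}

// 2. Output encoding for HTML text content (data placed between tags).
//    Every character that can open or close a tag or end an attribute
//    becomes an entity, so the browser displays it instead of parsing it.
const HTML_TEXT_ENTITIES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#x27;",
  "/": "&#x2F;",
};
function encodeForHtml(input) {
  return String(input).replace(/[&<>"'/]/g, (c) => HTML_TEXT_ENTITIES[c]);
}

// 3. Output encoding for data inside a quoted HTML attribute value.
//    Encoding everything except alphanumerics means a stray quote or space
//    can never terminate the attribute and introduce an on* event handler.
function encodeForHtmlAttribute(input) {
  return String(input).replace(
    /[^A-Za-z0-9]/gu,
    (c) => `&#x${c.codePointAt(0).toString(16)};`
  );
}

// 4. "Before": a renderer that trusts the script-tag filter alone.
function renderCommentFiltered({ author, text }) {
  return (
    `<div class="comment" data-author="${stripScriptTags(author)}">` +
    `<p>${stripScriptTags(text)}</p></div>`
  );
}

// 5. "After": the same renderer with an encoder chosen per context.
//    "author" lands in an attribute value, "text" lands in element content.
function renderCommentEncoded({ author, text }) {
  return (
    `<div class="comment" data-author="${encodeForHtmlAttribute(author)}">` +
    `<p>${encodeForHtml(text)}</p></div>`
  );
}

// Constructed payloads (hypothetical comment records) that defeat the filter.
const SAMPLE_PAYLOADS = {
  // No <script> tag at all: the filter leaves the event handler untouched.
  eventHandler: { author: "alice", text: "<img src=x onerror=alert(1)>" },
  // Removing the inner <script> once reassembles a working <script> tag.
  nestedTag: { author: "bob", text: "<scr<script>ipt>alert(1)</script>" },
  // Closes the data-author attribute and adds an on* handler to the div.
  attributeBreakout: { author: '" onmouseover="alert(1)', text: "hi" },
};

// Render every payload both ways so the difference is visible side by side.
for (const [name, record] of Object.entries(SAMPLE_PAYLOADS)) {
  console.log(`== ${name} ==`);
  console.log("filtered:", renderCommentFiltered(record));
  console.log("encoded: ", renderCommentEncoded(record));
}
```

The filter-only output keeps `<img src=x onerror=...>` intact, turns the nested payload back into `<script>alert(1)`, and lets the author field close the attribute and attach `onmouseover` to the div; the encoded output renders all three as literal text. The same rule applies in client-side code: prefer DOM APIs and template bindings that treat data as text (`textContent`, Knockout's `text` binding) over `innerHTML` or an `html` binding, and only pass data that has been encoded for that exact context.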
The following links were used to understand XSS flaws in knockout.js applications; the list also includes a link to a secured library:
- How to find XSS in Knockout.js Applications
- CRV2 ClientSideCodeJScript
- Security Issues with Single Page Apps
- Check your XSS filters
If you want to allow users to customize their web page using HTML and CSS, take care of the XSS vulnerability there as well: the permitted markup has to be sanitized against an allow-list of tags and attributes, because encoding alone would display the markup as text instead of rendering it.