Is your website XSS vulnerable?

Cross-site scripting (XSS) is an injection attack, similar to SQL injection. Instead of injecting a SQL query, the attacker injects malicious code, usually JavaScript. The victim is the user rather than the application.

An attacker injects malicious code, usually by embedding JavaScript in a trusted website. From the trusted server, the code is delivered to the victim’s HTML-enabled agent (browser or email client), where it is interpreted as executable code instead of data. The malicious code runs with the same privileges as an authorized script, while the user (victim) is under the false belief that the code comes from the trusted website. Cross-site scripting attacks occur in the following ways.

  • Stored XSS: the injected code is permanently stored on the target server, for example in a database, and becomes part of the dynamic content of the website that is rendered in the browser.
  • Reflected XSS: the injected code is delivered as a link, typically in an email. When the user clicks the link, the malicious code goes to the vulnerable web server and is reflected back to the user’s browser, which executes the script because it appears to come from the trusted web server.
  • DOM-based XSS: the injection happens via input fields on the HTML page or inside client-side script that accepts or returns data from the user’s browser (that is, inside the DOM of the user’s browser).

These attacks can steal and expose the user’s session cookie and sometimes expose files on the user’s machine to the attacker. Sometimes they break the rendering of the user interface and degrade the user experience. While developers can easily correct this flaw once it is detected or once they are aware of the risk, attackers also find it easy to detect once an application is deployed and accessible over the internet.

Attackers and developers alike can use tools such as XSSer and XSSploit to find this type of vulnerability. It is better that the development team identifies these flaws with such tools as part of testing the product or website, so that the developers can fix them ahead of deployment.

With more data handling and execution moving into JavaScript that talks to web services on the server independently, the scope of this vulnerability increases. Simple developer practices can substantially reduce the risk from this vulnerability:

  • Validate input: every input field in the HTML page needs to be validated for script tags. This is important but may not be sufficient to prevent all XSS attacks. Be aware of the danger when input fields are allowed to accept otherwise invalid characters in order to suit user requirements.
  • Encoding: the inputs in a field can be encoded and presented as a string that is safe for HTML use, which prevents malicious code from executing. There are special libraries that provide encoding methods. In the same way, any data sent to the user’s browser can be HTML entity encoded, so that any malicious code becomes harmless display characters in the user’s browser.
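The two practices above, as an added example that is not code from the original post: a rendering function that concatenates untrusted text into markup beside its hardened form that entity-encodes on output, plus an allow-list validator for a field with a strict format. The function names (`escapeHtml`, `isValidUsername`, `renderCommentUnsafe`, `renderCommentSafe`) and the sample payload are assumptions chosen for this illustration; it runs under Node.js without a browser.

```javascript
// Added example, not code from the original post: a vulnerable rendering
// function beside its hardened form, showing the two mitigations the post
// lists (input validation and HTML entity encoding). Function names and the
// sample payload are assumptions chosen for this illustration.

// Minimal HTML entity encoder: each character that can open or close markup
// or an attribute value is replaced with its entity, so the browser displays
// it instead of interpreting it.
const ENTITY_MAP = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;',
  '"': '&quot;', "'": '&#x27;', '/': '&#x2F;',
};
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"'\/]/g, (ch) => ENTITY_MAP[ch]);
}

// Allow-list validation for a field with a strict format (a username here).
// This is the "validate input" practice: it rejects markup outright, but it
// cannot be applied to free-text fields that legitimately contain < or &,
// which is why encoding on output is still required.
function isValidUsername(value) {
  return /^[A-Za-z0-9_.-]{1,32}$/.test(value);
}

// The vulnerable pattern behind reflected and DOM-based XSS: untrusted text
// is concatenated straight into markup that the browser will parse.
function renderCommentUnsafe(text) {
  return '<p>' + text + '</p>';
}

// Hardened form: the same data is entity-encoded on output, so a payload
// becomes harmless display characters.
function renderCommentSafe(text) {
  return '<p>' + escapeHtml(text) + '</p>';
}

// Constructed sample payload of the kind a URL parameter or form field might carry.
const samplePayload = '<img src=x onerror=alert(1)>';

console.log(renderCommentUnsafe(samplePayload)); // the <img> tag survives and would execute in a browser
console.log(renderCommentSafe(samplePayload));   // <p>&lt;img src=x onerror=alert(1)&gt;</p>
console.log(isValidUsername('alice_01'), isValidUsername(samplePayload)); // true false
```

In a real page, prefer assigning untrusted text to `textContent` (or a framework's text binding) over building markup strings at all, and use a maintained encoding library rather than a hand-written map like the one above, since attribute, URL and JavaScript contexts each need different encoding rules.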

Check whether your website is free of XSS vulnerabilities. If static code analysis is performed on your C# or Java code, it is time to check whether your JavaScript code is also subjected to static code analysis.
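To make the static-analysis point concrete, here is an added example (not code from the original post) of the simplest kind of rule such a tool applies to JavaScript: flag a DOM sink (`innerHTML`, `document.write`, `eval`, ...) whose input comes from a source the user or the URL controls (`location.search`, `document.referrer`, ...). The sink and source lists, the function name `findXssSinks` and the sample source text are constructed for this illustration; a real analyzer tracks data flow across functions and files far more thoroughly.

```javascript
// Added example, not code from the original post: a minimal static check for
// JavaScript source that flags DOM sinks fed by attacker-controllable sources.
// Sink/source lists, the function name and the sample file are constructed
// for this illustration.

// Sinks: places where a string is parsed as HTML or executed as code.
const SINKS = [
  /\.innerHTML\s*=/, /\.outerHTML\s*=/, /document\.write\s*\(/,
  /\beval\s*\(/, /insertAdjacentHTML\s*\(/,
];
// Sources: values the user or the URL controls.
const SOURCES = [
  /location\.(search|hash|href)/, /document\.(URL|referrer|cookie)/,
  /window\.name/,
];

// Scans line by line. A finding is reported when a sink line references a
// source directly, or references a variable that an earlier
// `var|let|const x = <source>` declaration assigned from a source.
function findXssSinks(sourceText) {
  const findings = [];
  const tainted = new Set();
  sourceText.split('\n').forEach((line, idx) => {
    const decl = line.match(/^\s*(?:var|let|const)\s+([A-Za-z_]\w*)\s*=\s*(.+)$/);
    if (decl && SOURCES.some((s) => s.test(decl[2]))) tainted.add(decl[1]);
    const sink = SINKS.find((s) => s.test(line));
    if (!sink) return;
    const fedBySource = SOURCES.some((s) => s.test(line));
    const fedByTainted = [...tainted].some((v) => new RegExp('\\b' + v + '\\b').test(line));
    if (fedBySource || fedByTainted) {
      findings.push({ line: idx + 1, sink: sink.source, text: line.trim() });
    }
  });
  return findings;
}

// Constructed sample of client-side code: lines 4 and 6 are unsafe, line 5
// uses textContent (not a sink) and line 8 assigns a constant to a sink.
const SAMPLE = `
var q = location.search.substring(1);
var greeting = document.getElementById('greeting');
greeting.innerHTML = 'Hello ' + q;
greeting.textContent = 'Hello ' + q;
document.write('<p>' + document.referrer + '</p>');
var safe = 'constant';
greeting.innerHTML = safe;
`;

for (const f of findXssSinks(SAMPLE)) {
  console.log(`line ${f.line}: sink ${f.sink} fed by untrusted data -> ${f.text}`);
}
```

A check this crude produces both misses (data passed through a function call) and false alarms (a variable that was sanitized after being assigned from a source), which is the reason to run a proper static analyzer on the JavaScript rather than only on the server-side C# or Java.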

I used the following links to understand XSS-related flaws in knockout.js, and a link to a secure library.

If you want to allow users to customize their web page using HTML and CSS, please also take care of the XSS vulnerability.