December 30, 2010

Mitigating Cross Site Scripting

Attackers inject JavaScript, VBScript, ActiveX, HTML, or Flash into a vulnerable application to fool a user and gather data from them, and to harm the victim's PC through things like DNS poisoning, changes to the system's security settings, cookie theft, and adware.

XSS holes can allow JavaScript insertion, which may allow for limited execution. If an attacker were to exploit a browser flaw (browser hole), it could then be possible to execute commands on the client's side. If command execution were possible, it would only be possible on the client side. In simple terms, XSS holes can be used to help exploit other holes that may exist in your browser.



Methods to stop XSS:

Contextual output encoding or escaping of string input:
There are different escaping techniques, such as JavaScript escaping, HTML entity encoding, and URL encoding. Which one is used depends on the location where the string needs to be placed.
HTML escaping alone is not sufficient to keep output safe; the encoding has to be more involved and match the place where the string ends up.
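
As an added illustration (not code from the original post), the sketch below uses a separate encoder for each of the three locations named above and shows that HTML entity encoding leaves characters that still matter inside a JavaScript string. The function names and the sample input are constructed for this example.

```javascript
// Added example: one encoder per output context. Function names are illustrative.

// HTML context (element body or quoted attribute value): entity-encode.
function encodeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// JavaScript string-literal context: escape every non-alphanumeric UTF-16 unit
// as \uXXXX so the value cannot close the literal or the <script> block.
function encodeJsString(s) {
  return String(s).replace(/[^A-Za-z0-9]/g,
    (c) => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// URL context (a single query-string value): percent-encode. encodeURIComponent
// leaves ' ( ) ! * ~ untouched, so the result is still HTML-encoded when the
// URL itself is written into an attribute.
function encodeUrlParam(s) {
  return encodeURIComponent(String(s));
}

// The same untrusted value placed in three locations, each with its own encoder.
function renderPage(untrusted) {
  return [
    '<p>Results for ' + encodeHtml(untrusted) + '</p>',
    '<a href="/search?q=' + encodeHtml(encodeUrlParam(untrusted)) + '">again</a>',
    '<script>var term = "' + encodeJsString(untrusted) + '";</script>',
  ].join('\n');
}

// Constructed sample input containing the metacharacters of all three contexts.
const SAMPLE = 'Tom & "Jerry" </script> it\'s 100%\\';

// True when HTML encoding leaves characters that still matter in a JS string:
// the backslash and line terminators are not HTML metacharacters.
function htmlEncodingLeaksIntoJs(s) {
  return /[\\\r\n\u2028\u2029]/.test(encodeHtml(s));
}

console.log(renderPage(SAMPLE));
console.log('HTML-only encoding unsafe in JS string:', htmlEncodingLeaksIntoJs(SAMPLE));
```

The URL value is encoded twice on purpose: percent-encoding makes it a valid query parameter, and HTML encoding makes that URL safe to write into the `href` attribute.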

Disabling scripts: 

This is another good way to stop XSS. Some sites and web applications do not need client-side scripts, so users can disable scripting in their browsers to be less susceptible to XSS.

  • Firefox comes with an add-on to stop cross-site scripting.
  • Opera and IE come with Security Zones to prevent this for specific sites.

Another good method is to make untrusted HTML go through an HTML policy that validates it and ensures that it does not contain any XSS.

Cookie security:
Many web applications rely on session cookies for authentication between individual HTTP requests, and because client-side scripts generally have access to these cookies, simple XSS exploits can steal them. To mitigate this, web applications can tie the session cookie to the IP address of the user it was issued to and accept it only from that user. This provides protection against most XSS attacks, but in that case the attacker may use a web proxy to tamper with that user's IP and inject XSS.

New technologies such as JavaScript sandboxing and auto-escaping templates, which are being developed by Mozilla, are useful in defending our systems from XSS.
