Cross-site scripting attacks: A cheat sheet

Discussion in 'other security issues & news' started by ronjor, Dec 3, 2018.

  1. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    78,789
    Location:
    Texas
    By Brandon Vigliarolo December 3, 2018
     
  2. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    2,592
    Location:
    Canada
    Thanks Ron! XSS doesn't get nearly the attention it merits in these forums. It's always lesser threats that get discussed in depth and at length instead.
     
  3. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    78,789
    Location:
    Texas
    He explained it very well. :thumb:
     
  4. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    12,126
    Location:
    The Netherlands
    It would have been even better if he gave more clear examples of how such an attack would work. It's still not completely clear to me. And I don't think I have ever been exploited by an XSS attack in over 20 years of web browsing.
     
  5. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    2,592
    Location:
    Canada
    This site might offer some clearer examples and explanation. BTW, XSS is one of the reasons why browser extensions like NoScript and uBlockO are available and recommended.
     
  6. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    12,126
    Location:
    The Netherlands
    OK thanks, will do some reading and it does seem to be more clear about this subject.
     
  7. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    19,922
    How to Prevent Cross-Site Scripting (XSS) Attacks
    August 22, 2019
    https://blog.rapid7.com/2019/08/22/how-to-prevent-cross-site-scripting-xss-attacks/
     
  8. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    19,922
    What is cross-site scripting (XSS)?
    September 16, 2019
    https://www.itpro.co.uk/cross-site-scripting-xss/34411/what-is-cross-site-scripting-xss
     
  9. Yuki2718

    Yuki2718 Registered Member

    Joined:
    Aug 15, 2014
    Posts:
    1,779
    It turned out that input sanitization, particularly blacklisting, doesn't work in real world, and it's more so in the HTML5 era where many more attributes have been added. The rule of thumb to prevent XSS is escaping at HTML generation, and now we have CSP. CSP can be headache for webmaster, but even report-only mode makes sense and older headers like X-XSS-Protection & X-Content-Type-Options are still available, tho many sites don't adopt them.
     
  10. Yuki2718

    Yuki2718 Registered Member

    Joined:
    Aug 15, 2014
    Posts:
    1,779
    100% agreed. Each security measure should be prioritized by what is most likely pathway your data may be leaked. Once I learned malware protection, I moved to focus on these web threats and router security. Next I looked at online services, hardened passwords and reduced info on them, at the same time evaluated each services for their security using various methods and closed or switched some services. Now I'm trying to secure my family and colleagues.
    If you know none of your username, password, etc. have ever been leaked, you'll be right. If not, how can you know? Ofc when a big name like Twitter had a XSS vuln, it made news. But for less popular services nothing is sure and XSS vuln is too much prevalent among them. There's no client-side "scanner" to see if you're affected. Just pray all your services don't have such a vuln, or criminals overlook them, or they have sufficient detection system and diligently report you about data leakage.

    We take security measures not because we'll be affected but as a proactive measure as there's a little probability. The probability you get infected would be close to 0% except supply chain attack, but that of getting to be victim of XSS would be much higher if you don't take any measure. We once talked about Opera's what-is-now-called supply chain attack. After that I stopped using all unnecessary software including CCleaner as a proactive measure. We know what happened after that.
     
  11. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    2,592
    Location:
    Canada
    Thanks Yuki, I'm glad I'm not the only one :) So much prevention depends on the server's admin doing a thorough job on hardening their web applications to prevent XSS. Honestly I don't think about XSS that much at all, but I know it's a real and serious threat. On my end I use script control with a browser extension and browser hardening.
     
  12. Yuki2718

    Yuki2718 Registered Member

    Joined:
    Aug 15, 2014
    Posts:
    1,779
    Yeah, I don't too but it's at least more worth considering than fearing about a highly sophisticated targetted attack. If you don't grobally allow scripts/frames for your important sites, you'll be safe from not only XSS but also Clickjacking and some CSRF. Preventing all CSRF requires hard-mode or uMatrix, but there's an alternative approach to prevent all of them: separate browser profiles so when you login to a site or purchase sth use a dedicated profile for that while keep all other browsing on another profile (or another browser). Firefox's tab sandbox is yet another way to achieve the same.

    Of note, forcing "SameSite=Lax" which I noted here mitigates some CSRF and many timing attacks such as Twitter-Silhouette & several TLS side-channels. If you use Firefox, changing "network.cookie.sameSite.laxByDefault" to True have the same effect. I've been browsing with them turned on, so far I've found some embedded videos don't work because of this - as those services have not added SameSite=None to their cookies.
     
Loading...
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.