Preventing XSS Attacks


    7/28/2019 Preventing XSS Attacks

    Submitted by Jeremy Pullicino on March 22, 2011 10:24 pm (2 Comments)

    Cross Site Scripting (XSS) attacks are amongst the most common types of attacks against web applications. All XSS attacks fall under the same category, but a closer look at the techniques employed reveals a multitude of tactics that exploit a variety of attack vectors. A detailed look at XSS attacks can be found in the article Cross-Site Scripting attack (http://www.acunetix.com/websitesecurity/cross-site-scripting.htm).

    This article guides you through the two most common and useful XSS prevention mechanisms: filtering and escaping.

    Filtering for XSS

    All XSS attacks enter your web site via some form of user input. XSS attack code could come from a simple form submitted by your users, or could take a more complex route such as a JSON payload, an XML web service or even a manipulated cookie. In all cases the web developer should be aware that the data is coming from an external source and therefore must not be trusted.

    The simplest and arguably the easiest form of XSS protection would be to pass all external data through a filter which removes dangerous keywords, such as the infamous <script> tag, JavaScript commands, CSS styles and other dangerous HTML markup (such as tags that contain event handlers).

    Many web developers choose to implement their own filtering mechanisms; they usually write server-side code (in PHP, ASP, or some other web-enabled development language) to search for keywords and replace them with empty strings. I have seen lots of code that uses regular expressions to do this filtering and replacing. The technique is not in itself a bad one, but attackers usually have more experience with it than the developers writing the filter, and often manage to circumvent simple filters by using techniques such as hex encoding, Unicode character variations, line breaks and null characters in strings. All of these techniques must be catered for, and that is why it is recommended to use a library that has been tried and tested by the community at large.
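As an added illustration (this code is not from the article; the three filters, the function names and the payloads are all constructed for it), here is what happens when hand-written keyword filters of the kind described above meet inputs that use the tricks just listed. A single-pass regex is defeated by case changes, a line break inside the tag, and a nested tag that reassembles itself after removal; a fixed-point loop closes the nesting hole but still lets an event-handler attribute through, because the denylist never mentioned it.

```javascript
// Added example, not code from the article: why a keyword-stripping filter
// is weaker than escaping. The filters below are deliberately naive, in the
// style the article warns against.

// Filter 1: a single-pass regex that removes literal <script> tags.
function stripScriptTags(input) {
  return input.replace(/<\/?script>/g, '');
}

// Filter 2: the same idea, case-insensitive and tolerant of whitespace and
// attributes inside the tag.
function stripScriptTagsLoose(input) {
  return input.replace(/<\s*\/?\s*script\b[^>]*>/gi, '');
}

// Filter 3: apply a filter repeatedly until nothing changes, which closes
// the "nested tag" hole but not the event-handler one.
function stripUntilStable(input, filter) {
  let previous;
  let current = input;
  do {
    previous = current;
    current = filter(previous);
  } while (current !== previous);
  return current;
}

// A crude oracle for whether something executable survived: a script
// element, an inline event handler, or a javascript: URL.
const EXECUTABLE = /<\s*script\b|\bon[a-z]+\s*=|javascript\s*:/i;
function stillExecutable(markup) {
  return EXECUTABLE.test(markup);
}

// Constructed sample payloads (assumed inputs, not taken from the page).
const PAYLOADS = {
  plain:     '<script>alert(1)</script>',
  upperCase: '<SCRIPT>alert(1)</SCRIPT>',
  nested:    '<scr<script>ipt>alert(1)</scr</script>ipt>',
  lineBreak: '<script\n>alert(1)</script\n>',
  handler:   '<img src=x onerror=alert(1)>',
};

// Runs every payload through each filter and reports, per filter and
// payload, whether executable content is still present afterwards.
function evaluateFilters() {
  const filters = {
    strict: stripScriptTags,
    loose: stripScriptTagsLoose,
    looseStable: (s) => stripUntilStable(s, stripScriptTagsLoose),
  };
  const report = {};
  for (const [fname, filter] of Object.entries(filters)) {
    report[fname] = {};
    for (const [pname, payload] of Object.entries(PAYLOADS)) {
      report[fname][pname] = stillExecutable(filter(payload));
    }
  }
  return report;
}

console.table(evaluateFilters());
```

In the report, `true` means the payload still carries executable content after filtering. The `nested` row is the instructive one: the strict filter removes the inner `<script>` and `</script>` and leaves exactly `<script>alert(1)</script>` behind, and the `handler` row stays `true` for every filter because nothing in the denylist matches it.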

    Many libraries exist to choose from, and your choice will primarily depend on the backend technology that your web server uses. What is important is that you choose a library that is regularly maintained by a reliable source. XSS techniques keep changing and new ones emerge all the time, so your filters will need to be updated periodically to keep abreast of the changing attacks.

    If you are using Java, then a good place to go is XSS Protect, a project hosted on Google Code. It claims to filter all known XSS attacks from HTML code. PHP boasts a more comprehensive library called HTML Purifier, which is licensed as open source and can be customised depending on your needs. HTML Purifier also boasts strict standards compliance and better features than other filters.

    Another interesting library you can use is HTML Markdown, which converts text from your users into standard and clean XHTML. This gives the advantage that minimal HTML markup can exist in your users' input (such as bold, underline and colours). HTML Markdown is a Perl library and does not explicitly advertise XSS prevention features, so it probably should not be your only line of defence.

    The side-effect of these filtering techniques is that legitimate text is often removed because it hits one or more of the forbidden keywords. For example, I would not be able to publish this article if the blogging software I used was filtering out all my HTML tags. I would not be able to write things like <script> and alert('you have been hacked') as these would be filtered out and you would not see them. If you want to preserve the original data (and its formatting) as well as possible, you would need to relax your filters and employ HTML, script and CSS escaping techniques, all of which I explain in the next section.

    Escaping from XSS

    This is the primary means of disabling an XSS attack. When performing escaping you are effectively telling the browser that the data you are sending should be treated as data and should not be interpreted in any other way. If an attacker manages to put a script on your page, the victim will not be affected because the browser will not execute the script if it is properly escaped.

    Escaping has been used to construct this article. I have managed to bring many scripts into your browser, but none of them has executed! The technique used to do that is called escaping, or as the W3C calls it, character escaping.

    In HTML you can escape dangerous characters by using the sequence &# followed by the character's decimal code and a closing semicolon (a numeric character reference). An escaped < character looks like this: &#60; and the > character is escaped like this: &#62;. Below is a list of common escape codes for HTML:

    " ---> &#34;
    # ---> &#35;
    & ---> &#38;
    ' ---> &#39;
    ( ---> &#40;
    ) ---> &#41;
    / ---> &#47;
    ; ---> &#59;
    < ---> &#60;
    > ---> &#62;

    Escaping HTML is fairly easy; however, in order to properly protect yourself from all XSS attacks you also need to escape JavaScript, Cascading Style Sheets and sometimes XML data, each according to the rules of its own context. There are also many pitfalls if you try to do all the escaping yourself. This is where an escaping library comes in useful.

    The two most popular escaping libraries available are ESAPI, provided by OWASP, and AntiXSS, provided by Microsoft. ESAPI can plug into various technologies such as Java, .NET, PHP, Classic ASP, ColdFusion, Python and Haskell. AntiXSS exclusively protects Microsoft technologies and is therefore better suited to an all-Microsoft environment. Both libraries are regularly updated to keep up with the latest attacker techniques and are maintained by industry experts who understand changing tactics and emerging technologies such as HTML5.

    When to Escape

    You cannot simply escape everything, or else your own scripts and HTML markup will not work, rendering your page useless. Escape at the point where untrusted data is written into the output, and choose the escaping rule for the context it lands in.

    There are several places on your web page which you need to ensure are properly escaped. You can use your own escaping functions (not recommended) or you can use the existing ESAPI and AntiXSS libraries.


    Use HTML Escaping when

    Untrusted data is inserted between HTML opening and closing tags. These are the standard tags that make up the body of the page. For example:

    IF THIS DATA IS UNTRUSTED IT MUST BE HTML ESCAPED

    Use JavaScript Escaping when

    Untrusted data is inserted inside one of your scripts, or in a place where JavaScript can be present. This includes all event handler attributes such as ONMOUSEOVER and ONLOAD; the STYLE attribute likewise needs escaping, but according to the rules of its own (CSS) context. For example:

    alert('IF THIS DATA IS UNTRUSTED IT MUST BE JAVASCRIPT ESCAPED')
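The following added example (not code from the article, and not the ESAPI or AntiXSS implementation; the function names and sample inputs are assumptions made for this illustration) implements the two escaping rules just described in JavaScript and shows why the rule has to match the context. A value that is only HTML-escaped and then placed inside an inline event handler is decoded back to the raw input by the browser before the JavaScript engine sees it, so it still breaks out of the string literal; a value that is JavaScript-escaped first survives that decoding intact.

```javascript
// Added example (not code from the article): escaping one untrusted value
// for the HTML text context and for the JavaScript string-literal context,
// including the inline event-handler case where both rules apply in order.

// Numeric character references for the characters that carry meaning in an
// HTML text or quoted-attribute context (the article's escape table).
const HTML_ESCAPES = {
  '&': '&#38;', '<': '&#60;', '>': '&#62;',
  '"': '&#34;', "'": '&#39;', '/': '&#47;',
};

// HTML escaping: use when untrusted data lands between tags or inside a
// quoted attribute value.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"'/]/g, (c) => HTML_ESCAPES[c]);
}

// JavaScript escaping: use when untrusted data lands inside a JavaScript
// string literal. Every character outside [A-Za-z0-9] becomes \xHH or
// \uHHHH, so the output contains no quote, backslash, angle bracket,
// ampersand or line terminator and cannot end the literal, the <script>
// element, or an attribute value.
function escapeJsString(untrusted) {
  return String(untrusted).replace(/[^A-Za-z0-9]/g, (c) => {
    const code = c.charCodeAt(0);
    return code < 0x100
      ? '\\x' + code.toString(16).padStart(2, '0')
      : '\\u' + code.toString(16).padStart(4, '0');
  });
}

// Emulates the one transformation a browser applies to an attribute value
// before the JavaScript engine sees it: HTML character references are
// decoded. This is why HTML escaping alone is the wrong tool for an inline
// handler such as onclick="greet('...')".
function decodeNumericEntities(s) {
  return s.replace(/&#(\d+);/g, (_, n) => String.fromCharCode(Number(n)));
}

// What the JavaScript engine receives for an inline handler whose attribute
// value was produced by a given escaping strategy.
function handlerSees(attributeValue) {
  return decodeNumericEntities(attributeValue);
}

// True when the value, as the JavaScript engine sees it, can no longer close
// a quoted string literal with a quote or line terminator, or open a tag.
function cannotBreakOut(attributeValue) {
  return !/['"<>\n\r]/.test(handlerSees(attributeValue));
}

// Builds a fragment that places one untrusted value in three places: HTML
// body text, a string literal inside <script>, and a string literal inside
// an inline event handler. The handler value is JavaScript-escaped first and
// then HTML-escaped, matching the order in which the browser decodes it.
function renderGreeting(name) {
  const js = escapeJsString(name);
  return [
    `<p>Hello, ${escapeHtml(name)}</p>`,
    `<script>var user = '${js}';</script>`,
    `<button onclick="greet('${escapeHtml(js)}')">Greet</button>`,
  ].join('\n');
}

// Constructed attack string (an assumption, not taken from the page). It
// contains no angle brackets, so a filter looking for <script> would pass it.
const BREAKOUT = "'); alert(1); //";

// Compares the two strategies for the event-handler context.
function compareHandlerStrategies(input = BREAKOUT) {
  return {
    htmlOnly: cannotBreakOut(escapeHtml(input)),
    jsThenHtml: cannotBreakOut(escapeHtml(escapeJsString(input))),
  };
}

console.log(renderGreeting(BREAKOUT));
console.log(compareHandlerStrategies());
```

`compareHandlerStrategies()` reports `htmlOnly: false` and `jsThenHtml: true`: after the browser decodes `&#39;` back to a quote, the HTML-only version of the handler reads `greet(''); alert(1); //')`, whereas the JavaScript-escaped version contains only `\xHH` sequences and letters, which HTML escaping leaves untouched and which the engine turns back into plain characters inside the string.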


    [Diagram: a visual representation of the internet boundary and where filtering and escaping must happen to ensure XSS protection.]

    XSS Attacks are a moving target

    In this article I have attempted to collect the recommendations and best practices used by security researchers worldwide. The recommendations set out here are by no means exhaustive, but they should be a good starting point for your XSS defence efforts.

    Technology is changing and attacks are getting more sophisticated, but by understanding the basics set out in this article you will be better prepared for the new attack techniques that will certainly arise.

    The first step in defending against XSS attacks is to code your web applications carefully and use the proper escaping mechanism in each output context. After that, comprehensive testing should be performed, ideally using an automated XSS scanner. When updates are made to your web applications, scan the affected pages again to ensure that no new vulnerabilities have been introduced.


    2 Comments

    mck says:
    April 12, 2011 at 1:30 pm
    There's another open sourced library to do this called XSS-HTML-FILTER at http://xss-html-filter.sf.net
    Norway's second largest website describes how they use it here http://tech.finn.no/2011/04/08/xss-protection-whos-responsibility/

    Sobre prevención de Cross Site Scripting (On preventing Cross Site Scripting) - Mbpfernand0's Blog says:
    May 19, 2011 at 4:35 pm
    [...] in security, Tagged tips, Cross, development, Scripting, security, site, XSS. In Preventing XSS Attacks, a general article on the topic. They recommend a project hosted on Google Code: If you are [...]

    Cross Site Scripting Attack

    What is Cross Site Scripting?

    Hackers are constantly experimenting with a wide repertoire of hacking techniques to compromise websites and web applications and make off with a treasure trove of sensitive data including credit card numbers, social security numbers and even medical records.

    Cross Site Scripting (also known as XSS or CSS) is generally believed to be one of the most common application layer hacking techniques.

    The pie chart below, created from the Web Hacking Incident Database for 2011 (WHID), clearly shows that whilst many different attack methods exist, SQL injection and XSS are the most popular. To add to this, many other attack methods, such as Information Disclosure, Content Spoofing and Stolen Credentials, can all be side effects of an XSS attack.


    In general, cross-site scripting refers to the hacking technique that leverages vulnerabilities in the code of a web application to allow an attacker to deliver malicious content to an end user and collect some type of data from the victim.

    Today, websites rely heavily on complex web applications to deliver different output or content to a wide variety of users according to set preferences and specific needs. This arms organizations with the ability to provide better value to their customers and prospects. However, dynamic websites can suffer from serious vulnerabilities that leave organizations exposed to cross site scripting attacks on their data.

    "A web page contains both text and HTML markup that is generated by the server and interpreted by the client browser. Web sites that generate only static pages are able to have full control over how the browser interprets these pages. Web sites that generate dynamic pages do not have complete control over how their outputs are interpreted by the client. The heart of the issue is that if mistrusted content can be introduced into a dynamic page, neither the web site nor the client has enough information to recognize that this has happened and take protective actions." (CERT Coordination Center)

    Cross Site Scripting allows an attacker to embed malicious JavaScript, VBScript, ActiveX, HTML, or Flash into a vulnerable dynamic page in order to fool the user and execute the script on the user's machine to gather data. The use of XSS might compromise private information, manipulate or steal cookies, create requests that can be mistaken for those of a valid user, or execute malicious code on the end-user's system. The data is usually formatted as a hyperlink containing malicious content and is distributed by any possible means on the internet.

    The attacker can formulate a custom-crafted XSS URL simply by using a browser to test how the dynamic website responds to its parameters. The attacker also needs to know some HTML, JavaScript and a dynamic language in order to produce a URL that is not too suspicious-looking.

    Any web page that echoes request parameters or stored data back into its output without escaping can be vulnerable to this technique. Commonly affected pages include search forms, login forms and "forgot password" forms.

    N.B. Cross Site Scripting is often abbreviated as CSS as well as XSS, which can be confused with Cascading Style Sheets (CSS).

    The Theory of XSS

    In a typical XSS attack the hacker infects a legitimate web page with his malicious client-side script. When a user visits this web page the script is downloaded to his browser and executed. There are many slight variations on this theme, but all XSS attacks follow this pattern, which is depicted in the diagram below.

    As a web developer you are putting measures in place to secure the first step of the attack: you want to prevent the hacker from injecting his malicious script into your innocent web page. There are various ways to do that, and this article goes into some technical detail on the most important techniques you must use to disable this sort of attack against your users.

    XSS Attack Vectors

    So how does a hacker infect your web page in the first place? You might think that for an attacker to make changes to your web page he must first break the security of the web server and be able to upload and modify files on that server. Unfortunately for you, an XSS attack is much easier than that.

    Internet applications today are not static HTML pages. They are dynamic and filled with ever-changing content. Modern web pages pull data from many different sources. This data is amalgamated with your own web page and can contain simple text or images, and can also contain HTML tags such as <p> for paragraph, <img> for image and <script> for scripts. Many times the hacker will use the comments feature of your web page to insert a comment that contains a script. Every user who views that comment will download the script, which will execute in his browser, causing undesirable behaviour. Something as simple as a post on your Facebook wall can contain a malicious script which, if not filtered by the Facebook servers, will be injected into your wall and execute in the browser of every person who visits your profile.

    By now you should be aware that any data that can land on your web page from an external source has the potential of carrying a malicious script, but in what form does the data come?

    The <script> tag is the most popular way and sometimes the easiest to detect. It can arrive on your page in the following forms:

    External script:

    Embedded script: alert('XSS');

    The <body> tag can contain an embedded script by using the ONLOAD event. The BACKGROUND attribute can be similarly exploited.

    Some browsers will execute a script when found in the <img> tag. There are some variations of this that work in some browsers.

    The <iframe> tag allows you to import HTML into a page. This imported HTML can contain a script.

    If the TYPE attribute of the <input> tag is set to IMAGE, it can be manipulated to embed a script.

    The <link> tag, which is often used to link to external style sheets, could contain a script.

    The BACKGROUND attribute of the <table> tag can be exploited to refer to a script instead of an image. The same applies to the <td> tag, used to separate cells inside a table.

    The <div> tag, similar to the <table> and <td> tags, can also specify a background and therefore embed a script.

    The STYLE attribute can also be manipulated to carry a script.

    The <object> tag can be used to pull in a script from an external site.

    If the hacker places a malicious script inside a Flash file, it can be injected through the <embed> tag.

    Is your site vulnerable to Cross Site Scripting?

    Our experience leads us to conclude that the cross-site scripting vulnerability is one of the most widespread flaws on the Internet and will occur anywhere a web application uses input from a user in the output it generates without validating or escaping it. Our own research shows that over a third of the organizations applying for our free audit service are vulnerable to Cross Site Scripting, and the trend is upward.

    Example of a Cross Site Scripting Attack

    As a simple example, imagine a search engine site which is open to an XSS attack. The query screen of the search engine is a simple single-field form with a submit button, whereas the results page displays both the matched results and the text you searched for:

    Search Results for "XSS Vulnerability"

    To allow pages to be bookmarked, search engines generally leave the entered variables in the URL. In this case the URL would look like:

    http://test.searchengine.com/search.php?q=XSS%20Vulnerability

    Next we try to send the following query to the search engine:

    <script>alert('This is an XSS Vulnerability')</script>

    By submitting the query to search.php, it is URL-encoded and the resulting URL would be something like:

    http://test.searchengine.com/search.php?q=%3Cscript%3Ealert%28%91This%20is%20an%20XSS%20Vulnerability%92%29%3C%2Fscript%3E

    Upon loading the results page, the test search engine would probably display no results for the search, but it will display a JavaScript alert which was injected into the page through the XSS vulnerability: the server echoed the q parameter straight into the results heading without escaping it.

    How to Check for Cross Site Scripting Vulnerabilities

    To check for Cross Site Scripting vulnerabilities, use a Web Vulnerability Scanner. A Web Vulnerability Scanner crawls your entire website and automatically checks for Cross Site Scripting vulnerabilities. It will indicate which URLs/scripts are vulnerable to these attacks so that you can fix the vulnerability easily. Besides Cross Site Scripting vulnerabilities, a web application scanner will also check for SQL injection and other web vulnerabilities.

    Acunetix Web Vulnerability Scanner scans for SQL injection, Cross Site Scripting, Google hacking and many more vulnerabilities.
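As an added example, not from the article and not Acunetix's scanner code, here is the reflection check that a scanner automates for the search-engine scenario above, run against an in-process stand-in for search.php so that it needs no network (the vulnerable and fixed renderers, the marker string and the request URL are all constructed for this illustration). One caveat on the article's URL: it encodes the quotes around the alert text as %91 and %92, which are the Windows-1252 bytes for curly quotation marks and would not be accepted as JavaScript string delimiters; the URL below uses %27, the encoding of an ASCII apostrophe, which is what a real attacker would send.

```javascript
// Added example, not from the original article: a reflected-XSS check of the
// kind a scanner performs, run here against an in-process stand-in for the
// article's search.php page.

// Parses the query string the way search.php would see it; URLSearchParams
// decodes %XX sequences and treats '+' as a space.
function parseQuery(url) {
  return new URL(url).searchParams;
}

// The vulnerable results page: echoes q straight into the markup.
function renderResultsVulnerable(q) {
  return `<h2>Search Results for "${q}"</h2>\n<p>No results found.</p>`;
}

// The fixed results page: every character that could start or end markup is
// replaced with a numeric character reference before it is echoed.
function renderResultsFixed(q) {
  const safe = q.replace(/[&<>"']/g, (c) => `&#${c.charCodeAt(0)};`);
  return `<h2>Search Results for "${safe}"</h2>\n<p>No results found.</p>`;
}

// Two-stage probe. Stage 1 sends a harmless unique marker and confirms the
// parameter is reflected at all. Stage 2 wraps the marker in a tag and
// reports whether the tag survives into the page unencoded, which is the
// condition for a reflected XSS vulnerability. No alert() is needed: if
// '<marker>' comes back verbatim, '<script>' would too.
function probeReflectedXss(render, marker = 'xss7f3a') {
  const reflected = render(marker).includes(marker);
  if (!reflected) return { reflected: false, vulnerable: false };
  const tagged = `<${marker}>`;
  const page = render(tagged);
  return { reflected: true, vulnerable: page.includes(tagged) };
}

// Takes a full request URL, extracts q and renders the results page with the
// given renderer, standing in for the HTTP round trip.
function handleRequest(url, render) {
  return render(parseQuery(url).get('q') || '');
}

// Constructed request URL following the article's example, with the quotes
// encoded as %27 (ASCII apostrophe).
const ATTACK_URL =
  'http://test.searchengine.com/search.php?q=%3Cscript%3Ealert%28%27This%20is%20an%20XSS%20Vulnerability%27%29%3C%2Fscript%3E';

console.log(handleRequest(ATTACK_URL, renderResultsVulnerable));
console.log(handleRequest(ATTACK_URL, renderResultsFixed));
console.log('vulnerable page:', probeReflectedXss(renderResultsVulnerable));
console.log('fixed page:     ', probeReflectedXss(renderResultsFixed));
```

The probe reports `{ reflected: true, vulnerable: true }` for the vulnerable renderer and `{ reflected: true, vulnerable: false }` for the fixed one: both pages echo the search text, which is what the feature requires, but only the fixed page turns `<xss7f3a>` into `&#60;xss7f3a&#62;`, so the reflection is harmless there. Rescanning after every change, as the article recommends, amounts to re-running this check on every parameter of every affected page.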

    Preventing Cross Site Scripting Attacks

    The purpose of this article is to define Cross Site Scripting attacks and give some practical examples. Preventing XSS attacks requires diligence on the part of the programmers and the necessary security testing. You can learn more about preventing cross-site scripting attacks at http://www.acunetix.com/blog/web-security-zone/articles/preventing-xss-attacks/.

    Scanning for XSS Vulnerabilities with Acunetix Web Vulnerability Scanner Free Edition

    To check whether your website has cross site scripting vulnerabilities, download the Free Edition from http://www.acunetix.com/cross-site-scripting/scanner.htm. This version will scan any website / web application for XSS vulnerabilities and it will also reveal the essential information related to each finding, such as the vulnerability location and remediation techniques. Scanning for XSS is normally a quick exercise (depending on the size of the web site).
