Hello dear readers,
Published statistics keep ranking Cross-Site Scripting (XSS) as the number one attack against exploitable vulnerabilities in web sites.
Are you aware of how to mitigate it? Is there a silver bullet?
An old song* from the 80s gives us a clue (replace "house" with "web site"):
"It's build a house where we can stay
Add a new bit everyday
It's build a road for us to cross
Build us lots and lots and lots and lots and lots"
Thinking from the attacker's perspective: a web site that adds a 'new bit everyday' adds a potential vulnerability every day if threat modeling was not taken into consideration.
Below are some suggested ways to mitigate Cross-Site Scripting (XSS) attacks. You will need to research the details before applying them.
1) The DO and DO NOT:
DO:
- Take advantage of ASP.NET's RequestValidation
- Take advantage of ASP.NET's ViewStateUserKey
- Consider IOSec for data encoding
- Use the HttpOnly cookie option (script cannot read the cookie, so a successful injection cannot steal it)
- Use the <frame> security attribute (Internet Explorer only; it is not honoured by other browsers)
DO NOT:
- Trust user input (remember the human factor)
- Echo client-supplied data without encoding it
- Store secret information in cookies
2) Input validation
- First line of defense: it can eliminate many possible vulnerabilities, but it does not necessarily eliminate all of them. Legitimate input often contains characters that are dangerous in some output context (an apostrophe in O'Brien, for example), so validation cannot be the only guard.
3) Output encoding
- By encoding user-supplied data at display time, we ensure that the client browser interprets it literally rather than as markup or script. The encoding must match the output context: element content, attribute value, JavaScript string and URL each need a different encoder.
4) Platform features
- RequestValidation property (rejects requests whose fields contain markup-like input)
- ViewStateUserKey property (ties the page's view state to the current user, so a captured view state cannot be replayed against another user)
5) Server.HtmlEncode() doesn't always protect your application
- It only encodes < > & ", so a value placed inside a single-quoted attribute, a JavaScript string or a URL can still break out of its context.
6) Use IOSec (properly implemented), choosing the encoder for the output context:
- EncodeHtml() for element content
- EncodeHtmlAttribute() for attribute values
- EncodeVbs() for VBScript strings
- EncodeJs() for JavaScript strings
- AsUrl() for URL values
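As an added example (not code from the original post, and not the IOSec library's implementation), here is a JavaScript sketch that covers items 2, 3, 5 and 6 above: a whitelist validator, an encoder that behaves as the post describes Server.HtmlEncode() (only < > & " are touched), and context-specific encoders whose names mirror the post's list. The sample inputs, the two single-quoted templates, the breakout check and every encoder body are my own constructions for illustration.

```javascript
"use strict";
// Added example (not from the original post, and not the code of IOSec or any
// Microsoft library). It contrasts an HtmlEncode-style encoder that only
// touches < > & " with context-specific encoders, and shows why whitelist
// validation alone is not enough. The encoder names mirror the post's list
// (EncodeHtml, EncodeHtmlAttribute, EncodeJs, AsUrl); the bodies are mine.

// 2) Input validation: first line of defense. A display-name whitelist must
//    still admit legitimate apostrophes (O'Brien), so it cannot be the only guard.
const DISPLAY_NAME = /^[A-Za-z][A-Za-z' .-]{0,63}$/;
function isValidDisplayName(s) {
  return DISPLAY_NAME.test(String(s));
}

// 5) What the post says Server.HtmlEncode() does: encode only < > & ".
function htmlEncodeLegacy(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;" };
  return String(s).replace(/[&<>"]/g, (c) => map[c]);
}

// 6) Context-specific encoders.
// Element content: the four characters above plus the apostrophe and slash.
function encodeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;",
                "'": "&#39;", "/": "&#47;" };
  return String(s).replace(/[&<>"'\/]/g, (c) => map[c]);
}
// Attribute value: every character outside [A-Za-z0-9] becomes a numeric
// entity, so the value can never terminate a single- or double-quoted attribute.
function encodeHtmlAttribute(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, (c) => `&#${c.charCodeAt(0)};`);
}
// JavaScript string literal: \xHH or \uHHHH escapes, so the value cannot
// close the quote, inject a line terminator (U+2028), or spell "</script>".
function encodeJs(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, (c) => {
    const code = c.charCodeAt(0);
    return code < 0x100
      ? "\\x" + code.toString(16).padStart(2, "0")
      : "\\u" + code.toString(16).padStart(4, "0");
  });
}
// URL query value: percent-encoding. This is for a value inside a query string;
// it does not make an attacker-chosen scheme such as javascript: safe.
function asUrl(s) {
  return encodeURIComponent(String(s));
}

// Two server templates, one per output context, parameterised by the encoder.
function renderAttr(value, enc) {
  return `<input value='${enc(value)}'>`;
}
function renderScript(value, enc) {
  return `<script>var who = '${enc(value)}';</script>`;
}
// A single-quoted attribute or JS string is broken out of if the encoded
// value still carries a raw apostrophe.
function breaksSingleQuote(encoded) {
  return encoded.includes("'");
}

// Constructed inputs: one legitimate name and two attack payloads.
const LEGIT = "O'Brien";
const ATTR_PAYLOAD = "' onfocus='alert(1)' autofocus='";
const JS_PAYLOAD = "'; alert(1); //";

function demo() {
  return {
    // validation rejects the payloads but must accept the apostrophe in O'Brien
    validationStopsAttrPayload: !isValidDisplayName(ATTR_PAYLOAD),
    validationStopsJsPayload: !isValidDisplayName(JS_PAYLOAD),
    validationAcceptsLegit: isValidDisplayName(LEGIT),
    // the < > & " encoder leaves the apostrophe alone: breakout in both contexts
    legacyAttr: renderAttr(ATTR_PAYLOAD, htmlEncodeLegacy),
    legacyAttrBreaksOut: breaksSingleQuote(htmlEncodeLegacy(ATTR_PAYLOAD)),
    legacyScriptBreaksOut: breaksSingleQuote(htmlEncodeLegacy(JS_PAYLOAD)),
    // even the legitimate, validated value corrupts a single-quoted attribute
    legacyLegitBreaksOut: breaksSingleQuote(htmlEncodeLegacy(LEGIT)),
    // the context-matched encoders keep the value inside its delimiters
    attrEncoderSafe: !breaksSingleQuote(encodeHtmlAttribute(ATTR_PAYLOAD)),
    jsEncoderSafe: !breaksSingleQuote(encodeJs(JS_PAYLOAD)),
    safeScript: renderScript(JS_PAYLOAD, encodeJs),
  };
}

console.log(demo());
```

Run it with node. The legitimate name passes validation yet still corrupts a single-quoted attribute under the < > & " encoder, which is the practical reason encoding has to be applied per output context regardless of how strict validation is.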
A "new bit everyday" makes the race against attacks ever more challenging. XSS attacks are still at the top. The above are just a few suggestions; there is no silver bullet.
Anyone concerned about XSS attacks must 'add a brick everyday', trying to protect the 'road for them to cross'.
Do you want to dig deeper into this subject? Some good sources to visit:
- Uncover Security Design Flaws Using The STRIDE Approach
Regards,
Marins
P.S.: *Quotation from song: "Build" by The Housemartins.