Web Security 07 — XSS Protection
1. Intro What is XSS
Cross-site scripting, abbreviated to “XSS”, is a way attackers can take over webpages. One may wonder the abbreviation should be “CSS”, but CSS is actually Cascaded Style Sheet.
The goal of an XSS attack is to gain control of JavaScript in the victim’s browser. Once a hacker has done that, there’s a lot of nasty stuff they can do: log your actions, impersonate you, steal your authentication cookies, and much more. XSS attacks can generally be categorized into two categories: stored and reflected.
Stored XSS Attacks
Stored attacks are those where the injected script is permanently stored on the target servers, such as in a database, in a message forum, visitor log, comment field, etc. The victim then retrieves the malicious script from the server when it requests the stored information. Stored XSS is also sometimes referred to as Persistent or Type-I XSS.
Reflected XSS Attacks
Reflected attacks are those where the injected script is reflected off the web server, such as in an error message, search result, or any other response that includes some or all of the input sent to the server as part of the request. Reflected attacks are delivered to victims via another route, such as in an e-mail message, or on some other website. When a user is tricked into clicking on a malicious link, submitting a specially crafted form, or even just browsing to a malicious site, the injected code travels to the vulnerable web site, which reflects the attack back to the user’s browser. The browser then executes the code because it came from a “trusted” server. Reflected XSS is also sometimes referred to as Non-Persistent or Type-II XSS.
- Web Security 01 — Prepare
- Web Security 02 — Referrer
- Web Security 03 — X Powered By / Server
- Web Security 05 — X-Frame-Options
- Web Security 06 — CSP (Content Security Policy)
- Web Security 07 — XSS Protection
- Web Security 08 — Sniff
- Web Security 10 — CSRF
- Web Security 11 — CORS
- Web Security 12 — SQL Injection
2. Sample
This section, we will give a sample of reflected XSS Attacks. Since we have a blog system, sometimes a user has to search for some blogs. But suppose that we allow users to input anything without filtering.
This is the search page search_result.html :
To demo the X-XSS-Protection flag, we will send client the raw content, instead of a file (For static files, express will send file directly). And this isindex.js :
Now let’s start our website:
npm i
npm start
Scripts can be executed.
3. How to fix
The HTTP X-XSS-Protection response header is a feature of Internet Explorer, Chrome and Safari that stops pages from loading when they detect reflected cross-site scripting (XSS) attacks. Although these protections are largely unnecessary in modern browsers when sites implement a strong Content-Security-Policy that disables the use of inline JavaScript (‘unsafe-inline’), they can still provide protections for users of older web browsers that don’t yet support CSP.
X-XSS-Protection Header can be set as following 4 types:
0
1
1; mode=block
1; report=<reporting-uri>Let’s do a little modification to our indexSafe.js :
app.use(helmet.xssFilter());And start our safe website:
npm run-script startSafe
According to MDN, this should works in Chrome, but somehow it doesn’t. So the gif shows it only works in Safari. However, X-XSS-Protection header is set correctly:
What is this place? Yanhu, Nanjing, Jiangsu, China
