Cross-Site Scripting ( XSS )

Nilay
4 min read · Mar 17, 2023


Hello There,

Thank you for taking the time to read the write-up! I appreciate it!

Today’s content is on understanding ‘Cross-Site Scripting (XSS)’.

The content is completely based on my personal experiences & knowledge, interactions with incredible people in the App Sec and Software Development space, and a lot of reading and secure coding.

In this article, I’ll try to simplify the content down to the basics. I’m sure that readers will have their own thoughts and comments, and I welcome any feedback & discussion.

Views / Comments / Opinions are my own and not of my past / current employer.

Let’s learn together!

What is XSS?

In simple words, XSS is a type of application security vulnerability that allows an attacker to inject malicious code in a web page.

This malicious code executes within the context of the victim’s browser, allowing the attacker to hijack the victim’s session and also to steal data.

Different types of XSS:

Stored (Persistent) XSS: In stored XSS, the malicious script is saved on the server permanently. This means the attacker must first find a vulnerability in the website that allows them to inject a malicious script. When a victim later requests the stored content, the script injected by the attacker is retrieved from the server and executed in the victim’s browser.

Reflected XSS: In reflected XSS, an attacker sends malicious code / script to a website, which reflects it straight back into the victim’s browser. This means the HTTP response contains the exact same data (neither validated nor encoded) that the application received in the HTTP request.

DOM (Client-Side) XSS: In DOM XSS, an attacker inserts malicious code / script that alters the DOM of the web page inside the victim’s browser.

How to fix XSS:

Now, every parameter and variable in a webpage needs to be secured.

The key point: every parameter must go through input validation and output encoding (sanitizing), with the encoding chosen according to the context the data is written into.

Below I list various ways to perform output encoding, per language and framework:
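Before the per-language lists, here is an added example (not from the original post) in plain JavaScript: three small encoders modelled on the context-specific methods the post goes on to name (HTML body, HTML attribute, JavaScript string), applied to a constructed search page that reflects a query term. The function names, the sample term and the page markup are all assumptions for illustration, not a real library’s API.

```javascript
// Added example (not from the original post): minimal context-aware output
// encoders modelled on the AntiXssEncoder / ESAPI methods named in this post,
// used to render a constructed "search results" page that echoes user input.

// HTML body context: neutralise the five characters that can alter markup.
const HTML_ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
function encodeForHTML(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ENTITIES[c]);
}

// HTML attribute context: encode everything except alphanumerics, so the value
// cannot close the quoted attribute or introduce a new one (e.g. onerror=).
function encodeForHTMLAttribute(s) {
  return String(s).replace(/[^A-Za-z0-9]/g,
    (c) => `&#x${c.charCodeAt(0).toString(16).toUpperCase()};`);
}

// JavaScript string-literal context: \xHH / \uHHHH escapes for everything that
// is not alphanumeric, including "/" so the data can never contain a literal
// "</script>" that would end the enclosing <script> element.
function encodeForJavaScript(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, (c) => {
    const code = c.charCodeAt(0);
    return code < 0x100
      ? `\\x${code.toString(16).padStart(2, "0")}`
      : `\\u${code.toString(16).padStart(4, "0")}`;
  });
}

// Vulnerable form: the term is interpolated as-is (reflected XSS).
function renderUnsafe(term) {
  return `<p>Results for: ${term}</p>\n<input name="q" value="${term}">`;
}

// Hardened form: each occurrence is encoded for the context it lands in.
function renderSafe(term) {
  return [
    `<p>Results for: ${encodeForHTML(term)}</p>`,
    `<input name="q" value="${encodeForHTMLAttribute(term)}">`,
    `<script>var lastQuery = "${encodeForJavaScript(term)}";</script>`,
  ].join("\n");
}

// Constructed sample input that tries to break out of all three contexts.
const SAMPLE_TERM = '"><script>alert(1)</script>';
console.log(renderSafe(SAMPLE_TERM));
```

The hardened page still contains exactly one `<script>` element (its own), because the encoded term cannot open or close another one in any of the three contexts.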

Dot Net

AntiXssEncoder — https://learn.microsoft.com/en-us/dotnet/api/system.web.security.antixss.antixssencoder?view=netframework-4.8

Namespace: System.Web.Security.AntiXss

Assembly: System.Web.dll

Class: AntiXssEncoder

using System.Web.Security.AntiXss;

....
// Untrusted input that carries a script payload.
string inputStr = "<script>alert('a test xss attack script');</script>";
// Encode for the HTML body context; false = do not use HTML 4.0 named entities.
string encodedInput = AntiXssEncoder.HtmlEncode(inputStr, false);
....

In the above example, inputStr contains one of the many malicious scripts used in an XSS attack. The HtmlEncode method encodes the string so that it is safe to write out into a web page. Notice that the second parameter of HtmlEncode() is set to false: this tells the encoder not to use HTML 4.0 named entities. If you want the output encoded with HTML 4.0 named entities, set it to true.

AntiXssEncoder has other important methods for encoding according to the context of the value. I won’t go into their details, but will list a couple of them here:

CssEncode() — Encodes the specified string for use in cascading style sheets (CSS)

using System.Web.Security.AntiXss;
...
string inputCss = "inside a css attribute value: url('" + "https://example.com?param=" + "value" + "')";
string encodedInput = AntiXssEncoder.CssEncode(inputCss);
...

HtmlAttributeEncode() — Encodes and outputs the specified string for use in an HTML attribute.

using System.Web.Security.AntiXss;
...
string input = "Inside an HTML attribute: href=\"" + "https://example.com?param=" + "value" + "\"";
string encodedInput = AntiXssEncoder.HtmlAttributeEncode(input);
...

Java

Utilize ESAPI’s Encoder()

Link : https://www.javadoc.io/doc/org.owasp.esapi/esapi/latest/org/owasp/esapi/Encoder.html

import org.owasp.esapi.ESAPI;
import org.owasp.esapi.Encoder;
...
String input = "<script>alert('XSS');</script>";
Encoder encoder = ESAPI.encoder();
String encodedInput = encoder.encodeForHTML(input);
...

ESAPI’s Encoder has other important methods for encoding according to the context of the value. I won’t go into their details, but will list a couple of them here:

encodeForHTMLAttribute() — Encode data for use in HTML attributes.

encodeForJavaScript() — Encode data for insertion inside a data value or function argument in JavaScript

encodeForXMLAttribute() — Encode data for use in an XML attribute

Output Encoding in Javascript

Never use innerHTML. innerHTML is a DOM property used to set or retrieve the HTML content of an element. It is dangerous because it parses and renders its value as HTML markup, not as text.

Instead of innerHTML, use the textContent property:

<!DOCTYPE html>
<html>
<head>
<title>textContentExample</title>
</head>
<body>
<div id="exampleTextContent"></div>
<script>
// Assume this user input comes from an untrusted source, like a form.
// The closing tag is written as "<\/script>" so the HTML parser does not
// treat it as the end of this inline script element.
const userInput = '<script>alert("XSS attack!");<\/script>';
// Select by id ("#" prefix); querySelector("exampleTextContent") would
// match nothing and leave div null.
const div = document.querySelector("#exampleTextContent");
div.textContent = userInput;
</script>
</body>
</html>

Note: In the above example, any script tags in the user input will be treated as plain text, and will not be executed as scripts when the page is rendered.

JSTL (*.jsp): In JSTL, you can use the <c:out> tag to escape output and prevent XSS; its escapeXml attribute defaults to true, so the value below is written out HTML-escaped.

<c:out value="${userInput}" />

Bookmark this page, as I will keep updating the code samples.

In my next post, I will touch upon XXE Injection.

Comments / feedback are always welcome, as I am always looking to improve the content and get better at it.

Source write-up: My own experience in App Sec, paraphrasing the content from multiple online websites, Open AI, DALL-E, Developer and NLP tools.

Thank you!
