XSS is the most prevalent vulnerability class on the web. Every new technology (HTML5, CORS, template engines such as Jinja2…) brings new attack vectors with it. Yet many people underestimate what XSS can do: it is often easy to find, but not so easy to mitigate. So, what is an XSS actually able to do?
- Steal the user's cookies (any cookie not flagged HttpOnly is readable through document.cookie)
- Retrieve form data, including CSRF tokens
- Retrieve local and session storage
- Capture the user's keystrokes
- Capture the full DOM, i.e. everything rendered on the page
- Capture a screenshot of the page
- Take a webcam snapshot (the browser still prompts the user for camera permission)
- and more
To stay stealthy, the data should be exfiltrated with XHR rather than by redirecting the user. CORS does not stop the request from reaching the attacker's server: a cross-origin POST with a form content type is sent without a preflight, and the browser only withholds the response. If the payload needs to read that response, or sends a content type that triggers a preflight, the attacker's domain must answer with the appropriate Access-Control-Allow-Origin header.
How can we prevent XSS attacks?
- Using a Web Application Firewall (WAF): this is common practice, but easy to bypass. A WAF works by blacklisting: its rules are regular expressions, which are hard to get fully right, and an attacker only needs one encoding or syntax variant the rules do not match.
- Escaping/encoding: the principle is filter input, encode output, and the encoding must match the context the data lands in (HTML body, attribute, JavaScript string, URL). However, developers tend to overlook some injection points; frankly, this happens a lot on large websites.
- Content Security Policy (CSP): a client-side protection. It can disallow inline scripts and scripts from non-whitelisted domains. Yet a policy for a large site can get very complex, and some developers do not want to give up the convenience of inline scripts, even though CSP nonces and hashes let the site keep its own inline scripts while still blocking injected ones.