Jack Watson
Vodafone UK Engineering
3 min read · Oct 8, 2019


At Vodafone we take every precaution to ensure that the data our customers entrust us with is stored safely and securely, giving them peace of mind. As part of this endeavour we employ an independent security firm to regularly analyse our products, allowing us to pre-emptively identify areas where we can strengthen security before those products reach the public sphere. We recently looked at a specific type of attack that hackers use to try to steal data, dubbed XSS. Here’s a little explainer of what an XSS attack is and how we protect our products from them…

So, everyone hates an XSS attack amirite?

Ughh tell me about it… what’s XSS?

XSS stands for Cross-Site Scripting and th…

What kind of an acronym is that?

Yeah it’s not the best, but CSS was already taken and apparently you don’t mess with CSS fanboys.

Fair. Sorry, you were saying…

An XSS attack occurs when dark wizards inject malicious scripts into a URL, which are then executed in the browser of an unsuspecting user who makes a request for that URL. Such URLs could be disguised as links in phishing emails, for example, and when the scripts run they send the user’s data back to the wizards. The URLs typically look something like this…

https://www.site.com?queryString=</script><script>alert(1)</script>

Tell me more.

Most modern browsers have built-in XSS protection which takes care of these types of attacks for us. However, older or poorly maintained browsers can still be vulnerable, so to be extra safe we can add protection at the root level within our application.

No, tell me more about the wizards…

Your tiny mind wouldn’t be able to comprehend them. I can however tell you how to defeat them.

To nullify the threat of XSS attacks you can tell your app to look out for requests containing certain characters, i.e. those that surround a <script> tag. Whenever these characters are detected we can replace them with their HTML equivalents, which prevents the scripts from running. This is known as escaping. In the example below we have a function, where escape is a function which replaces special characters with their respective escape codes.

If we pass this function the object below…

{
keyOne: '<script>download photos</script>',
keyTwo: 'innocent string'
}

…it will be manipulated to return the following:

{
keyOne: '%3Cscript%3Edownload%20photos%3C/script%3E',
keyTwo: 'innocent%20string'
}

This effectively renders the script useless as it is no longer initiated by a valid tag. And THAT is one way you can help protect your apps from dark forces 👍
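As an added example that is not the author’s code (the post’s own function is not shown here), a JavaScript version of the escaping step: encodeURI reproduces the percent-encoded output above, and an HTML-entity variant shows the encoding to use when the value is rendered into a page rather than a URL. The names escapeValues and escapeHtml are assumptions for this example.

```javascript
// Added example (not the author's code): neutralise script-bearing input
// by encoding every string value before it is echoed back to the user.

// HTML-entity escaping: the right encoding when a value is written into
// HTML markup. These five characters are what give a '<script>' tag
// (or a quoted attribute) its meaning.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

function escapeHtml(str) {
  return str.replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Walk an object and apply `encode` to every string value, leaving
// numbers, booleans and null untouched, and recursing into nested
// objects and arrays so a payload buried in a sub-key is not missed.
function escapeValues(value, encode) {
  if (typeof value === 'string') return encode(value);
  if (Array.isArray(value)) return value.map((v) => escapeValues(v, encode));
  if (value !== null && typeof value === 'object') {
    return Object.fromEntries(
      Object.entries(value).map(([k, v]) => [k, escapeValues(v, encode)])
    );
  }
  return value;
}

// Constructed sample input, mirroring the object in the post.
const SAMPLE = {
  keyOne: '<script>download photos</script>',
  keyTwo: 'innocent string',
};

// Percent-encoding (encodeURI) yields the '%3Cscript%3E' form shown in
// the post; it is the encoding for values that end up inside a URL.
const percentEncoded = escapeValues(SAMPLE, encodeURI);

// Entity escaping is the encoding for values rendered into HTML.
const htmlEscaped = escapeValues(SAMPLE, escapeHtml);

console.log(percentEncoded);
console.log(htmlEscaped);
```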

Amazing. Are you a wizard too?

As well as regular security audits to help identify areas where we can improve our products before they come to market, we also run internal workshops to share knowledge of various attack vectors and how to defend against them. This allows us to deliver innovative products that our customers can use, safe in the knowledge that their account is well protected.

Wanna be a wizard too? Why not join us https://careers.vodafone.co.uk/ 🙌
