Tower Defense Tip: Cross Site Scripting (XSS)
- Last Tower
- Feb 27, 2024
- 1 min read

Let's talk about a common web application attack.
Some of the most common attacks a malicious actor will attempt against web applications are Cross-Site Scripting (XSS) attacks. The attacker uses the web application itself to deliver their malicious script to a different end user, whose browser then executes it. That script can read the user's cookies, session tokens or other browser-held information.
Defensive Measures:
1. Ensure that all variables in the application go through validation and are properly escaped or sanitized.
2. Use output encoding: convert untrusted input into a safe form so it is displayed as data and does not execute as code in the browser. Use the output encoding method that matches the context it lands in (JavaScript, HTML, URLs, or CSS).
3. HTML sanitization: strip dangerous HTML from a variable and use a safe HTML string instead. A good example of a library to help you sanitize HTML can be found here: https://lnkd.in/e67ppSva
4. Set proper security headers: to prevent XSS in HTTP responses, set the Content-Type and X-Content-Type-Options headers.
5. Content Security Policy: a whitelist of allowed sources that prevents malicious content from being loaded.
6. Web Application Firewalls: block known attack strings. (WAFs are a good complementary security measure; however, WAF bypass techniques do exist, and WAFs will not prevent DOM-based XSS.)
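As an added illustration of measure 2 (not code from the original post), here is context-aware output encoding for the HTML and JavaScript-string contexts next to the unsafe string concatenation it replaces; the function names are my own and the sample input is constructed:

```javascript
// Added example (not the original post's code): output encoding for two
// contexts, shown beside the unsafe concatenation it replaces. Names are my own.

// Entity map for the HTML body / attribute-value context (the OWASP set).
const HTML_ENTITIES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '/': '&#x2F;',
};

// Encode untrusted text so the browser parses it as data, not markup.
function encodeForHtml(untrusted) {
  return String(untrusted).replace(/[&<>"'\/]/g, (ch) => HTML_ENTITIES[ch]);
}

// Encode untrusted text for placement inside a quoted JavaScript string
// literal: every non-alphanumeric code unit becomes \xHH or \uHHHH, so quotes
// and "</script>" cannot terminate the literal or the surrounding script block.
function encodeForJsString(untrusted) {
  return String(untrusted).replace(/[^A-Za-z0-9]/g, (ch) => {
    const code = ch.charCodeAt(0);
    return code < 0x100
      ? '\\x' + code.toString(16).padStart(2, '0')
      : '\\u' + code.toString(16).padStart(4, '0');
  });
}

// Vulnerable pattern: untrusted value dropped straight into the page.
function renderUnsafe(displayName) {
  return `<p>Hello, ${displayName}</p>`;
}

// Hardened pattern: same template, value encoded for the HTML context.
function renderSafe(displayName) {
  return `<p>Hello, ${encodeForHtml(displayName)}</p>`;
}

// Hardened pattern for the JavaScript context: value lands inside a literal.
function renderInlineScript(displayName) {
  return `<script>var user = '${encodeForJsString(displayName)}';</script>`;
}

// Constructed sample input in the shape of a stored-XSS payload.
const SAMPLE = '<script>alert(document.cookie)</script>';
console.log(renderUnsafe(SAMPLE));        // parsed as markup: the script would run
console.log(renderSafe(SAMPLE));          // rendered as literal text instead
console.log(renderInlineScript("O'Neil")); // quote cannot break out of the literal
```

Note that the HTML encoder is wrong for the JavaScript, URL and CSS contexts; each context needs its own encoder, which is the point of measure 2.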