Across That Site Yonder
BeEF, It’s What’s Taking Pictures of You Through Your Laptop Webcam
Enter The Matrix
Similar to the woman in the red dress, every website is really just a fancy combination of text and angle brackets. That dropdown menu at the top of the screen? Text. These words you're reading now? You guessed it. If you've never peered into the madness, you can right click on this page and select "View Source". Your browser transforms that mess into the neat columns and formatting and menu options you see before you.
Only You Can Encode Output
Injection has topped the OWASP Top 10 since its inception, the latest of which can be found here. The name Cross-Site Scripting was coined back in 2000 and has continued to be one of the most prevalent vulnerabilities plaguing web applications.
Done right, input sanitization is the best defense against Cross-Site Scripting attacks. Don't ever trust your users. Treat every input they send to your server as if it carries the plague. Use character whitelists where possible and don't allow angle brackets (<, >) unless absolutely necessary. OWASP's XSS Prevention Cheat Sheet can be found here.
While it doesn’t prevent all attacks, HTML Entity Encoding can make it much harder for an attacker to inject code into your application.
Many web application frameworks also include protections against Cross-Site Scripting attacks. If it makes sense for your application, consider using these features, which have likely already been tested and iterated upon.
Web Application Firewalls, or WAFs, have also become more prevalent. These act to block malicious strings sent by the user before they ever reach your servers. WAFs are typically signature-based, however, and need to be maintained and updated to be effective. And as with antivirus, no signature list is infallible, and determined attackers can craft strings that bypass detection rules. OWASP also provides a Filter Evasion Cheat Sheet.
A number of HTTP headers also provide additional protection from XSS attacks. The Content-Security-Policy header, for example, can provide a whitelist of the domains the browser is allowed to load scripts from, and without the Cross-Site part of Cross-Site Scripting, attacks become much harder to realistically pull off.
As with everything in security, avoid relying on a single technique or technology where possible. Whitelisting characters, encoding output and sending protective HTTP headers together make a far stronger defense than any one of them alone. New attack techniques and vulnerabilities are always coming to light. Well-architected security shouldn't expose your application to a single point of failure.
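As an added example that is not part of the original post, here are the layered defenses described above side by side in Python: a character whitelist applied on input, a template that drops the value into the page raw beside the same template with HTML entity encoding (including the attribute case), and a Content-Security-Policy header that limits scripts to the site's own origin. The sample visitor name and the whitelist pattern are constructed for this example.

```python
import html
import re

# Constructed sample input: a visitor "display name" that contains markup.
SAMPLE_NAME = "<script>alert(1)</script>"

# Input-side whitelist for a display name: letters, digits, spaces and a few
# punctuation marks. Angle brackets are deliberately absent, as the post advises.
NAME_WHITELIST = re.compile(r"[A-Za-z0-9 .'\-]{1,40}")


def is_allowed_name(value: str) -> bool:
    """Reject anything that is not entirely made of whitelisted characters."""
    return NAME_WHITELIST.fullmatch(value) is not None


def render_unsafe(name: str) -> str:
    """The vulnerable pattern: user text dropped straight into the HTML body."""
    return f"<p>Welcome, {name}!</p>"


def render_encoded(name: str) -> str:
    """Output-side defense: HTML entity encoding of the value before it is
    placed in the page. quote=True also encodes quotes, which matters whenever
    the same value can end up inside an attribute."""
    return f"<p>Welcome, {html.escape(name, quote=True)}!</p>"


def render_attribute(name: str) -> str:
    """Same value inside a quoted attribute: quoting plus encoding keeps a
    stray double quote from closing the attribute early."""
    return f'<input type="text" value="{html.escape(name, quote=True)}">'


# Response header that only allows scripts from the page's own origin, which
# removes the "cross-site" part the post refers to. 'self' is a CSP keyword.
CSP_HEADER = ("Content-Security-Policy", "default-src 'self'; script-src 'self'")


if __name__ == "__main__":
    print("whitelist accepts sample:", is_allowed_name(SAMPLE_NAME))
    print(render_unsafe(SAMPLE_NAME))      # markup survives into the page
    print(render_encoded(SAMPLE_NAME))     # markup is rendered as literal text
    print(render_attribute('" onfocus="x'))
    print(": ".join(CSP_HEADER))
```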