XSS

Cross-Site Scripting (also referred to as Cross-Server Scripting or Cross-Service Scripting, commonly abbreviated XSS) is now a well-known and well-documented attack on Server resources through Web Applications and dynamic websites that use Server-Side code to create rich experiences on the web.

EXAMPLES

Excellent example of companies which have consistently had to plug XSS and other security vulnerabilities are Google^[1] and Microsoft^[2].

XSS

XSS attacks are broadly classified into 2 types:

1. Non-Persistent
2. Persistent

• wikipedia: Cross-site_scripting
• XSS (Cross Site Scripting) Prevention Cheat Sheet: https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html | SRC
• XSS Filter Evasion Cheat Sheet: https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
• DOM based XSS Prevention Cheat Sheet: https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.md

^{[3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15]}

CSRF

Cross-Site Request Forgery (CSRF), also known as a one-click attack or session riding and abbreviated as CSRF (sometimes pronounced sea-surf[1]) or XSRF, is a type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts.[2] Unlike cross-site scripting (XSS), which exploits the trust a user has for a particular site, CSRF exploits the trust that a site has in a user's browser.

• wikipedia: Cross-site request forgery
• Cross-Site Request Forgery (CSRF): https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)
• Cross Site Request Forgery: http://projects.webappsec.org/w/page/13246919/Cross%20Site%20Request%20Forgery
• Cross-Site Request Forgery - Demystified: http://halls-of-valhalla.org/beta/articles/cross-site-request-forgery-demystified,47/
• Cross-Site Request Forgery explained: https://dzone.com/articles/cross-site-request-forgery

^{[16] [17] [18] [19]}

Tools

• Burp Suite - Web App Security: https://portswigger.net/
• CSRF Guard: https://www.owasp.org/index.php/CSRF_Guard
• CSRF Tester: https://www.owasp.org/index.php/Category:OWASP_CSRFTester_Project
• CSP Evaluator: http://csp-evaluator.withgoogle.com/^[20][21]

Resources

• OWASP - CSRF Prevention cheatsheet: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29_Prevention_Cheat_Sheet
• OWASP - XSS Prevention cheatsheet: https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet^[22]
• DOM based XSS Prevention Cheat Sheet: https://www.owasp.org/index.php/DOM_based_XSS_Prevention_Cheat_Sheet
• Cross-site Scripting (XSS) -- Attack vectors (examples by HTML tag): https://www.acunetix.com/websitesecurity/cross-site-scripting/
• Hacker's Guide to XSS: http://hakipedia.com/index.php/Cross_Site_Scripting
• The Cross-Site Request Forgery (CSRF/XSRF) FAQ: http://www.cgisecurity.com/csrf-faq.html
• Apache Server advisory - "Cross Site Scripting Info: Encoding Examples": http://httpd.apache.org/info/css-security/encoding_examples.html
• Java HTML Sanitizer project: https://www.owasp.org/index.php/OWASP_Java_HTML_Sanitizer_Project
• HTMLPurifier PHP lib: http://htmlpurifier.org | DEMO
• CAPEC-86 -- XSS Through HTTP Headers: http://capec.mitre.org/data/definitions/86.html
• Here Is The Javascript Code For The Harlem Shake On Websites: https://javascriptcodeforharlemshake.blogspot.com | DEMO^{[23][24][25][26][27]}

Tutorials

• How to prevent cross-site scripting security issues: http://support.microsoft.com/kb/252985
• IBM on protecting against Cross-Site Scripting attacks: http://www.ibm.com/developerworks/tivoli/library/s-csscript/
• HTML Code Injection and Cross-site scripting -- Understanding the cause and effect of XSS Vulnerabilities: http://www.technicalinfo.net/papers/CSS.html
• Cross-Site Scripting in HTTP Headers: https://dzone.com/articles/cross-site-scripting-in-http-headers
• Prevent XSS exploit in Java, JSF, JSP, etc: http://www.rgagnon.com/javadetails/java-0627.html
• How to sanitize HTML code in Java to prevent XSS attacks?: https://stackoverflow.com/questions/3413297/how-to-sanitize-html-code-in-java-to-prevent-xss-attacks
• Java - Remove HTML tags from a String: https://stackoverflow.com/questions/240546/remove-html-tags-from-a-string
• Remove HTML tags from String in Java (basic RegEx replace example): https://www.javacodeexamples.com/remove-html-tags-from-string-in-java-example/753
• Preventing CSRF in Java web apps: http://ricardozuasti.com/2012/preventing-csrf-in-java-web-apps/
• Spring Security Cross-site Scripting prevention: https://defensivecode.wordpress.com/2013/09/03/spring-security-xss/
• New in Spring MVC 3.1: CSRF Protection using RequestDataValueProcessor: http://blog.eyallupu.com/2012/04/csrf-defense-in-spring-mvc-31.html
• Cross-Site Scripting (XSS) Attack Remediation : https://dzone.com/articles/cross-site-scripting-xss-attack-remediation
• JavaScript - Remove HTML Tags From String To Prevent XSS Attacks: https://www.cssscript.com/remove-html-tags-prevent-xss/
• Is XSS possible with jQuery(location.hash)?: https://security.stackexchange.com/questions/177261/is-xss-possible-with-jquerylocation-hash
• Address DOM XSS: https://medium.com/@a.pranaykumar01/address-dom-xss-b21515db0562
• JavaScript written only with brackets?: https://security.stackexchange.com/questions/8263/javascript-written-only-with-brackets
• Dynamic Languages Strike Back: http://steve-yegge.blogspot.com/2008/05/dynamic-languages-strike-back.html
• JSLint -- eval is evil: http://linterrors.com/js/eval-is-evil

^{[28] [29] [30] [31] [32]}

• Where can I find ESAPI.properties?: https://stackoverflow.com/questions/29270573/where-can-i-find-esapi-properties/29519092

^{[33] [34]}

External Links

• wikipedia: Cross-site request forgery
• wikipedia: Cross-site scripting
• wikipedia: HTML sanitization
• wikipedia: List_of_XML_and_HTML_character_entity_references#Predefined_entities_in_XML
• PHP functions for preventing XSS: http://security.stackexchange.com/questions/8798/php-functions-for-preventing-xss
• Google's cookie crumbles under scripting attack: http://www.theregister.co.uk/2008/04/15/google_spreadsheet_bug/
• Google XSS: http://xs-sniper.com/blog/2008/04/14/google-xss/
• XSS vulnerability explained by video: http://www.virtualforge.de/vmovie/xss_selling_platform_v1.0.php (all libs http://www.virtualforge.de/vmovie.php)
• McAfee CSRF guide: http://www.mcafee.com/us/resources/white-papers/wp-csrf-attack-defense.pdf
• CASE STUDY -- Over 99 percent of About.com links vulnerable to XSS, XFS iframe attack: http://www.zdnet.com/article/over-99-percent-of-about-com-links-vulnerable-to-xss-xfs-iframe-attack/
• Universal XSS flaw in fully patched Microsoft Internet Explorer exposed: http://www.zdnet.com/article/severe-xss-flaw-in-fully-patched-microsoft-internet-explorer-discovered/
• This is why you sanitize user input -- Twitch Chat hacked live by XSS/HTML code injection, hilarity ensues: https://www.youtube.com/watch?v=2GtbY1XWGlQ
• Java Code Examples for org.owasp.esapi.ESAPI: https://www.programcreek.com/java-api-examples/?api=org.owasp.esapi.ESAPI
• Using ESAPI to fix XSS in your Java code : https://www.computerweekly.com/tip/Using-ESAPI-to-fix-XSS-in-your-Java-code

References

1. ↑ Infamous XSS Security Researcher Billy Rios pokes another flaw with Google Application: http://www.theregister.co.uk/2008/04/15/google_spreadsheet_bug/
2. ↑ Microsoft's Hotmail Security compromised: http://www.usatoday.com/tech/news/2001-08-31-hotmail-security-side.htm
3. ↑ Stronger Anti Cross-Site Scripting (XSS) Filter for Java Web Apps : https://dzone.com/articles/stronger-anti-cross-site
4. ↑ Cross Site Scripting (XSS) Attack Tutorial with Examples, Types & Prevention: https://www.softwaretestinghelp.com/cross-site-scripting-xss-attack-test/
5. ↑ XSS attack examples: http://www.thegeekstuff.com/2012/02/xss-attack-examples/
6. ↑ XSS Prevention Cheat Sheet for Penetration Testers: https://www.hackingloops.com/xss-prevention-cheat-sheet-for-penetration-testers/
7. ↑ Java Best Practices to Prevent Cross Site Scripting: https://stackoverflow.com/questions/1159729/java-best-practices-to-prevent-cross-site-scripting
8. ↑ XSS prevention in JSP/Servlet web application: https://stackoverflow.com/questions/2658922/xss-prevention-in-jsp-servlet-web-application
9. ↑ Javascript XSS Prevention: https://stackoverflow.com/questions/12799539/javascript-xss-prevention
10. ↑ How to prevent XSS: https://portswigger.net/web-security/cross-site-scripting/preventing
11. ↑ Stripping Dangerous Tags and Javascript from HTML: https://www.oreilly.com/library/view/python-cookbook/0596001673/ch11s07.html
12. ↑ How to sanitize HTML with JavaScript: https://remarkablemark.org/blog/2019/11/29/javascript-sanitize-html/
13. ↑ Strip HTML Tags in JavaScript: https://css-tricks.com/snippets/javascript/strip-html-tags-in-javascript/
14. ↑ How to strip HTML tags from string in JavaScript?: https://stackoverflow.com/questions/5002111/how-to-strip-html-tags-from-string-in-javascript
15. ↑ W3schools -- HTML DOM Events: https://www.w3schools.com/jsref/dom_obj_event.asp (events as attributes should be skipped/removed/stripped/disallowed/ignroed)
16. ↑ Complete Guide to Cross-Site Request Forgery (CSRF/XSRF): https://reflectoring.io/complete-guide-to-csrf/
17. ↑ 3 Hurdles to Getting CSRF Protection Correct: http://blog.coverity.com/2014/04/29/3-hurdles-getting-csrf-protection-correct/
18. ↑ CSRF Protection in Slim 3 PHP Framework: http://dzone.com/articles/csrf-protection-in-slim-3-php-framework
19. ↑ CSRF exploits -- That single GraphQL issue that you keep missing: https://blog.doyensec.com/2021/05/20/graphql-csrf.html
20. ↑ Reshaping web defenses with strict Content Security Policy: http://security.googleblog.com/2016/09/reshaping-web-defenses-with-strict.html
21. ↑ Google tackles XSS scripting flaws with new developer tools: http://www.zdnet.com/article/google-tackles-xss-scripting-flaws-with-new-developer-tools/
22. ↑ XSS Filter Evasion Cheat Sheet: https://cheatsheetseries.owasp.org/cheatsheets/XSS_Filter_Evasion_Cheat_Sheet.html
23. ↑ HarlemShake on major Banking/Financial websites: https://www.youtube.com/watch?v=OldCbJVBgyo
24. ↑ CSS3/jQuery Harlem shake: https://github.com/Elfoslav/harlem-shake
25. ↑ harlem-shake.js: https://gist.github.com/jonathantneal/656b23d080994df1587f770f61d88c77
26. ↑ Do `Harlem Shake` on any websites!: https://licson.net/post/do-harlem-shake-on-any-websites/
27. ↑ How To - Shake an Image: https://www.w3schools.com/howto/howto_css_shake_image.asp
28. ↑ Don't be eval(): https://24ways.org/2005/dont-be-eval
29. ↑ Is eval evil? Just In Time (JIT) compiling: https://wanago.io/2018/11/19/how-does-eval-work-and-how-is-it-evil-javascript-eval/
30. ↑ eval() isn’t evil, just misunderstood: https://humanwhocodes.com/blog/2013/06/25/eval-isnt-evil-just-misunderstood/
31. ↑ eval is not Evil: https://www.stevefenton.co.uk/2017/10/eval-not-evil/
32. ↑ Eval is Evil, But Not Why You May Think: https://medium.com/mail-online/eval-is-evil-but-not-why-you-may-think-25961f9b01bb
33. ↑ Correct location for ESAPI.properties under web project: https://stackoverflow.com/questions/29842208/correct-location-for-esapi-properties-under-web-project
34. ↑ ESAPI Configuration in AEM: https://experienceleaguecommunities.adobe.com/t5/adobe-experience-manager/esapi-configuration-in-aem/qaq-p/308774

See Also

AJAX | Browser | Security