Cyber Security — XSS Defense and Prevention

What Exactly Is XSS?
As simplified by Ahmed and Ali (2016), XSS is short for cross-site scripting and it is the insertion of malicious codes into a website’s pages with the intention of stealing data or facilitating phishing scam. Basically, XSS is a client-targeted attack that requires some serious expertise to mitigate a webpage’s vulnerability. Mitigation processes and techniques rely mostly on the type of scripting attack, which is subdivided into three categories. The first type of cross-site scripting is the Reflected XSS whereby the perpetrator baits a user to enter a malicious JavaScript input (e.g. via the search box).

The second type is the Stored XSS whereby the perpetrator fetches a non-sanitized input from the website’s database. However, the fetched value is a script that still runs from the client’s browser (Wang et al., 2018). The third type is the DOM-based XSS whereby the targeted malicious input from the client is never sent to the database, thus allowing the perpetrator to access the data from the client’s browser.

Preventive Measures & Techniques
As observed by Marashdih and Zaaba (2017), prevention techniques depend on how the perpetrator managed to inject malicious codes or data into a webpage. A great method is the use of Whitelist input to validate a client’s data. This not only makes sure that only trusted data gets in, but it also minimizes JavaScript injects as much as possible. The second recommendation is to make sure that output encoding of data prevents script execution. For instance, it would be advisable to make good use of “&lt” and “&gt” instead of “<” and “>” respectively. Finally, Ahmed and Ali (2016) suggest the need to change output values from HTML to Textual elements. For instance, instead of “inner.html=value” the output should be “inner.text=value” thus making reducing cases of XSS attacks.

References
Ahmed, M., & Ali, F. (2016). Multiple-Path Testing For Cross Site Scripting Using Genetic Algorithms. Journal Of Systems Architecture, 64, 50–62. DOI: 10.1016/j.sysarc.2015.11.001; Retrieved from https://bit.ly/2DZpg6G

Marashdih, A., & Zaaba, Z. (2017). Cross Site Scripting: Removing Approaches in Web Application. Procedia Computer Science, 124, 647–655. DOI: 10.1016/j.procs.2017.12.201; Retrieved from https://bit.ly/2PfbtKq

Wang, R., Xu, G., Zeng, X., Li, X., & Feng, Z. (2018). TT-XSS: A Novel Taint Tracking Based Dynamic Detection Framework For DOM Cross-Site Scripting. Journal Of Parallel And Distributed Computing, 118, 100–106. DOI: 10.1016/j.jpdc.2017.07.006; Retrieved from https://bit.ly/2CswRJv