~/Belgutei
~/Blogs
~/Courses
Cross Site Scripting
2025-04-07
Table of Contents
PreventionXSS vs Server side attacksDefence in depth in XSS.Content-Security Policy (CSP)Cross-Origin-Resource-Sharing (CORS)Cross-Site Request Forgery (CSRF)
Tags
UNSWCOMP6843

There are 3 main types of Cross-site Scripting (XSS) attacks

  • reflected
    • has social engineering aspect
  • restored
    • stored in db
  • dom based

Prevention

Sanitize the input provided by the user - Dom Purify gihtub

XSS vs Server side attacks

  • xss: the main impacts are on the clients. JS-injection on the browser. The attacker can act as a user
  • Server side - responsibility on the developers.

Defence in depth in XSS.

Also, the browsers take measurements against xss attacks to protect the users. We could even prevent from executing any javascript on the browser. But, the web application could require some javascript to function. Then, we can specify specific javascript that could be executed on the browser. To achieve that, we can set http header.

Content-Security Policy (CSP)

Mozilla develop guide on CSP

  • Content-Security-Policy: script-src 'none'
    • with this http response header, the browser wouldn't execute in javascript at all (very strict rule).
  • Content-Security-Policy: script-src 'self' https://example.com
    • allow to execute javascript from the same origin
      • vulnerable to stored xss
    • allow to execute script from example.com
  • unsafe-inline: executes inline script tag
    • if the response specified CSP, without unsafe-inline <script>alert(1)</script> wouldn't be executed on the browser
  • script-src 'sha256-abcdef123456
    • allow to execute scripts that the hash value matches to CSP hash value
    • <script integrity='sha256-abcdef'>: it is optional to provide integrity/hash value in the script tag
  • nonce-radomvalue in CSP header
    • to generate using secrets library
    • import secrets
    • secrets.token_hex(40)
    • then in scripts tag <script src="some-script.js" nonce="randomvalue">
  • Content Delivery Network (CDN)

Cross-Origin-Resource-Sharing (CORS)

  • http header to allow the browser to make fetch requests to only certain pre-determined endpoints.

Cross-Site Request Forgery (CSRF)

  • sending a request from a malicious site to target site from the victim's browser
    • victim has to open the malicious site on the browser to succeed
© 2024 Belgutei. All rights reserved