Belgutei

There are 3 main types of Cross-site Scripting (XSS) attacks

reflected
- has social engineering aspect
restored
- stored in db
dom based

Prevention

Sanitize the input provided by the user - Dom Purify gihtub

XSS vs Server side attacks

xss: the main impacts are on the clients. JS-injection on the browser. The attacker can act as a user
Server side - responsibility on the developers.

Defence in depth in XSS.

Also, the browsers take measurements against xss attacks to protect the users. We could even prevent from executing any javascript on the browser. But, the web application could require some javascript to function. Then, we can specify specific javascript that could be executed on the browser. To achieve that, we can set http header.

Content-Security Policy (CSP)

Mozilla develop guide on CSP

Content-Security-Policy: script-src 'none'
- with this http response header, the browser wouldn't execute in javascript at all (very strict rule).
Content-Security-Policy: script-src 'self' https://example.com
- allow to execute javascript from the same origin
  - vulnerable to stored xss
- allow to execute script from example.com
unsafe-inline: executes inline script tag
- if the response specified CSP, without unsafe-inline <script>alert(1)</script> wouldn't be executed on the browser
script-src 'sha256-abcdef123456
- allow to execute scripts that the hash value matches to CSP hash value
- <script integrity='sha256-abcdef'>: it is optional to provide integrity/hash value in the script tag
nonce-radomvalue in CSP header
- to generate using secrets library
- import secrets
- secrets.token_hex(40)
- then in scripts tag <script src="some-script.js" nonce="randomvalue">
Content Delivery Network (CDN)

http header to allow the browser to make fetch requests to only certain pre-determined endpoints.

Cross-Site Request Forgery (CSRF)

sending a request from a malicious site to target site from the victim's browser
- victim has to open the malicious site on the browser to succeed

There are 3 main types of Cross-site Scripting (XSS) attacks

reflected
- has social engineering aspect
restored
- stored in db
dom based

Prevention

Sanitize the input provided by the user - Dom Purify gihtub

XSS vs Server side attacks

xss: the main impacts are on the clients. JS-injection on the browser. The attacker can act as a user
Server side - responsibility on the developers.

Defence in depth in XSS.

Content-Security Policy (CSP)

Mozilla develop guide on CSP

Content-Security-Policy: script-src 'none'
- with this http response header, the browser wouldn't execute in javascript at all (very strict rule).
Content-Security-Policy: script-src 'self' https://example.com
- allow to execute javascript from the same origin
  - vulnerable to stored xss
- allow to execute script from example.com
unsafe-inline: executes inline script tag
- if the response specified CSP, without unsafe-inline <script>alert(1)</script> wouldn't be executed on the browser
script-src 'sha256-abcdef123456
- allow to execute scripts that the hash value matches to CSP hash value
- <script integrity='sha256-abcdef'>: it is optional to provide integrity/hash value in the script tag
nonce-radomvalue in CSP header
- to generate using secrets library
- import secrets
- secrets.token_hex(40)
- then in scripts tag <script src="some-script.js" nonce="randomvalue">
Content Delivery Network (CDN)

http header to allow the browser to make fetch requests to only certain pre-determined endpoints.

Cross-Site Request Forgery (CSRF)

sending a request from a malicious site to target site from the victim's browser
- victim has to open the malicious site on the browser to succeed

Prevention

XSS vs Server side attacks

Defence in depth in XSS.

Content-Security Policy (CSP)

Cross-Origin-Resource-Sharing (CORS)

Cross-Site Request Forgery (CSRF)

Prevention

XSS vs Server side attacks

Defence in depth in XSS.

Content-Security Policy (CSP)

Cross-Origin-Resource-Sharing (CORS)

Cross-Site Request Forgery (CSRF)