Prevent XSS Vulnerabilities with XSS Protection

What is XSS Anyway?

Although many websites are vulnerable to XSS, many of the people who run them are not even aware of what it is. XSS stands for cross-site scripting. A website is vulnerable to XSS when arbitrary HTML can be placed inside a query (typically a parameter of an HTTP GET request) and is reflected into the page without being escaped. A malicious hacker can use this by linking users to a page whose query contains HTML that collects whatever information they want from any user who clicks on that link. A rough estimate puts about 70% of all websites on the Internet at risk for this kind of exploit.

How do I know if I have an XSS Hole in My Website?

The easiest way to detect an XSS vulnerability is to send a piece of JavaScript or HTML through any query on your own site. For example, if the URL for a search query on your website is "https://www.some-url.com/search.php?term=", you can append the following string to it: %3Cscript%3Ealert%28%91There%20is%20an%20XSS%20Vulnerability%20Present%92%29%3C%2Fscript%3E. This is the most effective way of finding XSS holes without knowing much about how they could be used to compromise your site's visitors. The string simply adds a JavaScript alert call that pops up a small box reading "There is an XSS Vulnerability Present" if the parameter is reflected into the page unescaped. You will, of course, need to have JavaScript enabled for this to work.

What do I do About XSS Vulnerabilities?

If you want to prevent XSS vulnerabilities, you need to handle input in a way that does not allow any browser-side scripting (HTML, JavaScript, or CSS) from a query to reach the page. The best thing to do is write a function that processes query values and escapes them properly. Escape all JavaScript, CSS, and HTML so that no query can carry such code into your output. This is the simplest and surest way of dealing with XSS holes on your site. When you are writing with ASP.NET, you usually do not have much to worry about, since its request validation rejects requests containing potentially malicious script before your code processes the query.

More Rules of Thumb to Consider

Escaping HTML output with entity encoding is exactly what you should be doing to prevent nasty XSS problems. Here are the characters to escape and their replacements (for best results, replace them in your query values in the order listed):

  • & = &amp; (Always replace this one first: if you do it later, you will re-escape the ampersand at the start of every entity you have already inserted)
  • < = &lt;
  • > = &gt;
  • " = &quot;
  • ' = &#x27;
  • / = &#x2F;
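As an added example (not code from the original article), here is a JavaScript implementation of the escaping rules above, applied in the listed order, beside a wrong-order variant that shows why "&" must be handled first. The renderSearchResult helper and the decoded probe string are constructed for illustration.

```javascript
// Added example, not from the original article: HTML entity escaping for
// untrusted query input, applying the six rules above in the order listed.

const HTML_ESCAPES = [
  ["&", "&amp;"],  // must come first (see escapeHtmlAmpersandLast below)
  ["<", "&lt;"],
  [">", "&gt;"],
  ['"', "&quot;"],
  ["'", "&#x27;"],
  ["/", "&#x2F;"],
];

// Escape every character in the table, in order, so the result is inert
// when placed inside HTML element content or a quoted attribute value.
function escapeHtml(input) {
  let out = String(input);
  for (const [ch, entity] of HTML_ESCAPES) {
    out = out.split(ch).join(entity);
  }
  return out;
}

// Deliberately wrong ordering, kept for comparison: handling "&" last
// turns the "&lt;" produced by an earlier step into "&amp;lt;".
function escapeHtmlAmpersandLast(input) {
  let out = String(input);
  for (const [ch, entity] of [...HTML_ESCAPES.slice(1), HTML_ESCAPES[0]]) {
    out = out.split(ch).join(entity);
  }
  return out;
}

// Hypothetical server-side template for a search results page: the term
// taken from the query string is escaped before being placed in the markup.
function renderSearchResult(term) {
  return `<p>Results for: ${escapeHtml(term)}</p>`;
}

// Constructed sample input: the article's probe string after URL decoding
// (written with plain ASCII quotes).
const PROBE = "<script>alert('There is an XSS Vulnerability Present')</script>";

// Check usable on any rendered fragment: no raw script tag delimiters
// survive from the untrusted input.
function hasRawScriptTag(html) {
  return /<\/?script/i.test(html);
}

console.log(renderSearchResult(PROBE));
```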

If you follow through with these suggestions, you will probably never have a complaint about XSS vulnerabilities on your website, and you can rest assured that your visitors will be safe.