Common Web Attacks

Cross Site Scripting (XSS)

Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user.

-- OWASP

As stated in the OWASP definition, XSS takes place when malicious code is injected. Thus, the rule of thumb to prevent XSS is: NEVER TRUST USER INPUTS.

Types of XSS

XSS attacks can generally be grouped into three categories: reflected, stored and DOM-based, of which the first two are more common.

  • Reflected XSS (Non-persistent / Type-I):

    This is the most common type of XSS attack, where the injected script is reflected off the web server, such as in an error message, search result, or any other response that includes some or all of the input sent to the server as part of the request.

  • Stored XSS (Persistent / Type-II):

    This type of XSS occurs when the injected script is permanently stored on the target servers, such as in a database, in a message forum, visitor log, comment field, etc. The victim then retrieves the malicious script from the server when it requests the stored information.

  • DOM-Based XSS (Type-0):

    This type of XSS is less well known. The attack payload is executed as a result of modifying the DOM “environment” in the victim’s browser that is used by the original client-side script, so that the client-side code runs in an “unexpected” manner.

| Type      | Persistent | Flaw Location    | Examples                                                                                              |
|-----------|------------|------------------|-------------------------------------------------------------------------------------------------------|
| Reflected | No         | Server           | Including malicious script in GET request URL parameters                                              |
| Stored    | Yes        | Server           | Injecting malicious script in comment fields that is sent to the database, triggered when a user loads the page |
| DOM-Based |            | Client (Browser) | Client-side scripts write data provided by the user to the DOM                                        |

How to prevent ?

While major frameworks (such as React) do provide XSS prevention by default, they might still be vulnerable, so building a mindset of preventing XSS is still beneficial.

Multiple techniques are available to prevent XSS, but it can hardly be solved by any single one of them. Thus, the best practice is to have a deep understanding of where inputs are accepted and how they are used in the application, and then combine multiple techniques accordingly.

Output Encoding

  • Do not trust user inputs. Whenever user input might be displayed in the UI, always encode the string before outputting it to avoid XSS.

HTML Sanitization

Content Security Policy (CSP)

Refer to CSP note.

Trusted Types

  • Trusted Types API is a browser API that gives web developers a way to lock down the insecure parts of the DOM API to prevent XSS attacks.
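The following is an added example (not part of the original notes) that ties the Output Encoding and Trusted Types sections together: a small HTML encoder that turns markup characters into entities, a reflected-XSS-style render function that uses it, and a Trusted Types policy whose `createHTML` can only ever return encoded text. The policy name `text-only`, the function names and the injected `trustedTypes` parameter are this example's own choices; in a page you would pass `window.trustedTypes`.

```javascript
// Added example (not from the original notes): contextual output encoding for
// HTML content, plus a Trusted Types policy that only produces encoded text,
// so whatever reaches a DOM sink such as innerHTML is rendered literally.

// Characters that are significant in HTML element content and quoted attributes.
const HTML_ENCODE_MAP = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
  '/': '&#x2F;',
};

// Encode a string so the browser renders it as literal text rather than markup.
function encodeForHtml(untrusted) {
  return String(untrusted).replace(/[&<>"'/]/g, (ch) => HTML_ENCODE_MAP[ch]);
}

// Reflected-XSS scenario: a search page echoes the query back in the response.
// Encoding at output time keeps the echoed value inert regardless of its content.
function renderSearchResult(query) {
  return `<p>Results for: <b>${encodeForHtml(query)}</b></p>`;
}

// Trusted Types: build a policy whose createHTML can only return encoded text.
// `trustedTypes` is injected so this is testable outside a browser; in a page
// you would pass window.trustedTypes. The policy name 'text-only' is an example.
function makeTextOnlyPolicy(trustedTypes) {
  const rules = { createHTML: (input) => encodeForHtml(input) };
  if (trustedTypes && typeof trustedTypes.createPolicy === 'function') {
    return trustedTypes.createPolicy('text-only', rules);
  }
  // Browser without Trusted Types support: same behaviour, plain strings.
  return rules;
}

// Write untrusted text into an element through innerHTML without introducing XSS.
// Under the CSP directive require-trusted-types-for 'script', assigning a raw
// string here would throw; a policy-created value is accepted.
function safeAssignHtml(element, untrusted, policy) {
  element.innerHTML = policy.createHTML(untrusted);
  return element.innerHTML;
}
```

Note that `encodeForHtml` is correct for element content and quoted attribute values only; values placed into JavaScript, URL or CSS contexts need the encoder for that context.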

Third-Party Libraries

  • Some third-party libraries can be used to prevent XSS, such as DOMPurify and js-xss.

Recommended Readings

Cross Site Request Forgery (CSRF)

Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they’re currently authenticated.

-- OWASP

How to prevent ?

  • CSRF Token
  • SameSite Cookies
  • Referer-based validation

References