Threats Stopped - FAQ

XSS attack protection by Astra


Cross-Site Scripting (XSS) is one of the most common, yet most easily fixed, injection attacks faced by e-commerce businesses and web applications in general.

XSS attacks come in three types:

  1. DOM-based XSS: the vulnerability is in client-side code. A script on the page reads attacker-controlled data (for example from the URL fragment) and writes it into the DOM through an unsafe sink such as innerHTML, so the payload executes without ever reaching the server. The injected code is almost always JavaScript, although legacy browsers and plug-ins also executed VBScript and Flash (ActionScript).
  2. Persistent (stored) XSS: the payload is stored on the server side (a comment, profile field or product review) and is served to every user who later requests the page containing it.
  3. Non-persistent (reflected) XSS: the payload is reflected straight back in the response when a victim opens a link to a vulnerable page with the crafted input embedded in the request.

Precautions to Mitigate XSS Attacks

Preventing XSS does not mean stopping users from submitting input that looks like a payload; it means making sure that whatever they submit is never interpreted as HTML or script by the browser. With that in mind, here are a few methods used to prevent XSS attacks.


  1. Input validation: where the field allows it, allow-list input to alphanumeric characters or, in some cases, a small set of special characters. This reduces the attack surface and the room for bugs. Validation is a supporting control, not a complete one: fields that legitimately need characters such as < or & still have to be encoded when they are written to the page.
  2. Safe handling of DOM elements: unsafe handling of the DOM (Document Object Model) leads to XSS even in rich client-side UIs. For example, assigning user input to the innerHTML property makes the browser parse it as HTML, so injected tags and JavaScript event handlers (onerror, onload and so on) execute. The safe alternative is to write the value with textContent or innerText, which displays it as literal text and never invokes the HTML parser.
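The following is an added example, not code from Astra or from this page. It shows the two mitigations above in browser-style JavaScript: the allow-list check, the innerHTML sink beside its textContent replacement, and the output encoding that makes the "never parsed as HTML" rule concrete, including the DOM-based case where the payload arrives in the URL fragment. The field rules, the stub element objects and the example URL are assumptions; the stubs are what let it run unchanged in Node.

```javascript
// Added example, not Astra's code. Shows allow-list validation, the unsafe
// innerHTML sink next to the safe textContent sink, and output encoding.
// Element objects are plain stubs so the logic also runs outside a browser.

// 1. Input validation: an allow-list for a username-style field.
//    Letters, digits, underscore and hyphen only, 3 to 32 characters.
//    (Field name and limits are assumptions for the example.)
const USERNAME_RE = /^[A-Za-z0-9_-]{3,32}$/;

function isValidUsername(input) {
  return typeof input === 'string' && USERNAME_RE.test(input);
}

// 2. Output encoding: replace the five HTML-significant characters with
//    entities so the browser renders user data as text, not markup. Needed
//    whenever user data must be concatenated into an HTML string.
const HTML_ENTITIES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ENTITIES[c]);
}

// Vulnerable sink: user data concatenated into markup and assigned to
// innerHTML. A payload such as <img src=x onerror=alert(1)> is parsed, the
// image fails to load, and the onerror handler runs in the page's origin.
function renderCommentUnsafe(el, text) {
  el.innerHTML = '<p class="comment">' + text + '</p>';
  return el.innerHTML;
}

// Safe sink from the text: textContent (innerText behaves the same here)
// never invokes the HTML parser, so the payload is displayed literally.
function renderCommentSafe(el, text) {
  el.textContent = text;
  return el.textContent;
}

// Hardened version of the innerHTML pattern for when markup is unavoidable:
// encode the data before it is placed into the HTML string.
function renderCommentEncoded(el, text) {
  el.innerHTML = '<p class="comment">' + escapeHtml(text) + '</p>';
  return el.innerHTML;
}

// DOM-based XSS: data from location.hash never reaches the server, so
// server-side filtering cannot see it. Vulnerable pattern:
//   greet.innerHTML = 'Hello ' + decodeURIComponent(location.hash.slice(1));
// triggered by a hypothetical URL such as
//   https://shop.example/#%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E
// The safe version validates first, then encodes. Malformed percent-encoding
// makes decodeURIComponent throw, which is treated as invalid input.
function greetingFromHash(hash) {
  let name;
  try {
    name = decodeURIComponent(hash.replace(/^#/, ''));
  } catch (e) {
    return 'Hello guest';
  }
  if (!isValidUsername(name)) return 'Hello guest';
  // Encoding is redundant after the allow-list but costs nothing and keeps
  // the sink safe if the allow-list is relaxed later.
  return 'Hello ' + escapeHtml(name);
}

// Stand-alone demo with a constructed payload and stub elements.
function demo() {
  const payload = '<img src=x onerror="alert(1)">';
  const unsafeEl = { innerHTML: '', textContent: '' };
  const safeEl = { innerHTML: '', textContent: '' };
  return {
    validated: isValidUsername(payload),            // false
    unsafe: renderCommentUnsafe(unsafeEl, payload), // markup survives intact
    safe: renderCommentSafe(safeEl, payload),       // literal text
    encoded: renderCommentEncoded({ innerHTML: '' }, payload),
    greeting: greetingFromHash('#%3Cimg%20src%3Dx%3E'), // 'Hello guest'
  };
}

console.log(demo());
```

Run it with `node` to see the same payload survive the innerHTML sink, appear as plain text through textContent, and come out entity-encoded through escapeHtml. In a real page, replace the stub objects with `document.getElementById(...)` and pass `location.hash` to `greetingFromHash`.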

More detailed steps can be found here.

