XSS vulnerabilities and protection

Dynamic websites actively work with data received from users; in fact, almost all the information on such a site was added by the users themselves. A good example is a forum: 99.9% of any forum consists of information published there by its users.
But whenever users are given a capability, you must be prepared for that capability to be used for other purposes. A form for publishing content can be used not to send harmless text, but to infect your site with malicious code.

Filtering data

Any information received from the user must be filtered before it is displayed in the template! Filtering means applying a set of rules to this information that clean it up and prepare it for publication on the site. We filter information to prevent an XSS vulnerability from appearing on our website.

XSS vulnerability

XSS is a type of vulnerability inherent in web applications.
The attack consists in injecting malicious JS code into the page served to visitors. This becomes possible because of insufficient filtering of the data received from the user.

Attack principle

  1. The site has a form for posting a message.
  2. Through this form, the hacker sends JS code instead of plain text.
  3. The message is published on a page that is available to all visitors.
  4. The malicious code is executed for every visitor to this page.
  5. The malicious script harms the site users. For example, it steals their cookies.

Replacing dangerous symbols

The problem is clear. We need to secure the page by filtering the information that comes from the form. But how do we filter so that we do not lose the text, yet deprive the hacker of the opportunity to harm us?
This is where HTML mnemonics come in handy.
A mnemonic is a code representation of a character in HTML that begins with an ampersand "&" and ends with a semicolon ";".
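As an added example (not code from the original article), here is a Python filter that replaces the dangerous characters with their mnemonics, shown beside the unfiltered rendering it replaces. The template markup, the function names and the sample message are constructed for illustration.

```python
import html

# Mnemonics (HTML entities) for the characters that let user text break
# out of a text node or an attribute value. The ampersand comes first:
# otherwise the '&' introduced by the other replacements would be
# encoded a second time.
ENTITIES = {
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    '"': "&quot;",
    "'": "&#x27;",
}


def escape_html(text: str) -> str:
    """Replace each dangerous character with its mnemonic (dict order matters)."""
    for char, entity in ENTITIES.items():
        text = text.replace(char, entity)
    return text


def matches_stdlib(text: str) -> bool:
    """Cross-check: our filter produces the same output as html.escape()."""
    return escape_html(text) == html.escape(text, quote=True)


def render_message_unsafe(message: str) -> str:
    """Vulnerable version: the user's text is placed in the template untouched."""
    return f'<div class="post">{message}</div>'


def render_message(message: str) -> str:
    """Filtered version: the text is escaped at output time, right before the template."""
    return f'<div class="post">{escape_html(message)}</div>'


# Constructed sample: a message that contains a script tag instead of plain text.
SAMPLE = "<script>alert('xss')</script>"

if __name__ == "__main__":
    # The unsafe render ships a live <script> tag; the filtered one ships
    # visible text that the browser never interprets as markup.
    print(render_message_unsafe(SAMPLE))
    print(render_message(SAMPLE))
    # Escaping is not idempotent: escape exactly once, when rendering,
    # or already-filtered text is shown as "&amp;lt;" to the reader.
    print(escape_html("&lt;"))
```

Escape at the moment the text is written into the template, not when it is stored: storing escaped text and escaping again on output doubles the entities and corrupts the displayed message.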