Lecture – 15

Web Security (XSS)

Information Security (CSNC3413)
Course Instructor: Annas W. Malik
Web Security
• Web security refers to the set of practices, measures, and
technologies designed to protect websites, web applications, web
services, and web users from various online threats, vulnerabilities,
and unauthorized access. It encompasses a range of strategies aimed
at ensuring the confidentiality, integrity, and availability of web-based
systems and the data they handle.
Aspects of Web Security
• Protection from Malicious Attacks
• Data Confidentiality
• Data Integrity
• Authentication and Authorization
• Secure Development Practices
• Security Compliance and Standards
• Incident Response and Recovery
• Continuous Monitoring and Improvement
XSS (Cross-Site Scripting)
• Cross-Site Scripting (XSS) is a type of security vulnerability commonly
found in web applications. It occurs when attackers inject malicious
scripts (usually in the form of JavaScript) into web pages viewed by
other users. This injection can happen through input fields, URL
parameters, or other parts of a web application that accept and
display user input without proper validation or sanitization.
XSS (Cross-Site Scripting)
Types of XSS Attacks
• There are three main types of XSS attacks:
• Stored XSS: Malicious scripts are stored on the server and displayed to users
who access the affected page.
• Reflected XSS: Malicious scripts are injected into a URL and then reflected off
the web server to the victim's browser.
• DOM-based XSS: Malicious scripts manipulate the Document Object Model
(DOM) in a user's browser after the page has loaded.
Mitigating XSS Attacks
• Input Validation: Validate and sanitize all user inputs, ensuring that they
match expected formats and don't contain potentially harmful code.
• Output Encoding: Encode user-generated content before displaying it on
web pages. This involves converting special characters to their HTML
entities, preventing browsers from interpreting them as code.
• Content Security Policy (CSP): Implement CSP headers to define the sources
from which various types of content can be loaded, reducing the risk of XSS
by specifying approved sources for scripts, stylesheets, etc.
• HTTPOnly and Secure Cookies: Use the HttpOnly attribute to prevent client-
side scripts from accessing sensitive cookies and the Secure attribute to
ensure cookies are only sent over HTTPS connections.
Mitigating XSS Attacks
• Sanitization Libraries: Utilize security-focused libraries that
automatically sanitize inputs and prevent XSS vulnerabilities.
• Regular Security Audits: Conduct frequent security audits and
penetration testing to identify and address vulnerabilities in the
application.
Note: “Education and awareness among developers and users also play
a crucial role in preventing XSS attacks. Developers should be trained to
write secure code and avoid common pitfalls, while users should be
educated about the risks of interacting with untrusted websites.”