Lecture – 15
Web Security (XSS)
Information Security (CSNC3413)
Course Instructor: Annas W. Malik

Web Security
• Web security refers to the set of practices, measures, and technologies designed to protect websites, web applications, web services, and web users from online threats, vulnerabilities, and unauthorized access. It encompasses a range of strategies aimed at ensuring the confidentiality, integrity, and availability of web-based systems and the data they handle.

Aspects of Web Security
• Protection from Malicious Attacks
• Data Confidentiality
• Data Integrity
• Authentication and Authorization
• Secure Development Practices
• Security Compliance and Standards
• Incident Response and Recovery
• Continuous Monitoring and Improvement

XSS (Cross-Site Scripting)
• Cross-Site Scripting (XSS) is a type of security vulnerability commonly found in web applications. It occurs when attackers inject malicious scripts (usually JavaScript) into web pages viewed by other users. The injection can happen through input fields, URL parameters, or any other part of a web application that accepts and displays user input without proper validation or sanitization.

Types of XSS Attacks
• There are three main types of XSS attacks:
• Stored XSS: Malicious scripts are stored on the server and displayed to every user who accesses the affected page.
• Reflected XSS: Malicious scripts are injected into a URL and then reflected off the web server into the victim's browser.
• DOM-based XSS: Malicious scripts manipulate the Document Object Model (DOM) in the user's browser after the page has loaded.

Mitigating XSS Attacks
• Input Validation: Validate and sanitize all user inputs, ensuring that they match the expected formats and do not contain potentially harmful code.
• Output Encoding: Encode user-generated content before displaying it on web pages. This means converting special characters to their HTML entities so that browsers do not interpret them as code.
• Content Security Policy (CSP): Implement CSP headers to define the sources from which each type of content may be loaded, reducing the risk of XSS by specifying approved sources for scripts, stylesheets, etc.
• HttpOnly and Secure Cookies: Use the HttpOnly attribute to prevent client-side scripts from accessing sensitive cookies, and the Secure attribute to ensure cookies are only sent over HTTPS connections.
• Sanitization Libraries: Use security-focused libraries that automatically sanitize inputs and prevent XSS vulnerabilities.
• Regular Security Audits: Conduct frequent security audits and penetration testing to identify and address vulnerabilities in the application.

Note: "Education and awareness among developers and users also play a crucial role in preventing XSS attacks. Developers should be trained to write secure code and avoid common pitfalls, while users should be educated about the risks of interacting with untrusted websites."
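The output-encoding, CSP and cookie-attribute mitigations above, shown side by side as an added example (not part of the lecture slides). The comment-rendering functions, the `encodeHtml` helper and the sample comment are constructed for illustration.

```javascript
// Added example: output encoding, CSP header and cookie attributes against XSS.
// Characters with meaning inside HTML text or attribute contexts and their entities.
const HTML_ENTITIES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#x27;",
  "/": "&#x2F;",
};

// Output encoding: replace each special character so the browser treats the
// untrusted value as text rather than markup or script.
function encodeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"'\/]/g, (ch) => HTML_ENTITIES[ch]);
}

// Vulnerable pattern (the "before"): user-controlled text is concatenated
// straight into the page, so a stored comment containing a tag becomes code.
function renderCommentUnsafe(author, body) {
  return `<div class="comment"><b>${author}</b>: ${body}</div>`;
}

// Hardened pattern: the same template, but every untrusted value is encoded
// at the point where it is written into HTML.
function renderCommentSafe(author, body) {
  return `<div class="comment"><b>${encodeHtml(author)}</b>: ${encodeHtml(body)}</div>`;
}

// Response headers that limit the damage even if encoding is missed somewhere:
// CSP restricts where scripts may load from, and the cookie attributes keep the
// session cookie away from page scripts and off plaintext connections.
function securityHeaders(sessionId) {
  return {
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
    "Set-Cookie": `session=${encodeURIComponent(sessionId)}; HttpOnly; Secure; SameSite=Strict; Path=/`,
  };
}

// Constructed sample resembling a stored-XSS comment submitted by a user.
const sampleAuthor = "mallory";
const sampleBody = '<script>document.title="owned"</script>';

console.log("unsafe:", renderCommentUnsafe(sampleAuthor, sampleBody));
console.log("safe:  ", renderCommentSafe(sampleAuthor, sampleBody));
console.log(securityHeaders("abc123"));
```

The unsafe rendering still contains a live `<script>` tag; the safe rendering contains only `&lt;script&gt;`, which the browser displays as literal text.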