XSS Prevention Cheat Sheet for Penetration Testers



XSS is one of the deadliest attacks hackers carry out against web applications. XSS, also known as Cross-Site Scripting, is an attack where the attacker injects a malicious script into a trusted website so that it performs a malicious action. The injected script executes in the browser and affects the visiting user.
XSS is quite prevalent in websites where user input is not encoded or escaped.
Cross-Site Scripting (XSS) is of three types:
  1. Stored XSS
  2. Reflected XSS
  3. DOM-based XSS
For more information on XSS, please refer to this link.

XSS Prevention Cheat Sheet

XSS is best prevented while coding an application. Here are some prevention techniques for XSS:
  • Escape all user input and output.
  • Escape all special characters.
  • Internet Explorer has a cookie attribute, HttpOnly, that can be set on cookies to prevent cookie theft: it denies access to the cookie from any script. This is output validation rather than input validation.
  • Escape all untrusted data according to the context it is inserted into: HTML body, attribute, JavaScript, CSS or URL.
  • White-list input validation is an excellent strategy for preventing XSS. Here we define a list of inputs the user is allowed to supply; any input that does not match the white-list (which is simply a set of allowed regular expressions) is not accepted and is simply rejected.
  • Use of the OWASP Auto-Sanitization library is highly recommended.
  • To prevent XSS, also use AntiSamy or the Java HTML Sanitizer Project (both from OWASP).
  • Use a Content Security Policy (CSP), as OWASP recommends.
  • Output validation is a must: without proper escaping or validation, the browser will treat user-supplied data as active content.
  • Build a good XSS filter.
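The two techniques the list leans on most, white-list input validation and context-aware escaping, are shown together in the following Node.js script. It is an added example, not code from this page or from OWASP; the field rules in `RULES`, the `renderProfile` template and the sample input are assumptions made for the demo. It goes slightly beyond the bullets by composing all five encoders in one page so the reader can see why one "escape" function is not enough.

```javascript
// Added example: allow-list input validation plus context-aware output
// encoding. Field rules, template and sample input are assumptions for the demo.

const HTML_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };

// HTML body context: entity-encode the five characters that can start or end markup.
function encodeForHtml(s) {
  return String(s).replace(/[&<>"']/g, c => HTML_MAP[c]);
}

// HTML attribute context (always wrap the value in double quotes as well):
// hex-entity-encode every non-alphanumeric character below 256, so that even
// sloppy quoting in the surrounding markup gives the data nothing to break out with.
function encodeForHtmlAttribute(s) {
  return String(s).replace(/[^a-zA-Z0-9]/gu, c => {
    const code = c.codePointAt(0);
    return code < 256 ? `&#x${code.toString(16).toUpperCase()};` : c;
  });
}

// JavaScript string-literal context: \xHH / \u{H..} escapes, never HTML entities,
// so neither a quote nor "</script>" can terminate the literal or the element.
function encodeForJavaScript(s) {
  return String(s).replace(/[^a-zA-Z0-9 ,._]/gu, c => {
    const code = c.codePointAt(0);
    return code < 256 ? `\\x${code.toString(16).toUpperCase().padStart(2, '0')}`
                      : `\\u{${code.toString(16).toUpperCase()}}`;
  });
}

// CSS value context: backslash-hex escape with a terminating space.
function encodeForCss(s) {
  return String(s).replace(/[^a-zA-Z0-9]/gu,
    c => `\\${c.codePointAt(0).toString(16).toUpperCase()} `);
}

// URL query-parameter context: percent-encoding of the parameter value only.
function encodeForUrlParam(s) {
  return encodeURIComponent(String(s));
}

// White-list validation: each field has one regular expression describing the
// only input it accepts; anything else is rejected, never "cleaned up".
const RULES = {
  username: /^[a-z0-9_]{3,20}$/i,
  color: /^#[0-9a-f]{6}$/i,
  page: /^[1-9][0-9]{0,3}$/,
};

function validate(field, value) {
  const re = RULES[field];
  if (re === undefined || typeof value !== 'string' || !re.test(value)) {
    throw new Error(`rejected input for field "${field}"`);
  }
  return value;
}

// Renders one (assumed) profile page: structured fields are white-listed, the
// free-text bio cannot be, so it is encoded for each context it lands in.
function renderProfile(input) {
  const name = validate('username', input.username);
  const color = validate('color', input.color);   // safe by construction of the white-list
  const bio = String(input.bio ?? '');
  return [
    `<h1 style="color:${color}">${encodeForHtml(name)}</h1>`,
    `<p title="${encodeForHtmlAttribute(bio)}">${encodeForHtml(bio)}</p>`,
    // the parameter is percent-encoded first, then the whole href is HTML-encoded
    `<a href="${encodeForHtml('/search?q=' + encodeForUrlParam(bio))}">search</a>`,
    `<script>var bio = '${encodeForJavaScript(bio)}';</script>`,
  ].join('\n');
}

// Constructed sample input for a stand-alone run.
console.log(renderProfile({ username: 'alice_1', color: '#336699',
                            bio: '<b>hi</b> "friends" & co' }));
```

Note the layering in the `href` line: the value is encoded for the URL context first (innermost) and then for the attribute it sits in (outermost), which is the general rule whenever one piece of data crosses two contexts.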

Building A Good XSS Filter

Keep in mind that no perfect XSS filter can be made. An XSS filter is just an added layer of protection; it will help protect our application from crude attacks and script kiddies.
Basic Rules for an XSS Filter
  • Encode every piece of data supplied by the user.
  • If the data does not come directly from the user but arrives via a GET request, encode this data too.
  • The following data must be properly sanitized:
    1. URL
    2. HTTP Referer header: the header field that identifies the address of the web page associated with the requested resource.
    3. GET parameters from a form.
    4. POST parameters from a form.
    5. window.location: JavaScript object that can be used to get the address of the current web page and also to redirect to another web page.
    6. document.referrer: returns the URL of the document that loaded the current document.
    7. document.location: contains information about the current URL.
    8. document.URL
    9. document.URLUnencoded
    10. Cookie data
    11. All header data
    12. Database data
  • Encode all <, >, " and ' (and &), for example:
    & -> &amp;
    < -> &lt;
    > -> &gt;
  • Use open-source libraries to prevent XSS:
    1. PHP AntiXSS: automatically detects the encoding of data that must be filtered.
    2. xss_clean filter: cleans UTF encodings and nested exploits (available on GitHub).
    3. HTML Purifier: an HTML filtering library written in PHP. It removes any malicious code from the input and is also available as a plugin for most PHP frameworks.
    4. XSS Protect: this library works by building an HTML tag tree of the web page. It parses the whole HTML page and matches all the tags; after that it runs them through its filter interface, which removes any improper HTML attributes.
    5. XSS HTML Filter: an XSS filter for Java.
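The tag-tree approach that HTML Purifier and XSS Protect take (keep known-good tags and attributes, drop everything else, encode all remaining text) is illustrated by the following toy sanitizer in JavaScript. It is an added example, not code from this page or from any of the libraries listed; the allowed tag list, the URL rule and the sample input are assumptions for the demo. In line with the note above that no filter is perfect, it is meant to show the mechanics, with a maintained library doing the job in a real application.

```javascript
// Added example: a toy white-list HTML sanitizer. Tag/attribute lists and the
// URL rule are assumptions for the demo; use a maintained library in production.

const ALLOWED = {                         // tag -> attribute names it may keep
  b: [], i: [], p: [], br: [], ul: [], li: [], a: ['href', 'title'],
};
const VOID_TAGS = new Set(['br']);
const URL_ATTRS = new Set(['href']);
const SAFE_URL = /^(?:https?:\/\/|\/(?!\/)|#)/i;   // absolute http(s), site-relative, or fragment

const TAG_RE = /<(\/?)([a-z][a-z0-9]*)([^>]*)>/gi;
const ATTR_RE = /([^\s=\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
const NAMED = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'" };

function escapeText(s) {
  return s.replace(/[&<>"']/g, c => ESCAPES[c]);
}

// Decode entities once before checking a URL, so "&#106;avascript:" is seen as "javascript:".
function decodeEntities(s) {
  const cp = n => (n <= 0x10ffff ? String.fromCodePoint(n) : '');
  return s
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => cp(parseInt(h, 16)))
    .replace(/&#([0-9]+);?/g, (_, d) => cp(parseInt(d, 10)))
    .replace(/&(amp|lt|gt|quot|apos);/gi, (_, n) => NAMED[n.toLowerCase()]);
}

function isSafeUrl(value) {
  // strip control characters and whitespace that browsers ignore ("java\tscript:")
  return SAFE_URL.test(value.replace(/[\u0000-\u0020]/g, ''));
}

function sanitizeHtml(input) {
  let out = '';
  let last = 0;
  const open = [];                        // stack of currently open allowed tags
  for (const m of input.matchAll(TAG_RE)) {
    out += escapeText(input.slice(last, m.index));
    last = m.index + m[0].length;
    const closing = m[1] === '/';
    const tag = m[2].toLowerCase();
    // hasOwnProperty, not "in": "<constructor>" must not match Object.prototype
    if (!Object.prototype.hasOwnProperty.call(ALLOWED, tag)) continue;   // unknown tag dropped, its text kept
    if (closing) {
      const i = open.lastIndexOf(tag);
      if (i === -1) continue;             // stray closing tag
      while (open.length > i) out += `</${open.pop()}>`;   // also closes tags nested inside
      continue;
    }
    const attrs = [];
    for (const a of m[3].matchAll(ATTR_RE)) {
      const name = a[1].toLowerCase();
      if (!ALLOWED[tag].includes(name)) continue;           // drops onclick, style, ...
      const value = decodeEntities(a[2] ?? a[3] ?? a[4] ?? '');
      if (URL_ATTRS.has(name) && !isSafeUrl(value)) continue;
      attrs.push(` ${name}="${escapeText(value)}"`);
    }
    out += `<${tag}${attrs.join('')}>`;
    if (!VOID_TAGS.has(tag)) open.push(tag);
  }
  out += escapeText(input.slice(last));
  while (open.length) out += `</${open.pop()}>`;   // balance whatever the input left open
  return out;
}

// Constructed sample input for a stand-alone run.
console.log(sanitizeHtml('<p>Hello <b>world</b> <a href="javascript:alert(1)" onclick="x()">link</a>'
                         + '<script>alert(1)</script></p>'));
```

Two details are where real sanitizers earn their keep: attribute values are entity-decoded before the URL scheme is checked, and tag names are looked up with `hasOwnProperty` rather than `in`, so that names which happen to exist on `Object.prototype` are not treated as allowed.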