- security • What is XSS and how can I prevent it?

What is an XSS attack?

Cross-site scripting (XSS) occurs when an attacker is able to inject malicious scripts into web pages viewed by other users. These scripts are then executed in the context of the victim's browser, with the victim's session and origin privileges, allowing the attacker to perform actions as that user, steal sensitive information such as session tokens, or deface the site.

Types of XSS attacks

1. Stored XSS

The attacker injects a malicious script into the application's database, for example through a comment form. The script is later retrieved and rendered, without encoding, to every user who visits the page. (`saveCommentToDatabase` below stands in for the application's own persistence call.)

```javascript
// inject the script through the comment form
const comment = "<script>alert('XSS attack!');</script>";
saveCommentToDatabase(comment);
```

Result: the comment section is rendered as

```html
<!-- comment section -->
<div>
  <script>
    alert('XSS attack!');
  </script>
</div>
```

2. Reflected XSS

The malicious script arrives in the request and is reflected by the web server into the response, such as in an error message or a search result. The attacker typically tricks the user into clicking a specially crafted link that carries the script:

```
http://example.com/path?name=</div><script>alert('XSS')</script><div>
```

When the user clicks the link, the server builds HTML around the `name` value and serves a page that contains the malicious script.

3. DOM-based XSS

Unlike the previous two cases, the server's response is clean. The script executes because client-side JavaScript modifies the DOM 'environment' in the browser using attacker-controlled data, typically read from `location.hash`, `location.search` or `document.referrer` and written through a sink such as `innerHTML` or `document.write`. The difference from reflected XSS is that in reflected XSS the server creates and returns the content that includes the malicious script, whereas in DOM-based XSS the payload need never reach the server: the fragment after `#` is not even sent in the HTTP request.

```
http://example.com/path#<script>alert('XSS')</script>
```

Caveat: a `<script>` element inserted through `innerHTML` is not executed by current browsers, so DOM XSS payloads in practice use markup that fires on parse, such as an event-handler attribute. The defence is the same either way: never write untrusted data into an HTML sink.

How can I prevent XSS?

1. Sanitization: where the application must accept HTML (rich-text fields), sanitize it on the server side with an allowlist-based library or framework such as 'sanitize-html' before storing or displaying it. Input validation alone is not enough, because characters like `<` are legitimate in many fields.

2. Encoding: encode all user-controlled data for the context in which it is rendered (HTML body, attribute value, JavaScript string, URL) before it reaches the browser, so that it is displayed as text rather than interpreted as markup or script. This is the primary defence.

3. Content Security Policy (CSP): use CSP to restrict the sources from which scripts can be loaded and to forbid inline scripts that lack a nonce or hash, so that unauthorized scripts are refused even if they are injected into the page. CSP is defence in depth, not a substitute for encoding.

4. Secure JavaScript development: be cautious when dynamically updating the DOM with untrusted data. Avoid `innerHTML` (use `textContent` or `innerText`), `document.write` and `eval` with user-generated content.