XSS and CSRF Attacks – How to Prevent Them
Two of the most common types of web-based attacks are XSS and CSRF.
As per NVD and CVE, in 2018, 2.69% of all new vulnerabilities were classified as CSRF. And more than 60% of web apps are suspected of XSS attacks, according to the Virginia Journal of Science, Volume 40, Issue 3, Fall 2019.
XSS and CSRF attacks can lead to financial loss, data breaches, and more security issues for your business.
This guide covers everything about XSS and CSRF, including how your business can prevent them.
Understanding XSS
Here’s everything you need to know about XSS:
What’s XSS
Also known as Cross-site scripting, XSS is a web security vulnerability caused by unvalidated or unencoded user inputs. This means the developer didn’t give attention to the user input filter and more importantly the output encoding.
Because most web application do some kind of dynamic processing with user inputted string, it is important that those strings are validated (to not contain malicious injection attacks) when the user enters them and most importantly outputed using the correct encoding so that the string gets rendered as a string literal instead of actual markup. Outputing values without the correct encoding allows the attacker to compromise user interactions with a vulnerable app, because this XSS is giving a way for the attacker to directly send input such as a <script> tag that will be processed by the end user.
Note: A user’s web browser follows the same-origin policy to ensure that websites that don’t have the same domain name and protocol can’t interact with and access each other’s data.
The biggest threat of XSS is that the attacker can use a script tag to steal cookies, and if the application does not properly set the HTTPOnly flag on the cookie that they use to manage sessions or authentication, then that cookie can be stolen and used by the attacker to take control of an account.
How XSS Works
Here’s the rundown of a typical XSS attack:
1. An attacker finds a website that accepts user inputs and does not properly sanitize or output encode that user input.
2. The attacker finds a way to send a payload (malicious code, some encoded script that performs the actions that the attacker wants) to the targeted user via a phishing link.
3. The user is redirected to the vulnerable web page, and the web browser ouputs the payload, and because it was not properly encoded, that payload is now part of the markup and will execute the actions the attacker wants.
Common uses of XSS
A bad actor who exploits the XSS vulnerability in a website can perform the following:
- Impersonate the compromised user, by stealing cookies
- Inject trojan functions to the website
- Steal the user credentials
- Read and save the data that’s available to the user
- Deface the website
Understanding CSRF
Here’s everything you need to know about CSRF:
What’s CSRF
Cross-site request forgery or CSRF vulnerability allows a hacker to execute unwanted actions on behalf of a logged-in user. The bad actor takes advantage of the trust between the website and the user.
CSRF is also known as:
- XSRF
- Session Riding
- Hostile Linking
Like XSS, CSRF partly finds a way around the browser’s built-in protections. Then, the attacker will utilize the logged-in user session to carry out unwanted activities.
How CSRF Works
By default an HTTP form POST is accepted from any domain. That means an attacker could mimic or forge a form submission on their malicious site that actually gets sent to a vulnerable site that the user is already logged into. These requests could be a request to delete data, change a password, or send funds. If the attacker can figure out what all the fields and a parameters of this request is a head of time, then they can mimic that request on their own malicious site and try to trick users into interacting with that forged request. The big problem is that forged request will automatically include the authentication cookies so that the vulnerable site thinks the user is the one making the request and that they meant to make this forged action.
No unpredictable request parameters
The request must not include any parameters the attacker must guess or determine. For instance, on a password change request, the function should not contain the need to provide the existing password.
Common uses of CSRF
A CSRF vulnerability can allow the bad party to conduct the following:
- Request state-changing requests like password/username change
- Do everything on behalf of the user
- Make purchases, send money, etc.
- Fully blow the website if the user has admin privileges
How to Prevent XSS Attacks
The following measures will help your business prevent XSS Attacks:
Filter Input When it Arrives
Never trust any input from users. Treat them as unvalidated and risky.
Design a security filter that automatically detects and eliminates harmful keywords from user input. And only then execute it on your end.
Use Encoding on Output Data
Where the user-controllable data is outputted in HTTP responses, encode it so your website doesn’t treat it as active content.
Depending on where the user data is not actively used, you can apply a combination of HTML, CSS, JavaScript, and URL encoding.
Make Use of Appropriate Cookie Attributes
To avoid XSS and CRSF access to user cookies, set the proper SameSite, Secure, and HTTPOnly attributes.
Use CSP
The last way is to use CSP (Content Security Policy) – a web browser-side mechanism that lets your website whitelist the trusted sources in HTTP headers. With CSP, your website can limit access to the permitted content.
How to Prevent CSRF Attacks
Use the following techniques to prevent CSRF attacks:
Token-Based Prevention – CSRF Tokens
Also known as a synchronizer or anti-CSRF token, it’s a unique, secret, and unpredictable value. It’s embedded in a state-changing action by the server-side app for the client.
When performing a sensitive action, the client must provide the CSRF token. If it’s not similar to the one provided by the server, the verification is declined.
Double-Submit Cookies
This approach provides a value that stores as a cookie on the user’s device – apart from the one that serves as a session identifier.
When a request is submitted to the site by the legit user, the second cookie must have the same initial value. Then, the server verifies it and provides further access.
Same-Site Cookies
A Same-Site cookie only relies on sending the cookie if the request originates from the original website.
Same-Site is a browser security mechanism that identifies the origin of the original requests. Then, it only sends the cookies to the original site, preventing the attacker from taking advantage of the cross-site actions.
Referer-Based Validation
Lastly, some apps use the HTTP Referer header to verify whether the request originated from the app’s own system.
Mitigating XSS and CSRF Attacks with Vault Vision
At Vault Vision, we provide businesses with easy, fast, and secure user authentication solutions worldwide.
Our ultra-secure authentication products help your business mitigate XSS and CSRF attacks. We provide protection by the following:
- CSRF tokens
- Strict CSP policy
- No dynamic server rendering
- No use of innerHTML in Javascript
- Strict adherance to proper output encoding
- cookies set with HTTPOnly, Secure flags
- Zero 3rd party scripts
Final Words
XSS and CSRF attacks are severe. And if you don’t take them seriously, they can attack and compromise the trust between you and your customers. Also leading to security breaches, financial loss, and more.
Trust Vault Vision to help cover your business with ultra-secure authentication solutions. Our products follow industry-standard XSS and CSRF techniques to provide top-notch prevention.
Book a free trial today at Vault Vision or go Professional for just $25 per month. And if you are interested in the Enterprise plan, contact us today!
https://portswigger.net/web-security/csrf
https://www.geeksforgeeks.org/how-to-reduce-risk-of-exposure-to-csrf-xsrf-or-xss-attacks/
https://portswigger.net/web-security/cross-site-scripting
https://www.networkworld.com/article/3190444/how-to-protect-against-cross-site-request-forgery-attacks.html https://portswigger.net/web-security/csrf/xss-vs-csrf
