Skip to content

Latest commit

 

History

History
50 lines (32 loc) · 2.85 KB

module-9.1-cross-site-scripting-and-cross-site-request-forgery.md

File metadata and controls

50 lines (32 loc) · 2.85 KB
Raw

9.1. Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF)

Cross-Site Scripting (XSS):

Cross-Site Scripting (XSS) is a security vulnerability that allows attackers to inject malicious scripts into web pages viewed by other users. XSS occurs when a web application includes unvalidated and unescaped user input within its output. This can lead to the execution of arbitrary JavaScript code in the context of a user's browser.

Example of Reflected XSS:

Let's consider a simple search application. The application takes user input to search for products and displays the results on the page. An attacker inputs malicious JavaScript code as a search query. When a user searches for a product, the malicious code gets executed in their browser.

Search: <input type="text" name="search" value="<script>alert('XSS Attack')</script>">
<button type="submit">Search</button>

If the application doesn't properly sanitize and validate user input, the script within the value attribute can execute, showing an alert with "XSS Attack."

Cross-Site Request Forgery (CSRF):

Cross-Site Request Forgery (CSRF) is an attack that tricks the user into executing malicious actions on a website where the user is authenticated. It occurs when an attacker forges a request to a different site on which the user is authenticated. If the user is tricked into making a request to the target site, the attacker's malicious action gets executed.

Example of CSRF:

Imagine a banking website where users can change their email addresses. The website allows the user to change their email when they visit the following URL:

https://example-bank.com/account/change-email?newEmail=attacker@example.com

An attacker sends an email to the user with a hidden image:

<img src="https://example-bank.com/account/change-email?newEmail=attacker@example.com" alt="Click me">

If the user opens the email and views the image, the request to change their email is made without their knowledge. This could lead to unauthorized changes in their account settings.

Mitigation and Best Practices:

  1. XSS Prevention:

    • Validate and sanitize user inputs.
    • Use Content Security Policy (CSP) headers to control which scripts are allowed to execute.
    • Escape output by encoding special characters to prevent script injection.

  2. CSRF Prevention:

    • Implement anti-CSRF tokens to ensure that requests originate from your site.
    • Use the SameSite attribute for cookies to prevent cross-origin requests.
    • Ensure that state-changing requests (e.g., updating user information) require authentication or confirmation.

Understanding and implementing security measures against XSS and CSRF attacks is crucial to protect your web applications and users' data. These vulnerabilities can have severe consequences, making them a top priority for web developers.