Mitigation

In this video, Paulo Silva will explain how to mitigate threats associated with XSS vulnerabilities, and assess the system protocols.
6.1
Welcome to the third and last part of the Cross-Site Scripting session. In this part, we will discuss cross-site scripting mitigation. We will start by discussing what makes an application vulnerable, and then we will hunt for OWASP Juice Shop's vulnerable source code. Before closing this session, we will discuss how to avoid such vulnerabilities. Applications tend to accept data from external sources, either user input or integrated third-party services. If such data is included in HTML responses without proper validation and escaping, then the application might be vulnerable. If you're using JavaScript frameworks, or you have a single-page application which uses unsafe JavaScript APIs to append attacker-controllable data to the DOM, then your application should also be vulnerable.
51.5
Let's have a look at the source code. From the project page, we will jump directly to the GitHub repo.
66.5
Since we are dealing with client XSS, we should look inside the front-end source code folder.
84.7
We are interested in something search related.
100.1
This script has all the search logic.
122
This is the search component class, which has several properties.
128.7
This property should hold search keywords. Let’s see where it is used.
147.3
The query parameter is passed to the bypassSecurityTrustHtml method implemented by the sanitizer.
164.6
It is provided by the DOM sanitizer.
177.4
The DOM sanitizer is part of the Angular framework. Let's check the documentation.
205.6
We should be at the right place. Let’s find the method we’re looking for.
242.1
Now we know why the script didn't trigger the modal.
247.2
The image did, because it is considered safe HTML by this method.
255.6
Of course, this method is used intentionally to make the application vulnerable, but mistakes like this one are more common than you may think. Let's see how to mitigate XSS. Choose well-tested and actively maintained frameworks that automatically prevent XSS by default. Audit such frameworks to know the available options and their limitations. Always escape data based on the context of the HTML output in which it will be included. Depending on where the data will be displayed, different escaping techniques may be required. Enforce, server side, that security directives are sent to clients as part of responses. Consider adding appropriate security parameters. Enabling and enforcing a restrictive Content Security Policy will help mitigate XSS as long as there is no other exploitable vulnerability to add malicious code.
311.1
In our next session, we will discuss insecure deserialization. Until then, take your time to carefully read the Cross-Site Scripting section of OWASP Top 10.
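The reflected-search scenario from the transcript, shown as an added example that is not code from the course or from OWASP Juice Shop: the same search keyword rendered with the trust-everything pattern described above and with context-aware HTML escaping, plus the kind of restrictive Content-Security-Policy header value the transcript recommends. The sample query, the helper names and the nonce value are constructed for illustration.

```javascript
// Added example (not from the course or Juice Shop): the reflected-search
// scenario from the transcript, rendered two ways.

// Minimal escaper for the HTML text/attribute context. Each character that
// can start or end markup or an attribute is replaced with its entity.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// The Juice Shop pattern the transcript walks through: the search keyword is
// marked as trusted HTML, so whatever the user typed becomes live markup.
function renderUnsafe(query) {
  return `<span id="searchValue">${query}</span>`;
}

// Hardened version: the keyword is escaped for the HTML context before it is
// concatenated into the response, so it can only ever render as text.
function renderSafe(query) {
  return `<span id="searchValue">${escapeHtml(query)}</span>`;
}

// Illustrative check only (not a sanitizer): does the rendered fragment
// contain any tag other than the span we intended to emit?
function containsInjectedTag(html) {
  const tags = html.match(/<\/?[a-zA-Z][^>]*>/g) || [];
  return tags.some((t) => !/^<\/?span\b/.test(t));
}

// Constructed sample: a search term carrying an image tag with an event
// handler, the kind of input the transcript says the sanitizer let through.
const SAMPLE_QUERY = '<img src="x" onerror="alert(1)">';

// A restrictive Content-Security-Policy header value of the sort the
// transcript recommends enforcing server side. The nonce is a placeholder;
// a real server generates a fresh random one per response.
function buildCsp(nonce) {
  return [
    "default-src 'self'",
    `script-src 'self' 'nonce-${nonce}'`,
    "object-src 'none'",
    "base-uri 'self'",
  ].join('; ');
}
```

Run the two render functions on SAMPLE_QUERY and compare: the unsafe output contains an injected img tag, the safe output contains only entity-encoded text inside the span.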

In this video, you will learn how to mitigate threats associated with XSS vulnerabilities.

You have learned how to hack into the OWASP Juice Shop by targeting XSS vulnerabilities, and now you need to know how to protect your system from similar attacks. In this video, you will follow a demonstration so you can learn how to assess the system protocols for vulnerabilities and how to alter these parameters to increase your security.

Investigate and share: Go to the OWASP Types of XSS page and report back on what stands out to you now that you've completed this section.

This article is from the free online course Advanced Cyber Security Training: OWASP Top 10 and Web Application Fundamentals.

Created by FutureLearn - Learning For Life