Skip main navigation

New offer! Get 30% off your first 2 months of Unlimited Monthly. Start your subscription for just £35.99 £24.99. New subscribers only T&Cs apply

Find out more


In this video, Paulo Silva will explain how to mitigate threats associated with XSS vulnerabilities, and assess the system protocols.
Welcome to the third and last part of Cross-Site Scripting session. In this part, we will discuss cross-site scripting mitigation. We will start discussing what makes an application vulnerable, and then we will hunt OWASP Juice Shop vulnerable source code. Before closing this session, we will discuss how to avoid such vulnerabilities. Applications tend to accept data from external sources, either user input or integrated third party services. If such data is included in HTML responses without proper validation and escaping, then the application might be vulnerable. If you’re using JavaScript frameworks, or you have a single page application which uses unsafe JavaScript APIs to append attackers controllable data to the DOM, then your application should also be vulnerable.
Let’s have a look at the source code. From project page, we will jump directly to the GitHub repo.
Since we are dealing with client XSS, then we should look inside the front end source code folder.
We are interested in something search related.
This script has all the search logic.
This is the search component class, which has several properties.
This property should hold search keywords. Let’s see where it is used.
Query parameter is passed to the bypassSecurityTrustHtml method implemented by the sanitizer.
It is provided by the DOM sanitizer.
DOM sanitizer is part of the Angular framework. Let’s check the documentation.
We should be at the right place. Let’s find the method we’re looking for.
Now, we know why the script didn’t trigger the model.
The image did, because it is considered safe HTML by this method.
Of course, this method is used intentionally to make the application vulnerable, but mistakes like this one are more common than you may think. Let’s see how to mitigate XSS. Choose well tested and actively maintained frameworks that automatically prevent XSS by default. Audit such frameworks to know available options and their limitations. Always escape data based on the context in the HTML output it will be included. Depending where the data will be displayed, different escaping techniques may be required. Enforce server side that security directives are sent to clients as part of responses. Consider adding appropriate security parameters. Enabling and enforcing a restrictive content security policy will help mitigating XSS as long as there is no other exploitable vulnerability to add malicious code.
In our next session, we will discuss insecure deserialization. Until then, take your time to carefully read the Cross-Site Scripting section of OWASP Top 10.

In this video, you will learn how to mitigate threats associated with XSS vulnerabilities.

You have learned how to hack into the OWASP Juice Shop by targeting XSS vulnerabilities, and now you need to know how to protect your system from similar attacks. In this video, you will follow a demonstration so you can learn how to assess the system protocols for vulnerabilities and how to alter these parameters to increase your security.

Investigate and share: Go to the OWASP Types of XSS pate and report back on what stands out to you know that you’ve completed this section.

This article is from the free online

Advanced Cyber Security Training: OWASP Top 10 and Web Application Fundamentals

Created by
FutureLearn - Learning For Life

Reach your personal and professional goals

Unlock access to hundreds of expert online courses and degrees from top universities and educators to gain accredited qualifications and professional CV-building certificates.

Join over 18 million learners to launch, switch or build upon your career, all at your own pace, across a wide range of topic areas.

Start Learning now