Mitigation

Welcome to the third and last part of Cross-Site Scripting session. In this part, we will discuss cross-site scripting mitigation. We will start discussing what makes an application vulnerable, and then we will hunt OWASP Juice Shop vulnerable source code. Before closing this session, we will discuss how to avoid such vulnerabilities. Applications tend to accept data from external sources, either user input or integrated third party services. If such data is included in HTML responses without proper validation and escaping, then the application might be vulnerable. If you’re using JavaScript frameworks, or you have a single page application which uses unsafe JavaScript APIs to append attackers controllable data to the DOM, then your application should also be vulnerable.

Let’s have a look at the source code. From project page, we will jump directly to the GitHub repo.

Since we are dealing with client XSS, then we should look inside the front end source code folder.

We are interested in something search related.

This script has all the search logic.

This is the search component class, which has several properties.

This property should hold search keywords. Let’s see where it is used.

Query parameter is passed to the bypassSecurityTrustHtml method implemented by the sanitizer.

It is provided by the DOM sanitizer.

DOM sanitizer is part of the Angular framework. Let’s check the documentation.

We should be at the right place. Let’s find the method we’re looking for.

Now, we know why the script didn’t trigger the model.

The image did, because it is considered safe HTML by this method.

Of course, this method is used intentionally to make the application vulnerable, but mistakes like this one are more common than you may think. Let’s see how to mitigate XSS. Choose well tested and actively maintained frameworks that automatically prevent XSS by default. Audit such frameworks to know available options and their limitations. Always escape data based on the context in the HTML output it will be included. Depending where the data will be displayed, different escaping techniques may be required. Enforce server side that security directives are sent to clients as part of responses. Consider adding appropriate security parameters. Enabling and enforcing a restrictive content security policy will help mitigating XSS as long as there is no other exploitable vulnerability to add malicious code.

In our next session, we will discuss insecure deserialization. Until then, take your time to carefully read the Cross-Site Scripting section of OWASP Top 10.