What is the difference between cross-site scripting (XSS) and cross-site scripting inclusion (XSSI)? Are the defense...
methods any different?
There are various measures developers need to implement to defend against XSSI attacks. One is to pass a unique, unpredictable authorization token to the user and require that it gets sent back as an additional HTTP parameter before the server responds to any requests. Scripts should only respond to POST requests. This stops an authentication token being exposed as a URL parameter in a GET request, and it also prevents a script from being loaded via a script tag. Browsers may reissue GET requests, which can result in an action getting executed more than once, whereas reissued POST requests require the user's consent.
When handling JSON responses, prefix the response with some non-executable prefix such as "\n" to make sure the script is not executable. A script running in the same domain can read the contents of the response and strip out the prefix, but scripts running in other domains can't. Also avoid using JSONP (JSON with padding) to load confidential data from a different domain as this opens the door to phishing sites collecting data. Sending the response header "X-Content-Type-Options: nosniff" will also help protect Internet Explorer and Google Chrome users from XSSI attacks.
To combat XSS attacks in general, specify the CHARSET in the HTTP Content-Type response header or in the http-equiv attribute in the meta tag in the HTML code so browsers won't interpret special character encodings from other character sets. For those developing sites in ASP.NET, the Microsoft Anti-Cross Site Scripting Library can help protect Web applications from cross-site scripting bugs.
There are plenty of open source vulnerability scanning tools that developers can use to test if their code is not open to XSS attacks such as Vega, Wapiti, OWASP's Zed Attack Proxy and Skipfish. Sites should be scanned on a regular basis and certainly whenever changes to the underlying code are implemented or functionality that relies on third-party libraries is integrated into various pages.
Ask the Expert:
Want to ask Michael Cobb a question about application security? Submit your question now. (All questions are anonymous.)
Uncover the difference between cross-site tracing and cross-site scripting
Dig Deeper on Application attacks (buffer overflows, cross-site scripting)
Related Q&A from Michael Cobb
Researchers developed a tool to help prevent improper certificate pinning that causes security issues. Expert Michael Cobb reviews the issue and the ...continue reading
Google Project Zero discovered a WPAD attack that could target systems running Windows 10. Expert Michael Cobb explains how the attack works and how ...continue reading
App trackers were found in hundreds of Google Play apps. Expert Michael Cobb explains the threat they pose and how GDPR has the potential to reduce ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.