What is the difference between cross-site scripting (XSS) and cross-site scripting inclusion (XSSI)? Are the defense methods any different?
There are various measures developers need to implement to defend against XSSI attacks. One is to pass a unique, unpredictable authorization token to the user and require that it is sent back as an additional HTTP parameter before the server responds to any request. Scripts should only respond to POST requests. This stops an authentication token from being exposed as a URL parameter in a GET request, and it also prevents a script from being loaded via a script tag. Browsers may reissue GET requests, which can result in an action being executed more than once, whereas reissued POST requests require the user's consent.
When handling JSON responses, prefix the response with a non-executable prefix such as "\n" to make sure the script is not executable. A script running in the same domain can read the contents of the response and strip out the prefix, but scripts running in other domains can't. Also avoid using JSONP (JSON with padding) to load confidential data from a different domain, as this opens the door to phishing sites collecting data. Sending the response header "X-Content-Type-Options: nosniff" will also help protect Internet Explorer and Google Chrome users from XSSI attacks.
To combat XSS attacks in general, specify the charset in the HTTP Content-Type response header or in the http-equiv attribute of the meta tag in the HTML code, so browsers won't interpret special character encodings from other character sets. For those developing sites in ASP.NET, the Microsoft Anti-Cross Site Scripting Library can help protect Web applications from cross-site scripting bugs.
There are plenty of open source vulnerability scanning tools that developers can use to test whether their code is open to XSS attacks, such as Vega, Wapiti, OWASP's Zed Attack Proxy and Skipfish. Sites should be scanned on a regular basis, and certainly whenever changes to the underlying code are implemented or functionality that relies on third-party libraries is integrated into pages.
Ask the Expert:
Want to ask Michael Cobb a question about application security? Submit your question now. (All questions are anonymous.)