How online business owners can protect themselves against XSS (cross-site scripting) attacks

(Image credit: Image source: Shutterstock/lolloj)

The most successful online businesses function as a digital community where the customers are active participants and have the ability to interact with one another. For example, if you are running an online store that sells books or movies, you as the owner will want to allow users to post reviews and comments so they can share their own opinions.

However, by giving end users the permission to add their own content, you may open your website to the danger of cross site scripting (XSS) attacks. These attacks can be launched through any text field or HTML element that will send a direct web request to your backend server.

When an XSS attack is executed, the attacker will trick your website into displaying illegitimate content and then persuade other users to click on a button or run a script that could make their personal data vulnerable. Such a breach can result in a devastating blow to a company's reputation.

There are several steps that an online business owner can take in order to protect their website and users from XSS attacks. Read on to learn the best strategies to employ.

Secure user cookies

One of the primary targets for XSS attacks is user cookies, which are the unique stored strings that allow websites to remember your identity and keep you logged in. But if an attacker is able to run JavaScript code on your website through XSS, then there is a chance user cookies could be hacked and obtained.

The smartest way to protect user cookies from XSS attacks is through the HTTPOnly parameter. By enabling this option, all new cookies generated on your website will be instructed to only respond to requests that originate from the host server. Therefore, attempts to access a cookie's value through XSS will be rejected as it is coming through an external source.

Setting your website's cookies to use HTTPOnly is very straightforward but differs depending on your coding environment. With PHP, you simply need to add the tag when creating a new cookie through a header call:

  • header( "Set-Cookie: name=example; httpOnly" )

Use HTML encoding and escaping

When you enter special text characters, like percentage symbols or ampersands, into the URL field at the top of a web browser, you may notice that the application will convert your text into a number-based coding. This is an example of the process of HTML encoding and escaping, which sets standards for how special characters are handled by browsers.

When it comes to building a website and running an online business, you want to encode and escape any text content that is coming from an outside user before it hits your backend servers. By adding this type of protection, your web application will scan the incoming text and convert it to safe HTML content.

In the PHP coding language, developers can use the htmlentities() function to automatically encode and escape strings of text. It's smart to add this function to all web requests that accept external content, as it will prevent the raw HTML from reaching your servers and initiating an XSS attack.

Add a sanitising tool

Depending on the needs of your business, you may want to provide outside users with the ability to post stylised text and images to your website. For example, giving customers the option to add bold text, custom fonts, and border designs may make them more interested in posting reviews or comments.

The largest downside in adding support for HTML entry on your website is the higher risk of XSS attacks. Because you are allowing fields to include HTML and CSS attributes, hackers will likely try to infiltrate your application with JavaScript code or HTML header modifications.

Before going live with your website, be sure to leverage a sanitation library that will automatically parse and clean any external HTML content sent through your website. PHP coders can use the HTML Purifier tool while other options include OWASP Java HTML Sanitizer and HtmlSanitizer.

Restrict text entry

If you do not need to allow stylised HTML content to be submitted through your website, then it's best to add another layer of XSS protection and block certain text characters. Outside users will still be able to enter free text within fields on your website, but once they try to submit the form, the application will reject it and block the attack attempt.

The two most critical text characters to restrict on your website are the greater than and less than symbols. These are used all the time in programming, as they represent the beginning and end of an HTML element. They are also utilised in JavaScript commands, which are where the majority of XSS attacks originate.

To strip out the greater than and less than symbols from outside submissions, you can use any simple text filtering function in your code to identify the characters and either remove them entirely or redirect the user to an error page.

Test every input

No matter how many code protections you've put in place to prevent XSS intrusions from infiltrating your website and compromising your users' data, there's no replacement for diligent testing. With widespread data breaches from a predictable array of likely attack vectors occurring courtesy of “trusted” organisational sources (like your government), checking for XSS vulnerabilities should be a key part of your quality assurance plan during the initial launch of your online business and through any subsequent code changes.

When thinking about XSS attacks, you must consider every input option that is available to outside users through your website. This can include username and password fields, search boxes, and question submission areas. As part of your testing, use a basic JavaScript function like alert() which will generate a pop-up window (simple but effective).

If your online business includes financial transactions or private data, invest in an outside security audit. This type of code review will specifically check for XSS attack risks and provide customised suggestions for how to prevent them.

Sam Bocetta, freelance journalist
Image source: Shutterstock/lolloj