The most successful online businesses function as a digital community where the customers are active participants and have the ability to interact with one another. For example, if you are running an online store that sells books or movies, you as the owner will want to allow users to post reviews and comments so they can share their own opinions.
However, by giving end users the permission to add their own content, you may open your website to the danger of cross-site scripting (XSS) attacks. These attacks can be launched through any text field or HTML element that will send a direct web request to your backend server.
When an XSS attack is executed, the attacker will trick your website into displaying illegitimate content and then persuade other users to click on a button or run a script that could make their personal data vulnerable. Such a breach can result in a devastating blow to a company's reputation.
There are several steps that an online business owner can take in order to protect their website and users from XSS attacks. Read on to learn the best strategies to employ.
Secure user cookies
The smartest way to protect user cookies from XSS attacks is through the HttpOnly attribute. By enabling this option, new cookies generated on your website are marked so that the browser only sends them in HTTP requests to the host server and does not expose them to scripts running in the page. Therefore, an attempt to read a cookie's value through XSS will be rejected, because it comes from client-side script rather than from a request to the server.
Setting your website's cookies to use HttpOnly is very straightforward but differs depending on your coding environment. With PHP, you simply need to add the flag when creating a new cookie through a header call:
- header("Set-Cookie: name=example; HttpOnly");
Use HTML encoding and escaping
When you enter special text characters, like percentage symbols or ampersands, into the URL field at the top of a web browser, you may notice that the application will convert your text into a number-based coding. This is an example of the process of HTML encoding and escaping, which sets standards for how special characters are handled by browsers.
When it comes to building a website and running an online business, you want to encode and escape any text content that is coming from an outside user before it hits your backend servers. By adding this type of protection, your web application will scan the incoming text and convert it to safe HTML content.
In the PHP coding language, developers can use the htmlentities() function to automatically encode and escape strings of text. It's smart to add this function to all web requests that accept external content, as it will prevent the raw HTML from reaching your servers and initiating an XSS attack.
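The following is an added example, not code from the original article, showing htmlentities() applied at the point where a customer review is written into the page, in both element content and an attribute value. The helper names e() and renderReview() and the sample reviews are assumptions constructed for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not from the article): encode untrusted text for HTML.
// ENT_QUOTES encodes both ' and ", which matters inside attribute values.
// ENT_SUBSTITUTE replaces invalid UTF-8 bytes instead of returning "".
function e(string $text): string
{
    return htmlentities($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hypothetical renderer for one customer review.
function renderReview(string $author, string $comment): string
{
    return sprintf(
        "<article class='review' title='Review by %s'>\n  <p>%s</p>\n</article>\n",
        e($author),   // attribute context: quotes must be encoded
        e($comment)   // element content: <, > and & must be encoded
    );
}

// Constructed sample submissions, as they might arrive from a review form.
$reviews = [
    ['author' => 'Alice', 'comment' => 'Great book, 5 stars & then some!'],
    ['author' => "Bob' onmouseover='alert(1)", 'comment' => '<script>alert(1)</script>'],
    ['author' => 'Carol', 'comment' => "Invalid UTF-8 byte pair: \xC3\x28 (end)"],
];

foreach ($reviews as $review) {
    echo renderReview($review['author'], $review['comment']);
}

// ENT_COMPAT (the default before PHP 8.1) encodes double quotes only.
// In the single-quoted title attribute above, the second author's value
// would then end the attribute early; ENT_QUOTES keeps it as plain text.
$compat = htmlentities($reviews[1]['author'], ENT_COMPAT, 'UTF-8');
$quotes = e($reviews[1]['author']);

echo "ENT_COMPAT: {$compat}\n";
echo "ENT_QUOTES: {$quotes}\n";
```

Running the script prints the three reviews as inert markup, followed by the two encodings of the same author value for comparison.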
Add a sanitising tool
Depending on the needs of your business, you may want to provide outside users with the ability to post stylised text and images to your website. For example, giving customers the option to add bold text, custom fonts, and border designs may make them more interested in posting reviews or comments.
Before going live with your website, be sure to leverage a sanitisation library that will automatically parse and clean any external HTML content sent through your website. PHP coders can use the HTML Purifier tool while other options include OWASP Java HTML Sanitizer and HtmlSanitizer.
Restrict text entry
If you do not need to allow stylised HTML content to be submitted through your website, then it's best to add another layer of XSS protection and block certain text characters. Outside users will still be able to enter free text within fields on your website, but once they try to submit the form, the application will reject it and block the attack attempt.
To strip out the greater than and less than symbols from outside submissions, you can use any simple text filtering function in your code to identify the characters and either remove them entirely or redirect the user to an error page.
Test every input
No matter how many code protections you've put in place to prevent XSS intrusions from infiltrating your website and compromising your users' data, there's no replacement for diligent testing. With widespread data breaches from a predictable array of likely attack vectors occurring courtesy of “trusted” organisational sources (like your government), checking for XSS vulnerabilities should be a key part of your quality assurance plan during the initial launch of your online business and through any subsequent code changes.
If your online business includes financial transactions or private data, invest in an outside security audit. This type of code review will specifically check for XSS attack risks and provide customised suggestions for how to prevent them.
Sam Bocetta, freelance journalist