In this article, the authors provide an overview of cross-site scripting (XSS) attacks and the defenses against them. After a brief introduction to XSS, which ranks at or near the top of widely used software security risk lists, the authors describe the three types of exploit--reflected (the payload is echoed back from the request), stored (the payload is persisted by the application and served to later visitors), and document object model (DOM)-based (client-side script writes untrusted data into the page)--and illustrate each with examples.
Subsequently, they discuss the various XSS defenses, classified as defensive coding practices, XSS testing, vulnerability detection, and runtime attack prevention. For each defense, the authors explain the underlying mechanism and then discuss and compare the concrete approaches and tools that security researchers have developed. After weighing the strengths and weaknesses of each method, they present several XSS defense tools available online, including libraries that assist developers with defensive coding, static analysis tools, both server-side and client-side runtime attack prevention programs, and a number of scanners.
While defensive coding practices that build input validation and sanitization into the code are considered the best way to address XSS vulnerabilities, they cannot always be enforced in deployed environments, and they are labor intensive and prone to human error. The other defense methods, which seek either to identify XSS flaws in Web applications and scripts or to prevent attacks at runtime, have weaknesses of their own: inherent limitations, incomplete implementations, complex frameworks or runtime overhead, and intensive labor requirements. The authors propose two ways to address these weaknesses: build more effective input validation and sanitization into the development phase, and improve the precision and effectiveness of vulnerability detection.
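The following is an added example, not code from the reviewed article, illustrating the reflected exploit type described above and the defensive coding practice the authors favor. It renders a search page as an HTML string the way a server-side handler would, once by concatenating the query straight into the markup and once with context-aware output encoding. The caveat a practitioner will want to keep in mind is that the encoding must match the context the data lands in: HTML entity escaping neutralizes a payload in element text, but it does nothing against a `javascript:` URL placed in an `href`, so that context gets a scheme allow-list instead. All function names and the attacker input are constructed for this example.

```javascript
// Added example (not from the reviewed article). Runs under Node without a DOM.

// Encode the five characters that can change meaning inside HTML text or a
// double-quoted attribute value. Encoding, not filtering, is the defense here.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// An href is a different context: HTML-escaping leaves "javascript:alert(1)"
// fully executable. Allow same-origin paths and absolute http(s) URLs only;
// anything else (javascript:, data:, protocol-relative //host) becomes "#".
function safeHref(url) {
  const s = String(url);
  if (s.startsWith("/") && !s.startsWith("//")) return escapeHtml(s); // same-origin path
  try {
    const p = new URL(s).protocol; // throws for relative/unparsable input
    if (p === "http:" || p === "https:") return escapeHtml(s);
  } catch (_) {
    // not an absolute URL; fall through to the safe default
  }
  return "#";
}

// Vulnerable (reflected XSS): request parameters are concatenated into markup.
function renderResultsVulnerable(query, nextUrl) {
  return `<p>Results for ${query}</p><a href="${nextUrl}">next</a>`;
}

// Hardened: every interpolation is encoded for the context it lands in.
function renderResultsSafe(query, nextUrl) {
  return `<p>Results for ${escapeHtml(query)}</p><a href="${safeHref(nextUrl)}">next</a>`;
}

// Constructed attacker input, as it would arrive in ?q=...&next=... of a
// reflected XSS attempt (sample data made up for this example).
const PAYLOAD = '<img src=x onerror="alert(document.cookie)">';
const EVIL_URL = "javascript:alert(document.cookie)";

// Crude check for the two executable constructs this payload relies on: a
// live <img> tag and a javascript: URL. It is a demonstration aid, not a
// general XSS detector.
function looksExecutable(html) {
  return /<img\b|javascript:/i.test(html);
}

// Render both versions with the same hostile input and report the outcome.
function demo() {
  const bad = renderResultsVulnerable(PAYLOAD, EVIL_URL);
  const good = renderResultsSafe(PAYLOAD, EVIL_URL);
  return {
    bad,
    good,
    badExecutable: looksExecutable(bad),   // true: payload reaches the browser intact
    goodExecutable: looksExecutable(good), // false: tag is text, href is "#"
  };
}

console.log(demo());
```

Note that `safeHref` resolves the URL's scheme with the platform `URL` parser rather than a hand-written regex, so case variants such as `JavaScript:` and leading whitespace are normalized before the check, which a naive `startsWith("javascript:")` would miss.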
The article addresses a broad audience, albeit one with a technical background. The included figures provide code snippets and details about communication protocols used during an attack so that readers with technical backgrounds can understand all of the relevant details; they can then implement Web pages correctly to avoid XSS vulnerabilities.