After our article summarizing and describing the OWASP Top 10 attacks, we will focus on each of them and explain what has been set up within our very high security cloud, CerberHost, to overcome them. One of the greatest plagues on the web is Cross-Site Scripting, often called XSS.
The different kinds of Cross Site Scripting (XSS)
Cross-Site Scripting (XSS) is one of the principal scourges on the web, in terms of both volume and consequences. These attacks are very widespread, and an IP address is often "scanned" many times a day in search of vulnerabilities of this kind.
There are many types of XSS, the most common of which are:
… which are detailed below.
The underlying concepts of XSS attacks
There are many ways to exploit “XSS” vulnerabilities.
Most XSS attacks stem from the same weakness: the lack of control over user input. For instance, in a website's form, if the programmer (or his/her framework, as Symfony or Zend do) took care to validate the data sent by the user, the XSS cannot take place. However, most of the time these inputs are not properly validated, or not validated at all.
If the programmer did not do it, a WAF (Web Application Firewall) can deal with it if it is properly configured.
The usefulness of a WAF in the case of XSS
A WAF (Web Application Firewall) like NAXSI is a tool capable of cleaning the traffic and banning dangerous GET or POST requests. This cleaning is essential to protect a website whose source code can be vulnerable.
Its job mainly consists in checking whether dangerous characters are used in combination with certain keywords. For instance, finding "Robert<script>alert(document.cookie)</script>" in the name field of a form is abnormal.
Traditional WAFs (NAXSI excepted) generally rely on a signature system and are therefore likely to be deceived when an attack's signature is new or modified; they only block an attack when they recognize the signature of a known malicious action.
CerberHost’s answers to Cross Site Scripting attacks
Before every production launch, websites are subject to an intrusive application audit, which also reveals their potential vulnerabilities and allows us to generate a set of even stricter rules in order to protect them as well as possible.
CerberHost also enables, thanks to NAXSI, what we call Virtual Patching. This method consists in correcting bugs or application flaws upstream, on reverse proxies or on the WAF, without modifying the application code itself. All there is to do is to set up rules that systematically block access to the vulnerability.
NAXSI being very light, it can filter all requests, GET or POST, something that WAFs relying on signatures rather than rules cannot always do.
The typical example is the XML-RPC flaw that Magento experienced a few months ago. By applying an upstream protection rule across our entire server fleet, we were able to give our clients and web agencies time to correct the bug without being at risk in the meantime.
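The two mechanisms described above, rule-based scoring of request parameters (the WAF section) and virtual patching of a known-bad URL path (this section), can be shown together in a small request filter. The following Python is an added example written for this article; it is not NAXSI's code, and its rule ids, match strings, scores, thresholds, whitelist and the placeholder endpoint path are all constructed for illustration. It also shows, beside the filter, the programmer's own fix that the WAF is compensating for: HTML-escaping the value before it is reflected into the page.

```python
"""Toy rule-based request filter in the spirit of the NAXSI approach described
above. Added example: ids, strings, scores and paths are constructed, not NAXSI's."""
import html
from urllib.parse import parse_qs, urlsplit

# Each rule matches a literal substring in one zone of the request (URL path or
# query parameters) and adds points to a named counter. Constructed values.
RULES = [
    {"id": 1, "zone": "ARGS", "str": "<", "counter": "XSS", "score": 8},
    {"id": 2, "zone": "ARGS", "str": ">", "counter": "XSS", "score": 8},
    {"id": 3, "zone": "ARGS", "str": "(", "counter": "XSS", "score": 4},
    {"id": 4, "zone": "ARGS", "str": ")", "counter": "XSS", "score": 4},
    {"id": 5, "zone": "ARGS", "str": "`", "counter": "XSS", "score": 8},
    # Virtual patch: deny a path whose handler is known to be flawed, upstream of
    # the application, until the code itself is fixed. Placeholder path.
    {"id": 42, "zone": "URL", "str": "/PLACEHOLDER-vulnerable-endpoint",
     "counter": "VPATCH", "score": 8},
]
# CheckRule-style thresholds: the request is blocked once a counter reaches its limit.
THRESHOLDS = {"XSS": 8, "VPATCH": 8}
# Whitelist produced by tuning after an audit: (rule id, parameter) pairs that are
# legitimate on this site, e.g. parentheses in a name such as "Smith (Jr)".
WHITELIST = {(3, "name"), (4, "name")}


def score_request(url: str):
    """Score a request URL (path + query string) against RULES.

    Returns (counters, hits): counters maps counter name -> points,
    hits lists (rule id, location, occurrences) for every match that counted.
    """
    parts = urlsplit(url)
    counters, hits = {}, []

    def add(rule, where, n):
        counters[rule["counter"]] = counters.get(rule["counter"], 0) + n * rule["score"]
        hits.append((rule["id"], where, n))

    # URL zone: the raw path, used here for the virtual patch.
    for rule in RULES:
        if rule["zone"] == "URL":
            n = parts.path.count(rule["str"])
            if n:
                add(rule, "URL", n)
    # ARGS zone: parse_qs URL-decodes the values, so encoded "<" is still seen.
    params = parse_qs(parts.query, keep_blank_values=True)
    for name, values in params.items():
        for value in values:
            for rule in RULES:
                if rule["zone"] != "ARGS" or (rule["id"], name) in WHITELIST:
                    continue
                n = value.count(rule["str"])
                if n:
                    add(rule, name, n)
    return counters, hits


def decide(url: str) -> str:
    """Return "BLOCK" if any counter reached its threshold, otherwise "PASS"."""
    counters, _ = score_request(url)
    if any(counters.get(c, 0) >= limit for c, limit in THRESHOLDS.items()):
        return "BLOCK"
    return "PASS"


def render_greeting_unsafe(name: str) -> str:
    """The missing input control the text describes: the value is reflected into
    HTML verbatim, so only the WAF stands between the request and the browser."""
    return f"<p>Hello {name}</p>"


def render_greeting_safe(name: str) -> str:
    """The programmer's own fix: escape the value before it reaches the page, so
    the browser displays the characters instead of interpreting them as markup."""
    return f"<p>Hello {html.escape(name, quote=True)}</p>"


if __name__ == "__main__":
    # Constructed sample requests, including the example from the article.
    samples = [
        "/form?name=Robert+Smith",
        "/form?name=Smith+%28Jr%29",
        "/form?name=Robert%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E",
        "/form?comment=see+%28page+2%29",
        "/PLACEHOLDER-vulnerable-endpoint?x=1",
    ]
    for url in samples:
        counters, hits = score_request(url)
        print(f"{decide(url):5} {counters} {hits}  <- {url}")
    print(render_greeting_safe("Robert<script>alert(document.cookie)</script>"))
```

Running the samples shows why the audit step matters: the article's `Robert<script>...` payload is blocked with a high score, the whitelisted `Smith (Jr)` passes, but `see (page 2)` in a `comment` field reaches the threshold and is blocked too. That false positive is exactly what the pre-production audit and per-site rule tuning are there to catch, and the `VPATCH` rule shows how a known-bad path can be denied upstream while the application code is still being fixed.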
CerberHost protects your website against all Top 10 OWASP attacks, and much more.
To discover CerberHost in pictures, watch its presentation video HERE