How XSS/CSRF attacks can be mitigated
by admin on Apr.22, 2009, under attacks, csrf, xss
What is an XSS / CSRF attack?
This kind of attack targets the user. The goal is to force the user's browser to send requests to the web server exactly as the user would have sent them.
How is this attack performed?
XSS / CSRF attacks are generally performed in 4 phases:
Phase 1: Injection phase
During this phase the hacker injects HTML, CSS or JavaScript into the vulnerable web site.
Phase 2: Code retrieval phase
The user's browser downloads a JavaScript file hosted on another web site (this phase is not mandatory, but it is more convenient for the hacker, who would otherwise have to send the entire payload during the injection phase).
Phases 3 and 4: Code execution
During these phases, the browser executes the code. Usually the first step is to retrieve the session cookie, and the second is to send a forged request to the web site. The web server will accept the request because it carries the session cookie.

How can this kind of attack be mitigated?
It is possible on the server side and/or on the client side.
On the server side:
- Take security into consideration during development. Basically, validating and escaping all user input is a good idea.
- To prevent the session cookie from being accessible from JavaScript, you can use the HttpOnly flag.
- Use a Web Application Firewall to prevent code injection.
On the client side:
- I strongly recommend using NoScript on Firefox. This add-on allows JavaScript to run only when you need it.
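The two server-side mitigations above (escaping user input before it reaches the page, and setting the HttpOnly flag on the session cookie) as an added example, not code from the original post; the function names, the comment sample and the cookie name "session" are assumptions chosen for illustration.

```python
import html
from http.cookies import SimpleCookie


def render_comment_unsafe(comment: str) -> str:
    """Vulnerable: user input is pasted straight into the HTML.

    This is the injection point of phase 1: markup or script in the
    comment is interpreted by every visitor's browser.
    """
    return f"<p>{comment}</p>"


def render_comment_safe(comment: str) -> str:
    """Hardened: HTML metacharacters are escaped, so the browser
    renders the comment as text instead of parsing it as markup."""
    return f"<p>{html.escape(comment, quote=True)}</p>"


def session_cookie_header(session_id: str, http_only: bool = True) -> str:
    """Build a Set-Cookie header for the session cookie.

    With http_only=True the browser withholds the cookie from
    JavaScript (document.cookie), which blocks the cookie-stealing
    step of phase 3 even if script injection succeeded.
    """
    cookie = SimpleCookie()
    cookie["session"] = session_id
    cookie["session"]["path"] = "/"
    cookie["session"]["httponly"] = http_only
    return cookie.output(header="Set-Cookie:")


def cookie_has_httponly(set_cookie_header: str) -> bool:
    """Audit check: does a Set-Cookie header carry the HttpOnly flag?

    Useful when reviewing an application's responses, e.g. from a
    proxy log. Attribute names are case-insensitive per RFC 6265.
    """
    value = set_cookie_header.split(":", 1)[-1]
    attributes = [part.strip().lower() for part in value.split(";")]
    return "httponly" in attributes


if __name__ == "__main__":
    # Constructed sample input: a comment containing a script tag.
    sample = "<script>alert(1)</script>"
    print(render_comment_unsafe(sample))
    print(render_comment_safe(sample))
    print(session_cookie_header("constructed-session-id"))
```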