Input Validation

In the input validation technique, a regular expression is applied to the data in every request parameter, i.e., user-generated content. The content is allowed only if it matches a safe regular expression. Otherwise, the server fails the request with a 400 response code.

Advantages:

Input validation not only reduces XSS but also protects against almost all vulnerabilities that may arise from trusting user content.

Disadvantages:

  1. It might be possible to mitigate XSS in a phone number field with a numeric regular expression, but for a name field it might not be possible, as names can be in multiple languages and can contain non-ASCII characters from the Greek or Latin alphabets.
  2. Regular expression testing is performance intensive. All parameters in all requests to a server must be matched against a regular expression.
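
An added example (not code from the original page) of the validation described above: each request parameter is checked against a precompiled allowlist pattern, and the request is answered with 400 on the first failure. The field names, length limits and patterns are assumptions; the name rule uses Unicode property escapes so that non-ASCII names pass, and a length check runs before the regular expression to bound its cost.

```javascript
// Added example: per-parameter allowlist validation.
// Field names, limits and patterns are assumptions, not taken from the page.
// Patterns are compiled once at load time, not on every request.
const RULES = {
  // Optional leading "+", then 7 to 15 digits.
  phone: { max: 16, pattern: /^\+?[0-9]{7,15}$/ },
  // Unicode letters and combining marks; words joined by one space, apostrophe or hyphen.
  name: { max: 64, pattern: /^[\p{L}\p{M}]+(?:[ '-][\p{L}\p{M}]+)*$/u },
};

// Takes an object of parsed request parameters.
// Returns { status: 200 } or { status: 400, field } naming the first bad parameter.
function validateRequest(params) {
  for (const [field, value] of Object.entries(params)) {
    const rule = RULES[field];
    // Unknown parameters and non-strings (e.g. arrays from repeated keys) are rejected.
    if (!rule || typeof value !== "string") return { status: 400, field };
    // Cheap length check first: it bounds what the regex has to scan.
    if (value.length > rule.max) return { status: 400, field };
    // Normalize so composed and decomposed spellings of a name validate alike.
    if (!rule.pattern.test(value.normalize("NFC"))) return { status: 400, field };
  }
  return { status: 200 };
}

// Constructed sample requests.
const SAMPLES = [
  { phone: "+14155550100", name: "Ελένη Παπαδοπούλου" },
  { name: "José O'Neil-Smith" },
  { name: "<script>alert(1)</script>" },
  { phone: "555<svg>" },
];
for (const sample of SAMPLES) {
  console.log(JSON.stringify(sample), "->", JSON.stringify(validateRequest(sample)));
}
```

The first two samples are accepted; the last two are rejected with status 400 because `<`, `>`, `(` and `/` fall outside the allowed character sets.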

Cross Site Scripting (XSS) Prevention Techniques

XSS, or Cross-Site Scripting, is a web application vulnerability that allows an attacker to inject malicious JavaScript content into a website. An attacker exploits this by injecting into websites that do not sanitize, or poorly sanitize, user-controlled content. By injecting such content, an attacker can perform (but is not limited to):

  1. Cookie Stealing.
  2. Defacing a website.
  3. Bypassing CSRF protection, etc.

There are multiple ways by which a web application can protect itself from Cross-Site Scripting issues. Some of them include:

  1. Blacklist filtering.
  2. Whitelist filtering.
  3. Contextual Encoding.
  4. Input Validation.
  5. Content Security Policy.


1. Blacklist filtering

Blacklist filtering is easy to implement, but it protects the website from XSS issues only partially. It works from a known, finite list of XSS vectors. For example, most XSS vectors use event listener attributes such as onerror, onmouseover, onkeypress, etc. Using this fact, user-supplied HTML attributes can be parsed and these event listener attributes removed. This will mitigate a finite set of XSS vectors such as ....

2. Whitelist Filtering

Whitelist filtering is the opposite of blacklist-based filtering. Instead of listing unsafe attributes and sanitizing user HTML against that list, whitelist filtering lists a set of safe HTML tags and attributes. Entities that are known to be safe are maintained, and everything else is filtered out....

3. Contextual Encoding

The other common mitigation technique is to treat all user-supplied data as text and not as HTML content, even if it is HTML content. This can be done by performing HTML entity encoding on user data. Encoding

<h1> test </h1>

may get converted to

&lt;h1&gt; test &lt;/h1&gt;

The browser will then parse this correctly and render

<h1> test </h1>

as text instead of rendering it as an h1 HTML tag....


5. Content Security Policy

Modern browsers support CSP, or Content Security Policy, headers. With these headers, one can specify the list of domains from which JavaScript content can be loaded. If a user tries to add malicious JavaScript, the CSP headers will block the request....
