Cross-Site Scripting, a Top 10 threat


XSS is one of the most common attacks a website will face. We can help.

What is XSS?

Cross-Site Scripting, or XSS, has consistently been ranked as one of the Top 10 threats a web application will face by OWASP, the Open Web Application Security Project. In short, XSS happens when an attacker can inject something into your website that you don't want to be there.

Imagine a comment or review section on your site where customers or visitors can leave their own remark. They're supposed to type a nice message into the field which will then be saved and shown on your website to other visitors. What if they type something else in there? What if they type malicious code in the field?

Whilst a basic example, this is the very essence of an XSS attack; someone managed to get hostile code into your website.



An example of XSS

Mitigating XSS

The first lines of defence against XSS are a combination of input sanitisation and output encoding. Using the example above, when the user submits a comment or review you should check that it doesn't contain anything hostile, like JavaScript, which should be filtered or rejected. The second step is to then properly encode the comment when being rendered into the HTML context to be displayed on the website.

If done properly, these methods would protect a site from XSS attacks like our example, but having just a single line of defence is never a great idea; we need defence in depth. There are also many other ways that hostile script could find its way into your site, so input sanitisation and output encoding simply aren't enough.
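The comment-section scenario above, worked through in code. This is an added example and not code from the original page: the comments it uses are constructed samples, and the three small functions (a markup check for the sanitisation step, an HTML encoder for the output-encoding step, and the two renderers) are illustrative names, not a library.

```javascript
// Added example, not code from the original page: a comment section rendered
// the vulnerable way and the hardened way, plus a sanitisation check.

// Constructed sample submissions. The first is the kind of "malicious code"
// the text describes; the second is a harmless comment that happens to
// contain a '<', which is why encoding rather than blind stripping matters.
const hostileComment = 'Nice shoes! <script>alert(1)</script>';
const friendlyComment = 'I <3 these shoes';

// Input sanitisation: does the submission contain anything that the HTML
// parser would treat as markup? A '<' followed by a tag name, '/' or '!'
// starts a tag or comment; a bare '<3' does not.
function containsMarkup(comment) {
  return /<\s*[a-zA-Z\/!]/.test(comment);
}

// Output encoding for an HTML text context: the characters that can open
// a tag, close an attribute or start an entity become character references.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;',
};
function encodeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable: the stored comment is concatenated straight into the page,
// so a <script> tag in it runs for every visitor.
function renderCommentUnsafe(comment) {
  return `<li class="comment">${comment}</li>`;
}

// Hardened: the same comment, encoded for the HTML context it is placed in.
function renderCommentSafe(comment) {
  return `<li class="comment">${encodeHtml(comment)}</li>`;
}

// The two layers together: reject submissions that carry markup, and encode
// whatever is accepted when it is rendered.
function handleSubmission(comment) {
  if (containsMarkup(comment)) {
    return { accepted: false, html: null, reason: 'comment contains HTML markup' };
  }
  return { accepted: true, html: renderCommentSafe(comment), reason: null };
}

console.log(renderCommentUnsafe(hostileComment)); // script tag survives intact
console.log(renderCommentSafe(hostileComment));   // &lt;script&gt; is shown as text
console.log(handleSubmission(friendlyComment));   // accepted, rendered as "I &lt;3 these shoes"
console.log(handleSubmission(hostileComment));    // rejected before it is ever stored
```

Note that the encoder is for an HTML text context only; a comment placed inside a JavaScript string, a URL or a CSS value needs encoding for that context instead, which is why the page treats encoding as one layer rather than the whole defence.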

The XSS Auditor

Many browsers have an XSS Auditor built in that will try to detect a subset of XSS attacks and neutralise them.

Not only can the XSS Auditor neutralise those attacks, it can send a report and include the malicious payload the attacker tried to use.

To configure the XSS Auditor and enable reporting, check out our product page: XSS Auditor



An example CSP report

Content Security Policy

The final line of defence against XSS is Content Security Policy (CSP). With CSP we change the approach slightly by whitelisting all of the content allowed on our site: if content is whitelisted it is allowed to run; if it isn't, the browser blocks it.

With this approach, if hostile content is somehow injected into your site and gets past other countermeasures, the browser becomes your last line of defence and neutralises the attack. The final piece of the puzzle is, of course, reporting.

With CSP reports sent back by the browser you know that an attack was neutralised, and you can then address the root cause using the information in the report itself.
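The whitelisting and reporting described above, shown in code. This is an added example and not code from the original page or from Report URI: the two policies, the report body and the endpoint URL are constructed samples (the URL is a placeholder), and the helper names are illustrative. It shows the one setting that lets injected inline script run despite a policy, and the fields of a browser's violation report that point at the root cause.

```javascript
// Added example, not code from the original page or from Report URI: a weak
// CSP next to a corrected one, a check for the setting that lets injected
// inline script run, and a parser for the violation report a browser sends.

// Constructed policies. The weak one allows inline script, which is exactly
// what an injected <script> block is; the strict one does not, and asks the
// browser to report violations to a (placeholder) endpoint.
const weakPolicy = "default-src 'self'; script-src 'self' 'unsafe-inline'";
const strictPolicy =
  "default-src 'self'; script-src 'self'; object-src 'none'; " +
  'report-uri https://csp-endpoint.example/report'; // placeholder URL

// Split a policy string into { directive: [source, ...] }.
function parsePolicy(policy) {
  const directives = {};
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    directives[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return directives;
}

// Inline script executes only when the governing directive (script-src, or
// default-src as its fallback) lists 'unsafe-inline'. A nonce or hash source
// in the same directive makes the browser ignore 'unsafe-inline' again.
function allowsInlineScript(policy) {
  const d = parsePolicy(policy);
  const sources = d['script-src'] || d['default-src'] || [];
  const hasNonceOrHash = sources.some((s) => /^'(nonce-|sha(256|384|512)-)/i.test(s));
  return sources.includes("'unsafe-inline'") && !hasNonceOrHash;
}

// Constructed report body in the csp-report JSON shape browsers POST to the
// report-uri endpoint when the strict policy blocks an injected inline script.
const sampleReportBody = JSON.stringify({
  'csp-report': {
    'document-uri': 'https://www.example.com/reviews',
    'referrer': '',
    'violated-directive': 'script-src',
    'effective-directive': 'script-src',
    'original-policy': strictPolicy,
    'blocked-uri': 'inline',
    'source-file': 'https://www.example.com/reviews',
    'line-number': 42,
  },
});

// Pull out the fields needed to locate the root cause: which page, which
// directive fired, what was blocked, and whether it was inline script.
// Older reports put the whole directive with its sources in
// violated-directive, so only the first token is kept.
function summariseReport(body) {
  const report = JSON.parse(body)['csp-report'];
  if (!report) throw new Error('body is not a CSP violation report');
  const directive = (report['effective-directive'] || report['violated-directive'] || '')
    .split(/\s+/)[0];
  return {
    page: report['document-uri'],
    directive,
    blocked: report['blocked-uri'],
    location: report['source-file'] ? `${report['source-file']}:${report['line-number']}` : null,
    inlineScript: directive === 'script-src' && report['blocked-uri'] === 'inline',
  };
}

console.log(allowsInlineScript(weakPolicy));   // true: injected inline script would run
console.log(allowsInlineScript(strictPolicy)); // false: the browser blocks it and reports
console.log(summariseReport(sampleReportBody));
```

A report with blocked-uri "inline" against script-src on a page that is not supposed to carry inline script is the signature of the injected-comment case above; the source-file and line-number fields tell you where in the page the injection landed.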



An example CSP report

Some facts about us

21k+ Sites Monitored
170b+ Reports Processed
10+ Alexa Top 1,000

Simple Pricing

Select your usage

$0.00

Per Month*

  • 10 000 reports per month
  • 3 sites monitored
  • 90 day retention
  • Team Access
  • Email Support

Enterprise Accounts

We can tailor a package to your exact requirements with custom usage, billing and SLA. You need an enterprise account if you're looking for any of the following features, just get in touch!
enterprise@report-uri.com

  • Invoicing
  • Managed/Dedicated Instance
  • Geographic Hosting/Processing
  • Custom or Unlimited Usage
  • Support SLA
  • Custom Terms

We're Trusted By

Award Winning Service