In: Computer Science
Use the Internet to research defenses against cross-site attacks (XSS and XSRF). What are the common defenses? How difficult are they to implement? Why are these defenses not used extensively? Write you finding here in your original post. Minimum 150 words for your response.
Although there have been a variety of proposed prevention
mechanisms, not all of them are effective in all scenarios. The
most popular implementation to prevent Cross-site Request
Forgery, is to make use of a challenge token that is associated with
a particular user and can be found as a hidden value in every state
changing form which is present on the web application. This pro-
tects the form because an attacker crafting a request will also need
to guess the anti-CSRF token for them to successfully trick a vic-
tim into sending a valid request. This token should be invalidated
after some time and after the user logs out. For the anti-CSRF
mechanism to be implemented properly, it will also need to be
cryptographically secure, so that the token itself cannot be easily
guessed, which is a possibility if the token is being generated
based on a predictable pattern.
One method of defending against XSS is checking the user’s
inputs against a whitelist, or known as sanitizing user inputs.
Blacklists are usually not recommended because it is difficult to
encompass all tricky and corner cases. Another method is escap-
ing user inputs, which means replacing certain characters with the
escape sequence, before they are passed to the HTML parser. The
Content security policy is implemented by the browser to help
mitigate XSS attacks. The web servers will specify a whitelist of
domains that are allowed for executable scripts. All other scripts,
including in-line scripts, are not allowed. XSS cannot defeat chal-
lenge-response defenses such as Captcha, re-authentication or
one-time passwords. All of this means work and time and effort,
which is why these defenses are not used as extensively as they should be.