Question

Use the Internet to research defenses against cross-site attacks (XSS and XSRF). What are the common defenses? How difficult are they to implement? Why are these defenses not used extensively? Write you finding here in your original post. Minimum 150 words for your response.

Answer 1

Although there have been a variety of proposed prevention

mechanisms, not all of them are effective in all scenarios. The

most popular implementation to prevent Cross-site Request

Forgery, is to make use of a challenge token that is associated with

a particular user and can be found as a hidden value in every state

changing form which is present on the web application. This pro-

tects the form because an attacker crafting a request will also need

to guess the anti-CSRF token for them to successfully trick a vic-

tim into sending a valid request. This token should be invalidated

after some time and after the user logs out. For the anti-CSRF

mechanism to be implemented properly, it will also need to be

cryptographically secure, so that the token itself cannot be easily

guessed, which is a possibility if the token is being generated

based on a predictable pattern.

One method of defending against XSS is checking the user’s

inputs against a whitelist, or known as sanitizing user inputs.

Blacklists are usually not recommended because it is difficult to

encompass all tricky and corner cases. Another method is escap-

ing user inputs, which means replacing certain characters with the

escape sequence, before they are passed to the HTML parser. The

Content security policy is implemented by the browser to help

mitigate XSS attacks. The web servers will specify a whitelist of

domains that are allowed for executable scripts. All other scripts,

including in-line scripts, are not allowed. XSS cannot defeat chal-

lenge-response defenses such as Captcha, re-authentication or

one-time passwords. All of this means work and time and effort,

which is why these defenses are not used as extensively as they should be.