We recently added the following Security+ practice test question on protecting against XSS to the online test banks. Can you answer it?
Q. An attacker has launched several successful XSS attacks on a web application within your DMZ. The following graphic shows part of your network.
You determine that the attacker is launching the attacks via an anonymizer. Which of the following are the BEST choices to implement on the web server to prevent this attack? (Select TWO.)
A. Baseline reporting
B. Input validation
C. Code review
D. WAF
E. URL filtering
F. Column level access control
Do you know the answer? More importantly, do you know why the correct answer is correct and why the incorrect answers are incorrect? The answer and explanation are available at the end of this post.
XSS Attacks
Cross-site scripting (XSS) is a web application vulnerability that allows attackers to embed malicious HTML or JavaScript code into an email, web site page, or web site error message. HTML and JavaScript code require the use of tags surrounded with the < and > characters, and you’ll commonly see XSS attacks using these tags.
Two common protections against XSS attacks are input validation and a web application firewall (WAF).
Protecting Against XSS with Input Validation
Input validation is the practice of checking data for validity before using it, and it is one of the primary ways you can protect against XSS attacks. As an example, consider the following login screen.
Before creating the account, input validation techniques can prevent users from entering an email address with a < or > character. Similarly, input validation techniques can prevent users from using these characters in the password.
When a user attempts to log on, proper input validation will look at the email address and ensure it follows the format of an email address (with an @ symbol and a domain name separated by a dot, such as gmail.com). It can also ensure that the email and password do not use the < or > characters. This prevents an attacker from sending malicious code to an application, either by sanitizing the input to remove the malicious code or by rejecting the input outright.
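As an added example (not code from the original post), here are the validation rules described above for the email/password login form, in Python, showing both the reject path and the sanitize (escape) path. The email format regex and the length limits are my assumptions.

```python
import html
import re

# Constructed example: validation rules for the e-mail/password login form.
# Rejecting is the primary control; escaping is the fallback when a value
# must still be shown to the user (e.g. echoed in an error message).
FORBIDDEN = frozenset("<>")
# Assumed format check: local part, one "@", domain with at least one dot.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")


def validate_email(addr: str) -> tuple[bool, str]:
    """Return (ok, reason). Rejects angle brackets and malformed addresses."""
    if any(ch in FORBIDDEN for ch in addr):
        return False, "forbidden character < or >"
    if len(addr) > 254:
        return False, "too long"
    if not EMAIL_RE.match(addr):
        return False, "not an email address"
    return True, "ok"


def validate_password(pw: str) -> tuple[bool, str]:
    """Passwords are never echoed back, so a reject-only policy is enough."""
    if any(ch in FORBIDDEN for ch in pw):
        return False, "forbidden character < or >"
    if len(pw) < 8:
        return False, "too short"
    return True, "ok"


def sanitize_for_html(value: str) -> str:
    """Escape so a value that must be displayed renders as text, not markup."""
    return html.escape(value, quote=True)


def check_login_form(email: str, password: str) -> dict:
    """Validate both fields; always return an escaped echo for the error page."""
    ok_e, why_e = validate_email(email)
    ok_p, why_p = validate_password(password)
    return {
        "accepted": ok_e and ok_p,
        "email_error": None if ok_e else why_e,
        "password_error": None if ok_p else why_p,
        # Safe to embed in an HTML error message even if validation failed.
        "email_echo": sanitize_for_html(email),
    }


if __name__ == "__main__":
    print(check_login_form("alice@example.com", "correct horse battery"))
    print(check_login_form("<b>x</b>@example.com", "hunter22"))
```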
Protecting Against XSS with a WAF
A web application firewall (WAF) is a firewall specifically designed to protect a web application. It is typically placed logically between a server hosting a web application and the Internet client. Traffic from the client is sent to the WAF first.
The WAF can monitor the traffic and filter or block potentially malicious traffic. For example, administrators can configure the WAF to block traffic from specific sources (such as known anonymizers or foreign countries). A WAF can also examine the contents of traffic and block requests that include malicious content (such as embedded HTML or JavaScript code).
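As an added example (not the post's own configuration or any real product's rule set), the two WAF behaviours described above in Python: a source blocklist for anonymizer address ranges and inspection of request content for embedded markup. The address ranges are TEST-NET documentation placeholders and the sample requests are constructed.

```python
import ipaddress
import re
from urllib.parse import unquote_plus

# Constructed blocklist: documentation (TEST-NET) ranges standing in for
# anonymizer exit addresses; not real anonymizer infrastructure.
ANONYMIZER_RANGES = [ipaddress.ip_network("203.0.113.0/24"),
                     ipaddress.ip_network("198.51.100.0/24")]
# A "<" immediately followed by a letter, "/" or "!" opens an HTML tag.
TAG_RE = re.compile(r"<[A-Za-z/!]")


def from_anonymizer(client_ip: str) -> bool:
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in ANONYMIZER_RANGES)


def contains_markup(raw: str) -> bool:
    # Decode twice so a double-encoded "<" (%253C) is also caught.
    decoded = unquote_plus(unquote_plus(raw))
    return bool(TAG_RE.search(decoded))


def inspect_request(req: dict) -> tuple[str, str]:
    """Return ("BLOCK" | "ALLOW", reason) for one parsed HTTP request."""
    if from_anonymizer(req["client_ip"]):
        return "BLOCK", "source in anonymizer blocklist"
    for field in ("path", "query", "body"):
        if contains_markup(req.get(field, "")):
            return "BLOCK", f"markup in {field}"
    return "ALLOW", "clean"


# Constructed sample traffic: one clean login, one from a blocked range,
# one URL-encoded tag in the query, one double-encoded tag in the query.
SAMPLE_REQUESTS = [
    {"client_ip": "192.0.2.10", "path": "/login", "query": "", "body": "email=alice%40example.com&pw=secret"},
    {"client_ip": "203.0.113.77", "path": "/login", "query": "", "body": "email=bob%40example.com"},
    {"client_ip": "192.0.2.11", "path": "/search", "query": "q=%3Cscript%3Ealert(1)%3C%2Fscript%3E", "body": ""},
    {"client_ip": "192.0.2.12", "path": "/search", "query": "q=%253Cimg%2520src%253Dx%253E", "body": ""},
]


def run(requests=SAMPLE_REQUESTS) -> list:
    return [inspect_request(r) for r in requests]


if __name__ == "__main__":
    for req, (verdict, why) in zip(SAMPLE_REQUESTS, run()):
        print(f"{req['client_ip']:>14} {req['path']:<8} {verdict} ({why})")
```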
So, can you answer this question?
Q. An attacker has launched several successful XSS attacks on a web application within your DMZ. The following graphic shows part of your network.
You determine that the attacker is launching the attacks via an anonymizer. Which of the following are the BEST choices to protect the web server and prevent this attack? (Select TWO.)
A. Baseline reporting
B. Input validation
C. Code review
D. WAF
E. URL filtering
F. Column level access control
B and D are correct. Input validation and a web application firewall (WAF) are the best choices of the available answers. Both provide protection against cross-site scripting (XSS) attacks. Input validation validates data before using it to help prevent XSS attacks. A WAF acts as an additional firewall that monitors, filters, and/or blocks HTTP traffic to a web server. In the scenario, it can block traffic from anonymizers.
While developers can configure the web application in multiple ways, it is most likely working this way:
- A user accesses the Web Server to log on
- The Web Server communicates with the Customer Data Server to check the user’s credentials
- Once authenticated, the Web Server communicates with the Application Database Server to serve application data
- It’s unlikely that the Application Source Code would be used during a user session
A is incorrect. Baseline reporting is the process of comparing systems against a baseline to identify discrepancies or anomalies. As an example, a security baseline configures systems in a known secure state. Later, administrators can audit the systems to ensure they are still in the same known secure state.
C is incorrect. A code review goes line-by-line through code to help detect vulnerabilities. While it is a good preventative measure, it should be done before the code has been placed on a live web server.
E is incorrect. URL filtering can filter traffic from known anonymizers. However, a WAF provides URL filtering in addition to other security protections, so it is a better choice. URL filtering is a good choice to protect the back-end servers by ensuring that the web server can access them, but attackers from outside the network cannot access them.
F is incorrect. Column level access control provides protection for a database. For example, you can encrypt columns that hold passwords or credit card data. Similarly, you can use record level access control to protect entire records within a database.