Protection against Cross Site Scripting (XSS) {1}


The authors of this article describe how to protect JavaScript code against
cross-site scripting (XSS). XSS is considered one of the biggest weaknesses in
web-based programs. XSS is usually carried out by entering JavaScript code into HTML
content, for example through an input text box or comment box on a web page. Once this
JavaScript code has been entered, an attacker may be able to access sensitive
information available within the web site and transfer it to a third-party
website. This is how phishing and cross-site request forgery can happen. The authors
propose a server-side approach to detecting JavaScript injections. It works as follows: when
they write JavaScript code, they place comments before and after each block of code.
These comment statements contain an identification number that is kept on record. Whenever
a response page is generated, the server checks that each JavaScript block has that
identification number commented inside it. When the identification number cannot be found
within a block of code, the whole block is thrown out, because it is considered injected
and possibly harmful.
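As an added example (not code from the paper or from this summary), a minimal server-side response filter in Python that applies the check described above: each inline script block must open and close with a comment carrying the identification number, and any block without it is dropped from the page before it is sent. The identifier, the comment format and the sample page are constructed assumptions.

```python
import re
from typing import List, Tuple

# Constructed identification number, standing in for the value the server keeps on record.
TRUSTED_ID = "7f3a21c9"

# Inline <script> blocks. A regex is fine for this demonstration, not for production HTML.
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL)


def _is_marker(line: str, script_id: str) -> bool:
    """Accept '// id:<id>' or '/* id:<id> */' with any spacing (assumed comment format)."""
    text = " ".join(line.split())
    return text in (f"// id:{script_id}", f"/* id:{script_id} */")


def has_marker_comments(body: str, script_id: str) -> bool:
    """True when the block's first and last non-blank lines are the marker comments."""
    lines = [ln for ln in body.splitlines() if ln.strip()]
    return len(lines) >= 2 and _is_marker(lines[0], script_id) and _is_marker(lines[-1], script_id)


def filter_response(html: str, script_id: str) -> Tuple[str, List[str]]:
    """Drop every inline script block lacking the marker comments.

    Returns the cleaned page plus the bodies thrown out, so the server can log
    them as suspected injections. (External <script src> tags have no body and
    are dropped too; the check as summarised covers inline code only.)
    """
    removed: List[str] = []

    def keep_or_drop(match: re.Match) -> str:
        body = match.group(1)
        if has_marker_comments(body, script_id):
            return match.group(0)
        removed.append(body.strip())
        return ""  # the whole block is thrown out

    return SCRIPT_RE.sub(keep_or_drop, html), removed


# Constructed response page: one trusted block, one script smuggled in via a comment field.
SAMPLE_PAGE = """<html><body>
<script>
// id:7f3a21c9
document.getElementById("greeting").textContent = "Welcome back";
// id:7f3a21c9
</script>
<div class="comment">Nice post!<script>alert("xss")</script></div>
</body></html>"""

if __name__ == "__main__":
    cleaned, removed = filter_response(SAMPLE_PAGE, TRUSTED_ID)
    print(cleaned, "\nremoved:", removed)
```

The check is only as strong as the secrecy of the identification number: if an attacker can learn or guess it, an injected block can carry the marker too, so the value should be unguessable and not exposed in any page the attacker can read.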

I think this relates to our class because it talks about JavaScript and its vulnerabilities
to cross-site scripting. It also kind of gives us an idea of how to go about preventing and
detecting any cross-site scripting that can be dangerous to the users of a website.

Overall, this article seemed very interesting but was a little hard to follow, and it took me
a while to understand how the process of detecting XSS worked. I think the reason I found
it interesting is that I wanted to see how people actually perform XSS. I also
wanted to see what can possibly be done to stop or prevent websites from being injected
with JavaScript that can be dangerous. It's a good article and I would recommend it to anyone
who wants to learn one possible way of preventing XSS on websites.

Reference:
{1} H. Shahriar and M. Zulkernine, "Injecting Comments to Detect JavaScript Code Injection Attacks,"
in Proc. IEEE 35th Annual Computer Software and Applications Conference Workshops (COMPSACW),
18-22 July 2011, pp. 104-109, doi: 10.1109/COMPSACW.2011.27.