
Securing landing pages and protecting against XSS vulnerabilities

When it comes to web development, one of the major questions we can ask ourselves is about security, especially when forms are created in landing pages (web pages dedicated, for example, to a sales offer, a specific product or a campaign, whose aim is to convert visitors into prospects or customers).

The Web and its vulnerable forms are one big playground for hackers. Many different security attacks can be encountered. They could all be mentioned, but in this article we will focus only on XSS attacks: what they are and how to avoid them.

Why focus on XSS attacks and not on others?

It is one of the most common security attacks on dynamic web sites. It belongs to the family of injection attacks; commonly called “Cross-Site Scripting”, it figures in the OWASP Top 10 of security risks (OWASP, the Open Web Application Security Project, is an online community which produces freely available articles, methodologies, documentation, tools and technologies in the field of web application security).

What are XSS attacks?

These attacks target web sites that display user content dynamically without checking and encoding the data entered by users (for example, a user can enter special characters in a form which the browser will then execute as code).
The attacks aim, for example, to execute remote code, inject SQL, redirect the user, or steal information (such as session authentication data or cookies).

The types of XSS attacks are very broad because hackers can use any language handled by the browser (JavaScript, Java…), and new variants are regularly discovered.

How to avoid them?

Precautions must be taken, among them:

1. Special character encoding

Among the special characters, some (for example: & < > " ' /) are not interpreted as data but as code when they are placed at the start of a command or tag. They can be interpreted in the code and processed. Their use must be restricted, and they must be “escaped”, meaning replaced by something that won't be interpreted, on the front-end and on the back-end (for example their HTML equivalents, so “&” is replaced by “&amp;”).

2. Check the parameters passed as arguments: their names and their values

3. Restrict the data length

4. Check the format of the data entered by the user, by setting up pattern attributes on the front-end side and regular expressions on the back-end side.
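The four precautions above applied together to a landing-page lead form, as an added example in Node.js. This is not code from the original article; the field names (firstName, email, phone), the length limits and the regular expressions are assumptions chosen for the example, and the submissions at the bottom are constructed sample data.

```javascript
// Added example (not from the original article): the four precautions for a
// landing-page form, written for Node.js without external dependencies.

// 1. Special-character encoding: each character the browser could read as
//    markup is replaced by its HTML entity, so it is displayed, never executed.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
  '/': '&#x2F;',
};

function escapeHtml(value) {
  return String(value).replace(/[&<>"'\/]/g, (ch) => HTML_ESCAPES[ch]);
}

// 2-4. One rule per accepted parameter name: a maximum length and a regex
//      that mirrors the pattern attribute placed on the front-end input.
//      (Hypothetical fields and limits, chosen for this example.)
const FIELD_RULES = {
  firstName: { maxLength: 40, pattern: /^[-\p{L} ']+$/u },
  email: { maxLength: 254, pattern: /^[^\s@]+@[^\s@]+\.[^\s@]+$/ },
  phone: { maxLength: 20, pattern: /^\+?[0-9 ]+$/ },
};

// Returns { ok, clean, errors }: only parameters whose name is known, whose
// value is a string within the length limit and matching the pattern are
// copied into `clean`; everything else produces an error entry.
function validateForm(params) {
  const errors = [];
  const clean = {};
  for (const [name, raw] of Object.entries(params)) {
    const rule = FIELD_RULES[name];
    if (!rule) { errors.push(`unexpected parameter: ${name}`); continue; }   // 2. name check
    if (typeof raw !== 'string') { errors.push(`${name}: value must be a string`); continue; }
    const value = raw.trim();
    if (value.length === 0) { errors.push(`${name}: empty`); continue; }
    if (value.length > rule.maxLength) { errors.push(`${name}: too long`); continue; } // 3. length
    if (!rule.pattern.test(value)) { errors.push(`${name}: invalid format`); continue; } // 4. regex
    clean[name] = value;
  }
  for (const name of Object.keys(FIELD_RULES)) {
    if (!(name in params)) errors.push(`missing parameter: ${name}`);
  }
  return { ok: errors.length === 0, clean, errors };
}

// Output encoding is applied even to values that passed validation: a value
// that slips through a loose pattern is still rendered as text, not markup.
function renderConfirmation(clean) {
  return `<p>Thank you, ${escapeHtml(clean.firstName)}. We will contact you at ${escapeHtml(clean.email)}.</p>`;
}

// Constructed sample submissions (not real data).
const goodSubmission = { firstName: 'Anne-Marie', email: 'anne@example.com', phone: '+33 6 12 34 56 78' };
const badSubmission = {
  firstName: '<script>alert(1)</script>',
  email: 'anne@example.com',
  phone: '+33 6 12 34 56 78',
  utm_source: 'newsletter',
};

console.log(validateForm(goodSubmission));
console.log(validateForm(badSubmission));
console.log(renderConfirmation(validateForm(goodSubmission).clean));
```

The escaping table is the one for text placed in an HTML element body; a value inserted into an attribute, a URL or a script block needs the encoder for that context, and the `pattern` attribute on the front-end only improves the user experience, so the back-end regex is the check that actually protects the site.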

There are many tools used to automate intrusion tests, among them OWASP ZAP, Skipfish, Nessus/OpenVAS, etc.

_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _

GLOSSARY

Injection attack: allows a hacker to introduce input into a program that is interpreted as a command or request and modifies the way the software or computer code is executed.

SQL injection: an attack which aims to inject into an SQL request being processed a piece of another request not expected by the system, which can compromise security.

Front-end: the client side (web browser), i.e. the visible part of a web site, meaning the components the user sees on screen and can interact with.

Back-end: the server-side part of a web site, not accessible to users, which makes it possible to manage the content and parameters of the site.

Pattern: the pattern attribute specifies a regular expression that defines the rule applied when validating an input value.

Regex (regular expression): a sequence of characters used in programming for pattern matching, which makes it possible, for example, to check the format of entered data.