TL;DR
A sneaky type of Cross-Site Scripting (XSS) can happen if your website reads a value from a cookie and then writes it into a page without checking or encoding it. This guide shows you how to spot this problem and fix it, making sure attackers can't run malicious code in your users' browsers.
Understanding the Problem
Blind XSS via cookie means an attacker gets a cookie containing JavaScript set in a victim's browser (for example from a sibling subdomain that shares the cookie scope, through a header-injection flaw, or simply in the attacker's own browser when the value is later shown to someone else). Your website then reads that cookie and writes its contents into a page without properly encoding it, so the injected script executes in the browser of whoever renders that page. It is 'blind' because the attacker usually does not see the output of the injection: the value often surfaces somewhere else, such as an admin dashboard or a log viewer, which also makes the flaw harder to detect during testing.
How to Fix It: Step-by-Step
- Identify Cookie Usage
First, find all places in your code where you read values from cookies. Look for document.cookie in JavaScript, the raw Cookie request header, and the equivalent accessors in your server-side language or framework (e.g., PHP's $_COOKIE, request.cookies in Python frameworks). Follow each value to every place it is stored, logged or rendered, including admin-only views.
- Check Input Validation and Output Encoding
For each cookie value you use, ask yourself: Is the data validated when it is read? Is it encoded correctly for the context in which it is displayed?
- Validation: Ensure the cookie only contains expected characters, preferably with an allowlist (e.g., a username matching ^[A-Za-z0-9._-]{1,32}$). Reject values that do not match, or replace them with a safe default, rather than trying to strip HTML tags or JavaScript out of them; stripping is easy to bypass.
- Encoding: Always encode data at the point where it is written into HTML, whether or not it passed validation. This makes the browser treat the value as text rather than as markup or script.
Here are some common encoding techniques:
- JavaScript (Client-Side): Use a function that escapes the five HTML special characters (ampersand, angle brackets and both quote characters, so the result is also safe inside a quoted attribute). For example:
function htmlEncode(str) {
  return String(str).replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;')
                    .replace(/"/g, '&quot;').replace(/'/g, '&#x27;');
}
Better still, avoid innerHTML for cookie-derived text altogether and assign it with element.textContent, which never parses the string as HTML.
- PHP (Server-Side): Use htmlspecialchars() with ENT_QUOTES so both quote characters are encoded:
$safe_value = htmlspecialchars($cookie_value, ENT_QUOTES, 'UTF-8');
- Python (Server-Side, using the standard-library html module):
import html
safe_value = html.escape(cookie_value)
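The steps above, worked end to end as an added example (this is not code from the original guide): a minimal Cookie-header parser so the raw attacker-controlled values are visible, an allowlist check on read, and a vulnerable render beside a hardened one that encodes each value for the context it lands in (HTML body, HTML attribute, JavaScript string). The cookie names, the allowlists and the sample header are assumptions constructed for the demonstration; the JavaScript-string context goes one step beyond the page's examples, since HTML entity encoding alone is not enough there.

```python
import html
import json
import re

# Constructed sample Cookie request header (not captured from any real site).
# "username" and "theme" are assumed to be allowlisted cookies; "display_name"
# is assumed to be free text, so only output encoding can protect it.
SAMPLE_COOKIE_HEADER = (
    "username=<script>alert(document.domain)</script>; "
    'display_name="O\'Neil <img src=x onerror=alert(1)>"; '
    "theme=dark"
)

# Hypothetical allowlists; tighten them to what the application really issues.
USERNAME_RE = re.compile(r"[A-Za-z0-9._-]{1,32}")
THEMES = {"light", "dark"}


def read_cookies(header: str) -> dict:
    """Step 1 (identify cookie usage): parse a Cookie header into a dict.

    Frameworks do this for you ($_COOKIE, request.cookies); it is spelled out
    here so the raw, attacker-controlled values are visible.
    """
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if not sep or not name:
            continue
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]  # RFC 6265 allows a double-quoted cookie-value
        cookies[name.strip()] = value
    return cookies


def validate_username(raw):
    """Step 2a (validation): accept only allowlisted input, else a safe default."""
    if raw is not None and USERNAME_RE.fullmatch(raw):
        return raw
    return "guest"


def validate_theme(raw):
    """Same idea for a value with a small fixed set of legal options."""
    return raw if raw in THEMES else "light"


def render_vulnerable(cookies: dict) -> str:
    """The 'before': raw cookie values interpolated straight into HTML."""
    return (
        f"<body class=\"theme-{cookies.get('theme', '')}\">\n"
        f"<p>Welcome back, {cookies.get('display_name', '')} "
        f"({cookies.get('username', '')})!</p>"
    )


def render_fixed(cookies: dict) -> str:
    """The 'after': validate on read, encode per context at the point of output."""
    username = validate_username(cookies.get("username"))
    display_name = cookies.get("display_name", "")
    theme = validate_theme(cookies.get("theme"))
    # JavaScript string context: json.dumps yields a quoted literal with
    # non-ASCII (including U+2028/2029) escaped; replacing < and > stops a
    # literal "</script>" inside the value from closing the block early.
    js_user = json.dumps(display_name).replace("<", "\\u003c").replace(">", "\\u003e")
    return (
        # HTML attribute context: always quote the attribute; html.escape also
        # encodes the quote characters that could terminate it.
        f'<body class="theme-{html.escape(theme)}">\n'
        # HTML body context: & < > " ' become entities.
        f"<p>Welcome back, {html.escape(display_name)} ({html.escape(username)})!</p>\n"
        f"<script>var user = {js_user};</script>"
    )
```

Run `render_vulnerable(read_cookies(SAMPLE_COOKIE_HEADER))` and the `<img ... onerror>` payload lands in the page as live markup; `render_fixed` returns it as `&lt;img ...&gt;` in the body, as `\u003cimg ...\u003e` inside the script, and replaces the non-allowlisted username with `guest`. Note that the raw value is kept in the dict and encoded only at output, which is what the "encode at the right place" consideration below is about.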
Implement a strong Content Security Policy to restrict the sources from which your website can load scripts and other resources. A policy whose script-src does not include 'unsafe-inline' blocks inline <script> blocks and on* event handlers, which is exactly what a reflected cookie payload relies on. CSP is a second layer of defence, not a substitute for output encoding, and any legitimate inline scripts will need nonces or hashes once the policy is enforced.
Example CSP header:
Content-Security-Policy: default-src 'self'; script-src 'self'
Set the HttpOnly flag on cookies that don't need to be accessed by client-side JavaScript. This does not stop a malicious cookie value from being set or reflected, but it prevents a script that does execute from reading session cookies via document.cookie, which limits what a successful attack can steal. Add the Secure flag so the cookie is only sent over HTTPS, and a SameSite attribute so it is not sent on most cross-site requests.
// Example (PHP 7.3+, options-array form):
setcookie('my_cookie', 'value', ['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
Perform regular security audits and penetration testing to identify potential vulnerabilities, including XSS flaws. Automated scanning tools can help, but most scanners do not inject payloads into cookie values, so also test manually: set a payload in each cookie your application reads and check every place that value is rendered, including admin pages and log viewers that ordinary users never see.
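The CSP, cookie-flag and audit steps above, as an added example (not code from the original guide): one function emits a Set-Cookie value with HttpOnly, Secure and SameSite set using Python's standard-library http.cookies, and two small checks of the kind an audit script would run, one that reports which flags a Set-Cookie header is missing and one that tells whether a CSP string still lets inline scripts run (script-src, falling back to default-src; 'unsafe-inline' is ignored when a nonce or hash is present). The policy constant extends the page's minimal one with object-src and base-uri, which is an assumption about what this application can tolerate; the cookie and header names are likewise assumed.

```python
from http.cookies import SimpleCookie

# Assumed policy: the page's minimal CSP plus two common hardening directives.
# object-src 'none' blocks plugin-based script execution and base-uri 'self'
# stops an injected <base> tag from redirecting relative script URLs.
CSP_POLICY = "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'"


def set_cookie_header(name, value, *, http_only=True, secure=True, same_site="Lax", path="/"):
    """Return the value of a Set-Cookie header with the protective flags set."""
    jar = SimpleCookie()
    jar[name] = value
    morsel = jar[name]
    morsel["path"] = path
    morsel["httponly"] = http_only  # not readable through document.cookie
    morsel["secure"] = secure       # only sent over HTTPS
    morsel["samesite"] = same_site  # not sent on most cross-site requests
    return morsel.OutputString()


def audit_set_cookie(header_value: str) -> dict:
    """Parse a Set-Cookie value and report the flags a review should look for."""
    flags = {}
    for attr in header_value.split(";")[1:]:
        key, _, val = attr.strip().partition("=")
        flags[key.strip().lower()] = val.strip() if val else True
    return {
        "httponly": flags.get("httponly") is True,
        "secure": flags.get("secure") is True,
        "samesite": flags.get("samesite") or None,
    }


def csp_allows_inline_scripts(policy: str) -> bool:
    """True if inline <script> blocks and on* handlers would run under this CSP.

    script-src governs scripts, falling back to default-src when it is absent.
    Per CSP Level 2 and later, 'unsafe-inline' is ignored by the browser when
    the same source list also carries a nonce or hash.
    """
    directives = {}
    for directive in policy.split(";"):
        parts = directive.split()
        if parts:
            directives[parts[0].lower()] = [s.lower() for s in parts[1:]]
    sources = directives.get("script-src", directives.get("default-src"))
    if sources is None:
        return True  # the policy says nothing about scripts at all
    has_nonce_or_hash = any(
        s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in sources
    )
    return "'unsafe-inline'" in sources and not has_nonce_or_hash


def security_headers(session_token: str) -> dict:
    """Response headers the hardened application sends (assumed cookie name)."""
    return {
        "Content-Security-Policy": CSP_POLICY,
        "Set-Cookie": set_cookie_header("session", session_token),
    }
```

`audit_set_cookie` and `csp_allows_inline_scripts` are the useful parts for the audit step: point them at the headers a real response returns (for example from a crawl of the site) and any cookie reported without HttpOnly, or any policy reported as allowing inline scripts, is a finding to follow up.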
Important Considerations
- Encoding at the Right Place: Encode data *immediately before* writing it into the page, not when you first read it from the cookie. Encoding on read locks the value into one output context and leads to double-encoded or wrongly encoded output elsewhere; keep the raw (validated) value and encode on output.
- Context Matters: Use the encoding method appropriate to where the data lands (HTML body, HTML attribute, JavaScript string, URL, CSS). HTML entity encoding alone does not make a value safe inside a <script> block or a URL.
- Stay Updated: Keep your website’s software and libraries up to date to benefit from security patches.