Ask HN: What's the current state of XSS attacks?
8 points by gorpomon on March 7, 2016 | 2 comments
I am reading "The Web Application Hacker's Handbook" and specifically the chapter on Cross Site Scripting attacks. The information seems slightly out of date, and most browsers seem to now protect against the attacks they're describing. What are the current avenues of exploits used for XSS attacks in 2016? Are the new client side frameworks like React and Angular largely immune to XSS? Are more mature server side frameworks like Rails largely immune? Are there any up to date resources on XSS attacks?


This post didn't gain much traction, but XSS attacks are still pretty popular and Google awards up to $7500 for XSS attacks[1]. React and Angular may help prevent XSS attacks, and while I don't know specifics, they likely do have some ingrained tools to prevent it occurring. I wouldn't be surprised if an XSS exploit could find a way around client-side sanitization though. In a perfect world, all strings coming from your server would be pre-escaped.

Rails is 'immune' in the sense that it doesn't let you directly drop HTML onto pages from strings without escaping it first, and if you would like to do so, you have to explicitly mark the string as safe[2]. This isn't to say that XSS is no longer an issue, though. Rails and other frameworks help prevent these occurrences in many cases in simple applications, but larger-scale applications have a lot more code and a lot more ways to punch holes in that protection. In fact, using Express with Node.js doesn't sanitize your strings by default (as far as my quick research has shown), which leaves a potential attack vector.

While XSS is a very well known vector, XSS attacks are not uncommon in non-boilerplate web applications. Fortunately, sanitization is easy and bugs can often be fixed quickly.

Browsers can prevent some methods of XSS, such as by preventing loading JS from a remote untrusted source. If you find a way to drop JS directly onto a page that the browser can't catch (such as the entire JS source being delivered by the server), there's still vulnerability.

OWASP tends to be the place to go to learn about web security[3]. They have lots of examples of potential exploits.

[1] https://www.google.ca/about/appsecurity/reward-program/
[2] http://stackoverflow.com/a/3932440
[3] https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
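The "escape by default, opt out explicitly" behaviour the comment above attributes to Rails (auto-escaped templates plus an explicit html_safe marker), contrasted with the raw string concatenation you get from a bare Express handler, as an added example in plain Node.js. This is not code from the thread, from Rails or from Express: the function names (escapeHtml, htmlSafe, html, safeHref, render*), the SafeString wrapper and the payload string are all constructed for illustration. It also goes one step past the comment by showing that entity encoding alone does not help inside a URL attribute, where a javascript: scheme survives escaping untouched.

```javascript
// Added example, not from the HN thread or any framework's source.
// Models the Rails pattern: everything interpolated into a template is
// entity-encoded unless the developer explicitly marks it as safe.

// Encode the five characters that matter in HTML text and in
// double- or single-quoted attribute values.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Wrapper for markup the developer has vouched for (cf. String#html_safe
// in Rails). Anything that is not wrapped gets escaped on output.
class SafeString {
  constructor(markup) { this.markup = markup; }
  toString() { return this.markup; }
}
const htmlSafe = (markup) => new SafeString(markup);

// Tagged template: interpolated values are escaped unless they are
// SafeString instances. This is the "framework does it for you" half.
function html(strings, ...values) {
  let out = strings[0];
  values.forEach((v, i) => {
    out += (v instanceof SafeString ? v.markup : escapeHtml(v)) + strings[i + 1];
  });
  return new SafeString(out);
}

// Entity encoding does not protect a URL attribute: <a href="javascript:...">
// passes escapeHtml unchanged. Only allow http(s) for user-supplied links.
// (Constructed helper; the base URL exists only so relative links parse.)
function safeHref(url) {
  try {
    const u = new URL(url, 'https://example.invalid/');
    return (u.protocol === 'http:' || u.protocol === 'https:') ? url : '#';
  } catch (e) {
    return '#';
  }
}

// Naive rendering: what a bare Express handler does when it builds the
// response body by string concatenation with no escaping template engine.
function renderNaive(username) {
  return `<p>Hello, ${username}</p>`;
}

// Auto-escaped rendering: the same template through the tagged helper.
function renderEscaped(username) {
  return html`<p>Hello, ${username}</p>`.toString();
}

// The hole the comment describes: once something is marked safe the
// framework trusts it, so html_safe on attacker-controlled input is XSS again.
function renderMisusedHtmlSafe(username) {
  return html`<p>Hello, ${htmlSafe(username)}</p>`.toString();
}

// Link rendering: escaped for the attribute context and scheme-checked.
function renderLink(href, label) {
  return html`<a href="${safeHref(href)}">${label}</a>`.toString();
}

// Constructed payload in the style of the classic reflected-XSS probe.
const PAYLOAD = '<script>alert(document.domain)</script>';

function demo() {
  return {
    naive: renderNaive(PAYLOAD),
    escaped: renderEscaped(PAYLOAD),
    misused: renderMisusedHtmlSafe(PAYLOAD),
    link: renderLink('javascript:alert(1)', 'profile'),
  };
}
```

Calling demo() returns the three renderings of the same payload side by side: the naive and the misused-html_safe variants are identical and contain live script, while the escaped variant is inert text. The link case shows why "pre-escape every string" is necessary but not sufficient; the encoding has to match the context the string lands in.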


You might want to check out http://www.html5sec.org for an overview of more up to date vectors.
