Cross-Site Scripting (XSS) Attacks
Cross-Site Scripting (XSS) Attacks
XSS attacks inject malicious scripts into web applications, which then execute in users' browsers to steal credentials, hijack sessions, or deface websites. Web application firewalls detect XSS attempts by scanning request content for script patterns and known payload shapes. This is a heuristic, signature-based layer: it misses novel encodings and flags some benign input, so it complements — and never replaces — context-aware output encoding and a Content-Security-Policy in the application itself.
Implement signature-based XSS detection, including decoding of the common encoding layers attackers use to evade naive pattern matching:
// XSS pattern detection engine
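/**
 * Signature-based XSS detector for untrusted request values.
 *
 * Every entry in the pattern tables is a heuristic, not a parser: it trades
 * precision for coverage and will produce false positives (for example the
 * event-handler signature `/\bon\w+\s*=/` also matches a query parameter
 * named `one=`). Treat a hit as a signal to block or log at the edge, not as
 * a substitute for contextual output encoding and a Content-Security-Policy
 * in the application. Several signatures contain an unbounded `[\s\S]*` and
 * can backtrack superlinearly on long inputs with many quotes or tags, so
 * callers should cap the size of values they pass in.
 */
class XSSDetector {
  constructor() {
    // Generic signatures, checked in every context; a hit is reported as
    // severity 'high'. `[\s\S]*` is used instead of `.*` so a payload split
    // across lines (e.g. `style=\nexpression(`) is still matched.
    this.xssPatterns = [
      // Script tags
      /<script[\s>]/i,
      /<\/script>/i,
      // Inline event handlers (onload=, onerror=, ...)
      /\bon\w+\s*=/i,
      // Script protocols
      /javascript:/i,
      /vbscript:/i,
      // Data URIs carrying script
      /data:[\s\S]*script/i,
      // SVG-based XSS
      /<svg[\s\S]*onload/i,
      // Legacy CSS expression()
      /style\s*=[\s\S]*expression\s*\(/i,
      // Literal escape sequences that decode to `<script`
      /\\x3cscript/i,
      /\\u003cscript/i,
      /%3Cscript/i
    ];
    // Context-specific signatures, reported as severity 'medium'. The 'html'
    // entries fire on *any* tag or entity, so benign markup is flagged too.
    this.contextualPatterns = {
      'html': [
        /<[^>]+>/,
        /&[#\w]+;/
      ],
      'attribute': [
        /['"][\s\S]*on\w+=/i,
        /javascript:/i
      ],
      'url': [
        /javascript:/i,
        /data:[\s\S]*base64/i
      ]
    };
  }

  /**
   * Tests `input` for XSS signatures.
   *
   * Evaluation order:
   *   1. generic patterns on the raw input                       -> 'high'
   *   2. the same procedure on the decoded input (recursively)   -> whatever it finds
   *   3. context-specific patterns on the raw input              -> 'medium'
   * Decoding runs before the context patterns so that an encoded high-severity
   * payload sitting next to a benign tag (`<b>%3Cimg%20onerror%3D...%3E`) is
   * reported as 'high' rather than as a 'medium' generic-markup hit.
   *
   * @param {string} input   Untrusted value (query parameter, header, body field).
   *                         Non-strings are coerced; null/undefined count as ''.
   * @param {string} context Where the value would land: 'html' (default),
   *                         'attribute' or 'url'. Unknown contexts skip step 3.
   * @returns {{detected: boolean, pattern?: string, severity?: string, context?: string}}
   *          `pattern` is the source text of the matching regex.
   */
  detectXSS(input, context = 'html') {
    const text = typeof input === 'string' ? input : String(input == null ? '' : input);

    for (const pattern of this.xssPatterns) {
      if (pattern.test(text)) {
        return {
          detected: true,
          pattern: pattern.toString(),
          severity: 'high'
        };
      }
    }

    // Peel encoding layers and re-check. decodeInput only ever shortens the
    // string, so this recursion is bounded by the input length.
    const decoded = this.decodeInput(text);
    if (decoded !== text) {
      const nested = this.detectXSS(decoded, context);
      if (nested.detected) {
        return nested;
      }
    }

    const contextual = this.contextualPatterns[context];
    if (contextual) {
      for (const pattern of contextual) {
        if (pattern.test(text)) {
          return {
            detected: true,
            pattern: pattern.toString(),
            context: context,
            severity: 'medium'
          };
        }
      }
    }

    return { detected: false };
  }

  /**
   * Strips up to three layers of encoding so that the signatures also match
   * payloads a browser (or an upstream decoder) would unwrap.
   *
   * Layers handled in each pass, each independently of the others:
   *   - percent-encoding (`%3C`). A malformed sequence such as a literal
   *     `50% off` makes decodeURIComponent throw; in that case the well-formed
   *     `%XX` pairs are still decoded byte-wise instead of abandoning the pass
   *     (which previously also skipped the `\x` / `\u` layers below).
   *   - JavaScript string escapes `\xHH` and `\uHHHH`.
   *   - HTML numeric character references `&#60;` / `&#x3c;`, with the
   *     terminating `;` optional because browsers accept it that way.
   * Named references (`&lt;`) are NOT decoded.
   *
   * The loop stops early once a pass changes nothing. Every substitution
   * shortens the string, so the result is never longer than the input.
   *
   * @param {string} input
   * @returns {string}
   */
  decodeInput(input) {
    let decoded = input;
    for (let pass = 0; pass < 3; pass++) {
      const before = decoded;
      try {
        decoded = decodeURIComponent(decoded);
      } catch (e) {
        // Not a fully valid URI component: decode only the well-formed pairs.
        decoded = decoded.replace(/%([0-9a-f]{2})/gi,
          (match, hex) => String.fromCharCode(parseInt(hex, 16)));
      }
      decoded = decoded.replace(/\\x([0-9a-f]{2})/gi,
        (match, hex) => String.fromCharCode(parseInt(hex, 16)));
      decoded = decoded.replace(/\\u([0-9a-f]{4})/gi,
        (match, hex) => String.fromCharCode(parseInt(hex, 16)));
      decoded = decoded.replace(/&#(x[0-9a-f]{1,6}|\d{1,7});?/gi, (match, ref) => {
        const isHex = ref[0] === 'x' || ref[0] === 'X';
        const codePoint = isHex ? parseInt(ref.slice(1), 16) : parseInt(ref, 10);
        // Out-of-range references are not a valid character; leave them as-is.
        return codePoint <= 0x10ffff ? String.fromCodePoint(codePoint) : match;
      });
      if (decoded === before) {
        break;
      }
    }
    return decoded;
  }
}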