Cross-Site Scripting (XSS) Attacks

Cross-Site Scripting (XSS) Attacks

XSS attacks inject malicious scripts into web applications; the injected scripts then execute in users' browsers to steal credentials, hijack sessions, or deface websites. Firewalls detect XSS attempts by analyzing request content for script patterns and malicious payloads.

Implement comprehensive XSS detection:

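// XSS pattern detection engine
/**
 * Signature-based XSS detector for request fields.
 *
 * A value is scanned raw first; if nothing matches it is decoded
 * (percent-encoding, `\xHH`, `\uHHHH`) and scanned again so that encoded
 * payloads are not missed. This is a blocklist heuristic: it reports
 * *indicators*, not proof, and produces false positives on benign markup
 * in the 'html' context.
 *
 * Every regex in the pattern lists must stay free of the `g`/`y` flags:
 * `RegExp.prototype.test` would otherwise carry `lastIndex` state between
 * calls and make results depend on the previous input.
 */
class XSSDetector {
    /**
     * @param {object} [options]
     * @param {number} [options.maxDecodePasses=3] - upper bound on decoding
     *   rounds, both inside decodeInput() and for the decode-and-rescan loop
     *   in detectXSS(). Bounds the work spent on deeply nested encodings.
     */
    constructor(options = {}) {
        this.maxDecodePasses = options.maxDecodePasses === undefined ? 3 : options.maxDecodePasses;

        this.xssPatterns = [
            // Script tags
            /<script[\s>]/i,
            /<\/script>/i,

            // Event handlers (onload=, onerror=, ...). `\w+` also matches
            // non-event words such as "once=", so this is a heuristic.
            /\bon\w+\s*=/i,

            // JavaScript protocols
            /javascript:/i,
            /vbscript:/i,

            // Data URIs with scripts. `[\s\S]*` instead of `.*` so a newline
            // inside the value does not interrupt the match.
            /data:[\s\S]*script/i,

            // SVG-based XSS
            /<svg[\s\S]*onload/i,

            // Style-based XSS (legacy expression())
            /style\s*=[\s\S]*expression\s*\(/i,

            // Encoded patterns. decodeInput() also unwraps these; they are kept
            // so a single-pass scan still catches the most common forms.
            /\\x3cscript/i,
            /\\u003cscript/i,
            /%3Cscript/i
        ];

        // Lower-severity checks that depend on where the value is rendered.
        this.contextualPatterns = {
            'html': [
                /<[^>]+>/,
                /&[#\w]+;/
            ],
            'attribute': [
                /['"][\s\S]*on\w+=/i,
                /javascript:/i
            ],
            'url': [
                /javascript:/i,
                /data:[\s\S]*base64/i
            ]
        };
    }

    /**
     * Scan `input` for XSS indicators.
     *
     * @param {string} input - request field to inspect; non-string values are
     *   coerced with String(), null/undefined become ''.
     * @param {string} [context='html'] - 'html' | 'attribute' | 'url'. Unknown
     *   contexts skip the contextual pass instead of throwing.
     * @returns {{detected: boolean, pattern?: string, context?: string,
     *   severity?: string, decoded?: boolean}} `decoded: true` marks a match
     *   that only appeared after decoding, which is worth logging separately
     *   when tuning rules.
     */
    detectXSS(input, context = 'html') {
        const raw = input == null ? '' : String(input);

        // Round 0 scans the raw value; each later round peels off encoding
        // layers via decodeInput() and rescans. Bounded by maxDecodePasses so
        // a value nested many layers deep cannot keep the scanner busy.
        let current = raw;
        for (let round = 0; round <= this.maxDecodePasses; round++) {
            const result = this.scanPatterns(current, context);
            if (result.detected) {
                return round === 0 ? result : Object.assign({ decoded: true }, result);
            }

            const next = this.decodeInput(current);
            if (next === current) {
                break; // nothing left to decode
            }
            current = next;
        }

        return { detected: false };
    }

    /**
     * Single pass of both pattern lists over an already-decoded value.
     * General patterns come first and are rated 'high'; the patterns for
     * `context` come next and are rated 'medium'.
     *
     * @param {string} value
     * @param {string} context
     * @returns {{detected: boolean, pattern?: string, context?: string, severity?: string}}
     */
    scanPatterns(value, context) {
        const general = this.xssPatterns.find((pattern) => pattern.test(value));
        if (general) {
            return {
                detected: true,
                pattern: general.toString(),
                severity: 'high'
            };
        }

        // Own-property lookup: a caller-supplied context such as 'constructor'
        // or 'toString' would otherwise resolve to an inherited function and
        // the for-of / find below would throw.
        if (Object.prototype.hasOwnProperty.call(this.contextualPatterns, context)) {
            const specific = this.contextualPatterns[context].find((pattern) => pattern.test(value));
            if (specific) {
                return {
                    detected: true,
                    pattern: specific.toString(),
                    context: context,
                    severity: 'medium'
                };
            }
        }

        return { detected: false };
    }

    /**
     * Undo common encoding layers so encoded payloads can be matched:
     * percent-encoding, `\xHH` and `\uHHHH` escapes. Repeats until the value
     * stops changing or `maxDecodePasses` is reached. Best-effort: a malformed
     * percent sequence no longer aborts the whole decode (see decodePercent),
     * and the escape passes always run.
     *
     * @param {string} input
     * @returns {string} decoded value; `=== input` when nothing was decoded
     */
    decodeInput(input) {
        let decoded = input == null ? '' : String(input);

        for (let pass = 0; pass < this.maxDecodePasses; pass++) {
            const before = decoded;
            decoded = this.decodePercent(decoded);
            decoded = decoded.replace(/\\x([0-9a-f]{2})/gi,
                (match, hex) => String.fromCharCode(parseInt(hex, 16)));
            decoded = decoded.replace(/\\u([0-9a-f]{4})/gi,
                (match, hex) => String.fromCharCode(parseInt(hex, 16)));
            if (decoded === before) {
                break; // fixed point reached
            }
        }

        return decoded;
    }

    /**
     * Percent-decode `value`.
     *
     * decodeURIComponent() throws URIError on a lone '%' or on a byte
     * sequence that is not valid UTF-8. In that case fall back to decoding
     * each well-formed `%HH` pair byte-wise, so one malformed sequence does
     * not disable decoding of the rest of the value. Any other error is
     * rethrown.
     *
     * @param {string} value
     * @returns {string}
     */
    decodePercent(value) {
        try {
            return decodeURIComponent(value);
        } catch (e) {
            if (!(e instanceof URIError)) {
                throw e;
            }
            return value.replace(/%([0-9a-f]{2})/gi,
                (match, hex) => String.fromCharCode(parseInt(hex, 16)));
        }
    }
}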