Previously in this series of magento2 security we have discussed magento2 sql injection and learned how we can secure our store. Let’s discuss XSS attack and check how we can secure our magento2 store.
Cross Site Scripting or XSS is a web based application vulnerability occurs when an attacker is able to execute malicious script/code/style in victim’s browser through client-side languages, any source of data can play a role of injection vector like environment variables, input parameters.
Types of XSS vulnerabilities:
- Reflected: when a user clicks on the malicious link code gets delivered to the vulnerable web site, and gets reflected back into the user’s browser.
- Stored: Malicious code is inserted into the application by the attacker and whenever the user visits the site or link attack gets executed.
- DOM-based: This attack does not need to interact with the web server,the attacker forces the user’s browser to execute code by modifying the DOM environment.
A successful magento2 XSS attack can:
- Hijack user session
- Steal cookies
- expose sensitive information
- escalating privileges or can deliver malware.
How to secure your magento2 store against XSS
Check out this webkul security module for quick fix and get your magento2 store audited to prevent XSS , let’s discuss some global techniques:
1.Sanitize data input: Ensure that all the data is filtered and validated at both ends (server and client) before reflecting back to the user. Such as values of search parameters, user details.
Filter out, convert special characters like < , >, /, ?, & to their HTML or URL encoded values.
2. Implement Security Headers: Consider implementing x-xss-protection header it will block pages from loading when they detect potential xss attack.
X-XSS-Protection: 1; mode=block
or consider using Strict-Transport-Security header it will only allow execution of scripts from known, valid resources that are trusted by application.
Although it’s not possible for every store owner to check against such vulnerabilities in their store, in such conditions Webkul can help in detection and in mitigation from vulnerabilities on Magento 2 store through its basic security module which can also be customized.
To safeguard your Magento 2 store from other attacks like malicious file upload or brute force visit our store and check out our Security Extension Suite for Magento 2 module for more details, which is effective in blocking malicious users and in notifying admins for suspected login attempts.