How to monitor XSS attacks and other security threats on your website, in real-time

Website holesCross-site scripting (XSS) is a form of exploit where an attacker somehow places malicious JavaScript into a webpage.

It can potentially allow the attacker to gain access to your account, steal sensitive information or attempt to infect your machine with other malicious software.

eBay suffered from an XSS attack in late 2014 that directed victims to a phishing page that tried to steal eBay usernames and passwords. You can watch a video Graham made about that attack here.

If eBay users had entered their details into the page, the attacker would have received the victim's username and password and been able to access their account.

Similarly, you can defend against ad-injectors and straight up malvertising by preventing other resources like images from being loaded into your webpages.

One way to mitigate against attacks such as this on your website would be to use a feature of web browsers known as Content Security Policy (CSP). CSP with violation reporting could alert you that an attack is taking place.

So, what is CSP? Well, CSP is a browser feature that means you can define a whitelist of sources that any type of content on your pages can be loaded from. By defining a valid list of sources for JavaScript for example, a site can effectively combat cross-site scripting (XSS) attacks by blocking malicious script.

Report URIWith that in mind, I've just launched a brand new, free service over at https://report-uri.io for violation reporting of CSP and HTTP Public Key Pinning (HPKP) - another feature incorporated into browsers.

HTTP Public Key Pinning allows a host to define a whitelist of cryptographic identities that the browser should trust for the site going forwards. You provide a valid list of fingerprints for certificates the browser should accept, and any other certificates, even if they are valid, will be rejected. This will protect your visitors from man-in-the-middle attacks in the event a Certificate Authority is compromised and a rogue certificate is issued for your domain.

Deployed via a HTTP response header, CSP and HPKP can be setup with relative ease but can be quite difficult to report on.

Both CSP and HPKP greatly improve the security of your site for your visitors and any compliant browser will enforce the policies. The problem is that without reporting, you don't know when the policies are being enforced. If you suffer an XSS attack, the CSP will force the browser to take action and block it, but without knowing about it, the host can't work to fix the issue.

This means that the XSS threat will remain and visitors without a CSP-compliant browser will fall victim to the attack.

Report URIWith violation reporting provided by https://report-uri.io you can view the violations as they occur on your site in real-time. As soon as a security threat is detected, you can begin investigating. Alongside this the service provides powerful reporting to let you identify your most frequent issues, view historic reports and track your violation counts to monitor progress on fixes or identify upward trends.

I built the service for a few different reasons but there was one main driver for me, to promote the use of CSP and HPKP. As powerful as these security policies are, their presence on the web is minimal. By drawing attention to them and making the difficult task of reporting much easier, I hope to have a positive impact on their use by removing some of the barriers to deployment.

In addition to this I enjoy keeping up to date on the latest and greatest technologies on my own personal blog. Building the site presented a great opportunity for me to get to grips with and really understand some new technologies whilst providing a public service. It was an all-round winner really and I've thoroughly enjoyed the road to get here.

Tags: , , , ,

Smashing Security podcast
Check out "Smashing Security", the new weekly audio podcast, with Graham Cluley, Carole Theriault, and special guests from the world of information security.

"Three people having fun in an industry often focused on bad news" • "It's brilliant!" • "The Top Gear of computer security"

Latest episode:

, , , ,

3 Responses

  1. Coyote

    May 26, 2015 at 11:49 pm #

    "As powerful as these security policies are, their presence on the web is minimal."

    "By drawing attention to them and making the difficult task of reporting much easier, I hope to have a positive impact on their use by removing some of the barriers to deployment."

    Well the two go together so I think your goal is already progressing as much as it can (which is to say is a success[1]). Indeed there's not enough awareness but you're doing what you set out to do – the only improvement is the one that we can only hope is happening: more people become more aware. There's no such thing as perfect; this is why the projects that improve, grow, etc. are the projects that are success in their own right. As such, your project is a success in that way and hopefully more discover your work.

    [1] Although it should be obvious from my elaboration, it means as such as a continuing success (as far as I am concerned that's the only kind of success for projects like these – i.e. those that can be improved should be continually improving).

  2. Sherry

    May 27, 2015 at 7:39 pm #

    This is great. Any chance you can develop a WordPress plugin for utilizing this? Thanks.

    • Scott in reply to Sherry.

      May 28, 2015 at 5:09 pm #

      Excellent idea, I will look into it. Thanks!

Leave a Reply