Republic of the Philippines
National Police Commission
PHILIPPINE NATIONAL POLICE
Camp BGen Rafael T Crame, Quezon City
ACG-CYBER SECURITY BULLETIN NR 213: HOW TO AVOID CROSS-SITE SCRIPTING (XSS)
Reference Number ACG-CSB 071821213
The following information was obtained from different cyber security sources for notification to all parties concerned pursuant to the mandate of the Philippine National Police Anti-Cybercrime Group (PNP ACG) and classified as “Restricted” pursuant to the PNP Regulation 200-012 on Document Security and Impact Rating as high based on PNP Information Communication Technology (ICT) Security Manual s.2010-01 p. 22 and p.129.
Cross-site scripting (also known as XSS) is a web security vulnerability that allows an attacker to compromise the interactions that users have with a vulnerable application. It allows an attacker to circumvent the same origin policy, which is designed to segregate different websites from each other. Cross-site scripting vulnerabilities normally allow an attacker to masquerade as a victim user, to carry out any actions that the user is able to perform, and to access any of the user's data. If the victim user has privileged access within the application, then the attacker might be able to gain full control over all of the application's functionality and data.
Unfortunately, there's a slight hitch if you use Chrome. From version 92 onward (July 20th, 2021), cross-origin iframes are prevented from calling alert(). As these are used to construct some of the more advanced XSS attacks, you'll sometimes need to use an alternative PoC payload. In this scenario, we recommend the print() function. If you're interested in learning more about this change and why we like print(), check out our blog post on the subject.
As the simulated victim in our labs uses Chrome, we've amended the affected labs so that they can also be solved using print(). We've indicated this in the instructions wherever relevant.
All PNP personnel as well as the public are advised to follow the tips to avoid the CROSS-SITE SCRPTING (XSS):
- Keep software updated - Cybercriminals and developers are in a constant arms race, with the former hunting tirelessly for vulnerabilities and the latter working to patch them. If you aren’t judicious about updating software or applications, you give cybercriminals the chance to take advantage of any known vulnerabilities.
- Sanitize Input Fields - Making financial transactions on an unsecured public Wi-Fi networkis an easy way to give your personal information to prospective hackers. Because public Wi-Fi is open to anyone, they will often insert themselves in between you and the internet in order to capture the sensitive data you're sending. Always make sure you use cash apps on a secure, password-protected network.
- Use a web application firewall- As cyberattacks become more advanced and prevalent, a good best practice is to use a WAF that can filter bad bots and other malicious threats away from your website. Think of a WAF as the gatekeeper to your website, preventing cross-site scripting attacks before they’re executed. When shopping for a WAF, look for a provider that protects against the latest andthe most common types of attacks.
For additional information, please refer to the following websites:
POINT OF CONTACT