
AWS Rule for XSS Attack 01 February 2021

What is XSS attack?

Cross-Site Scripting (XSS) attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted websites. An XSS attack occurs when an attacker uses a web application to send malicious code, generally in the form of a browser-side script, to a different end user. The flaws that allow these attacks to succeed are widespread and occur anywhere a web application includes user-supplied input in the output it generates without validating or encoding it.


What is AWS WAF(Web Application Firewall)?

AWS WAF is a web application firewall that lets you monitor the HTTP and HTTPS requests forwarded to an Amazon CloudFront distribution, an Amazon API Gateway REST API, or an Application Load Balancer, and control access to your content. Based on conditions you specify, such as the IP address a request originates from or the values of its query strings, the protected resource responds either with the requested content or with an HTTP 403 (Forbidden) status code. CloudFront can also be configured to return a custom error page when a request is blocked.

WAF Rule for XSS attack

The rule used here to block XSS is CrossSiteScripting_BODY, one of the rules in the AWS Managed Rules Core rule set (AWSManagedRulesCommonRuleSet); its siblings CrossSiteScripting_QUERYARGUMENTS, CrossSiteScripting_COOKIE and CrossSiteScripting_URIPATH cover the other parts of a request.

When it is enabled, it inspects the request body and blocks requests whose body matches the common cross-site scripting patterns in AWS WAF's built-in XSS detection. Note that AWS WAF inspects only the leading part of a request body (8 KB on an Application Load Balancer), so content beyond that limit is not seen by this rule.

What this blocks

With this rule active, a request whose body contains raw HTML does not get past the WAF, so the application behind it cannot accept HTML in a request body as-is.

The screenshot below shows the result: a 403 Forbidden response that comes from AWS WAF itself, not from the application.

 

How to send HTML content when it is needed

If HTML content really has to travel in a request parameter, encode it on the client before sending and decode it once it reaches the server. The WAF then sees only the encoded text, which does not match the XSS patterns. Keep in mind what this means: the field is now outside the WAF's view, so the server is solely responsible for it. The decoded content should be limited in size, checked to be well-formed Base64, and sanitized or HTML-encoded before it is stored or rendered, because an attacker can encode a payload exactly as easily as the legitimate client does.

The screenshot below shows the request with the data Base64-encoded before it is sent to the service.

 

Code snippets for reference.

Frontend

Language: Angular

This is where the Base64 encoding happens, just before the data is sent to the service.

 

Backend

Language: PHP (Lumen framework)

Here the request body is decoded after it arrives at the service.

 
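The two snippets above were published as screenshots. As an added example that is not the post's own Angular or PHP code, the following Node.js script shows the same round trip end to end: the client-side Base64 encoding, the server-side decoding with the checks that become the application's job once the body is hidden from CrossSiteScripting_BODY, and the HTML encoding remedy from the XSS definition applied to the decoded string. The size limit, the sample CMS field and the function names are assumptions for illustration.

```javascript
// Added example, not the Muvi post's own Angular/PHP snippets: Base64 transport
// encoding of an HTML request body (client side) and the checks a server must
// perform once that body is hidden from AWS WAF's CrossSiteScripting_BODY rule.
// Runs on Node.js; Buffer does the Base64 work that btoa()/atob() would do in
// the browser and base64_encode()/base64_decode() do in PHP.

// Assumed limit on a decoded field; the post does not state one.
const MAX_DECODED_BYTES = 64 * 1024;
const MAX_ENCODED_CHARS = Math.ceil(MAX_DECODED_BYTES / 3) * 4;

// Canonical Base64: the standard alphabet only, with optional '=' padding at the end.
const BASE64_RE = /^[A-Za-z0-9+/]*={0,2}$/;

// Client side (Angular in the post). Encode the UTF-8 bytes, not the raw string:
// browser btoa() throws on any character outside Latin-1, so in Angular you would
// btoa() the bytes produced by TextEncoder.
function encodeForTransport(html) {
  return Buffer.from(html, 'utf8').toString('base64');
}

// Server side (PHP/Lumen in the post). PHP's base64_decode($s, true) only rejects
// characters outside the alphabet; the checks here also reject wrong lengths,
// non-canonical padding bits and oversized input before anything is decoded.
function decodeFromTransport(encoded) {
  if (typeof encoded !== 'string') throw new Error('body field must be a string');
  if (encoded.length > MAX_ENCODED_CHARS) throw new Error('encoded body too large');
  if (encoded.length % 4 !== 0 || !BASE64_RE.test(encoded)) {
    throw new Error('body field is not Base64');
  }
  const bytes = Buffer.from(encoded, 'base64');
  // Re-encoding must reproduce the input exactly; otherwise the sender used
  // stray padding bits that different decoders would interpret differently.
  if (bytes.toString('base64') !== encoded) throw new Error('non-canonical Base64');
  return bytes.toString('utf8');
}

// The decoded string has not been inspected by the WAF. Where it is reflected
// into a page as text, HTML-encode it (the "encoding" remedy from the XSS
// definition). Where it must be rendered as markup, run it through an allowlist
// sanitizer such as DOMPurify instead of this function.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Constructed sample: a CMS field carrying markup plus a script tag.
const SAMPLE_HTML = '<p>Welcome to the channel</p><script>alert(document.cookie)</script>';

function demo(html = SAMPLE_HTML) {
  const wire = encodeForTransport(html);      // what the WAF sees in the body
  const decoded = decodeFromTransport(wire);  // what the PHP service works with
  return {
    wire,
    wireContainsTag: wire.includes('<'),      // always false: '<' is not in the Base64 alphabet
    roundTripOk: decoded === html,
    safeForTextContext: escapeHtml(decoded),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The `wireContainsTag` field is the whole reason the WAF rule stops matching: the Base64 alphabet contains no `<`, `>` or quotes, so the XSS patterns have nothing to match. That is exactly why the server-side checks in `decodeFromTransport` and the encoding or sanitizing step after it are not optional.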

Abhaya Senapati
With an innate love of writing code to solve complex issues, Abhaya has 5+ years of experience in full-stack development and is currently leading the Engineering & Development pod at Muvi.
