Preventing cross-site scripting (XSS) attacks

cloud trust and security
Reading Time: 2 minutes

Cross-site scripting (XSS) is a type of security vulnerability found in web-applications. Atlassian Cloud apps are web-apps and are not immune.

Earlier this year we did some analysis of Marketplace app vulnerabilities reported via the Atlassian bug bounty program. We discovered XSS attacks were the most commonly reported vulnerability to our bug bounty program. As a result we’ve put together a guide to help you prevent XSS attacks for customers using your Atlassian cloud apps.

What are cross-site scripting (XSS) attacks?

XSS attacks can expose session tokens held by app users, or other sensitive information retained by the browser and used within the affected site. They might also redirect their target user to web content controlled by an attacker, or cause a user to unintentionally make a malicious call to an API, allowing an attacker to obtain sensitive information.

XSS attacks often take the form of Javascript. They could also be HTML – or any other code the browser could execute.

To investigate XSS attacks, and understand what was possible within Atlassian products, we created a sample connect app with an XSS vulnerability in Glitch. We were able to execute malicious code that called a Jira API and accessed user data.

You can view my app on Glitch here, and test various strategies to prevent it.

What can I do to ensure my app is secure?

A successful XSS attack occurs when an attacker is able to insert and execute malicious content into a webpage. To ensure your app users are protected from XSS vulnerabilities, every user input in your app needs to be validated, and escaped or sanitised.

Modern frameworks automatically sanitise inputs, but it's possible to circumvent this. One of the best ways to ensure your app is secure from XSS attacks is to perform an audit of all user inputs. An audit of user inputs will determine what makes its way to HTML output without being validated or encoded. There are a variety of free and paid tools to help manage this, including OWASP Zap and Burp Suite. For a full list of tools and capabilities, see Free for Open Source Application Security Tools and Vulnerability Scanning Tools.

We've also put together a helpful guide on preventing XSS attacks in Atlassian Cloud apps. In the guide, you can learn more about:

  • the different types of XSS attacks,
  • how they relate to each Atlassian Cloud platform, and
  • how to ensure your app is secure from XSS attack.