XSS Protection (Cross-Site Scripting)

XSS (Cross-Site Scripting) Protection regroupe les défenses contre les attaques d'injection JavaScript dans pages web victimes. XSS est dans le top OWASP depuis toujours — permet à attaquant d'exécuter JS dans navigateur victime sous l'origine du site légitime, volant cookies/sessions, défaçant pages, redirigeant vers phishing.

Trois types XSS :
(1) **Reflected XSS** — payload dans URL/form, server reflect dans response sans escape.
(2) **Stored XSS** — payload persisté en DB (commentaire, profile), affiché à autres users.
(3) **DOM-based XSS** — JS manipulating DOM unsafely with user input (location.hash, etc.).

Défenses :
(1) **Output encoding context-aware** — encode HTML entities (`<`→`&lt;`, `>`→`&gt;`, `&`→`&amp;`, `"`→`&quot;`, `'`→`&#x27;`) dans HTML context ; JS encoding dans JS context ; URL encoding dans href/src ; CSS encoding dans style. **Most important defense.**
(2) **Template engines safe by default** — modern frameworks (React JSX, Vue, Angular, Svelte) auto-escape by default. Avoid `dangerouslySetInnerHTML` (React) ou `v-html` (Vue) on user input.
(3) **Sanitization libraries** — when must allow rich HTML (rich text editor) : DOMPurify (JS, leader), bleach (Python), HTML Purifier (PHP), OWASP Java HTML Sanitizer. Whitelist allowed tags/attributes.
(4) **CSP** (Content Security Policy) — defense in depth blocks inline scripts, restricts script sources.
(5) **HttpOnly cookies** — JS cannot access (mitigate session theft).
(6) **SameSite cookies** — prevent CSRF (XSS related).
(7) **Input validation** — whitelist allowed input format (less reliable than output encoding, but useful for type validation).
(8) **Trusted Types API** (Chrome, experimental) — strict DOM XSS prevention.
(9) **X-XSS-Protection header** — deprecated (CSP supersedes), browsers heuristics removed.

Frameworks et tools :
- **React, Vue, Angular** — escape by default in templates.
- **Django, Flask, Rails** — escape by default in templates.
- **DOMPurify** — sanitize HTML user input (Markdown rendering, rich text).
- **Marked, micromark** — Markdown parsers (configure to disable raw HTML).
- **Burp Suite, OWASP ZAP** — pentest tools find XSS.
- **Semgrep, CodeQL** — SAST scan code for XSS patterns.

Real-world XSS impact : Twitter worm 2010 (Mikeyy), MySpace Samy worm 2005, eBay 2014 stored XSS major incident. Compétences OSCP, Security+, CISSP, OWASP Top 10.