To understand the fundamental concepts of output encoding.
To understand the basic defensive practices against malicious injection in mobile software development.
Output Encoding
Another form of data sanitization is output encoding. Output encoding is a defensive programming technique that is used primarily to defend against cross-site scripting attacks. Cross-site scripting attacks are a variant of malicious attack in which hackers take advantage of vulnerabilities in web applications to inject malicious code, which in turn runs malicious scripts, unbeknownst to the end user. This can result in the hackers obtaining the sensitive information of the unsuspecting end user.
Output encoding can be used to protect against these cross-site scripting attacks. Output encoding works by converting all untrusted input into a safe form in which the untrusted input can be displayed as data to the end user, but cannot be executed as code. One technique that can be used to implement output encoding is HTML encoding. Malicious scripts can be stored in a database and not be executed until they are retrieved by the end user. This kind of incubated attack can sit dormant for extended periods of time, until the end user views a web page that the malicious script was injected into. When this occurs, the incubating script will activate and then execute. Such scripts, which take advantage of HTML security vulnerabilities, can be prevented from ever executing by implementing HTML encoding. HTML encoding works by taking variable output and encoding it, replacing certain special characters, such as < and >, with a set of pre-defined alternative representations called entities, such as &lt; and &gt;. When the end user's web browser encounters these entities, it renders them as the original characters on the end user's screen, but it does not interpret them as HTML markup, so the script is not run.
For example, if a malicious attacker created the script shown below, and no HTML encoding was implemented, the malicious attacker would be successful in their cross-site scripting attack.
Example of Malicious Script
<script>alert("You have been attacked!")</script>
However, if HTML encoding were implemented, the malicious script would be encoded as shown below, so that the script is not executed as code but only displayed as data.
Example of HTML Encoding
&lt;script&gt;alert(&quot;you are attacked&quot;)&lt;/script&gt;
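The following is an added example, not part of the course text, that puts the explanation above into working code: a small HTML entity encoder, a constructed in-memory comment store standing in for the database where a stored script can lie dormant, and two renderers, one that emits the stored comments raw and one that encodes them at the point of output. The function names (htmlEncode, storeComment, renderCommentsRaw, renderCommentsEncoded, containsForeignTag) and the sample comments are assumptions made for this example. It also goes slightly beyond the text by encoding &, " and ' in addition to < and >, which is the usual set for data placed in HTML content.

```javascript
// Added example (not from the course text): a minimal HTML entity encoder
// applied at output time, plus a constructed "stored comment" flow that shows the
// difference between emitting untrusted data raw and emitting it encoded.

// The five characters that matter when untrusted data lands in an HTML text node
// or a quoted attribute value. '&' is included so that an attacker cannot smuggle
// in pre-built entities that would otherwise pass through untouched.
const HTML_ENTITIES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
};

// Replace every special character with its entity. Everything else passes
// through unchanged, so ordinary text still reads normally in the browser.
function htmlEncode(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Constructed in-memory "database": comments are stored exactly as submitted.
// Storing the raw text is fine; the safety property must hold where the data is emitted.
const commentStore = [];
function storeComment(text) {
  commentStore.push(text);
}

// Vulnerable rendering: untrusted text is concatenated straight into markup,
// so a stored <script> tag becomes part of the page and runs in the viewer's browser.
function renderCommentsRaw() {
  return commentStore.map((c) => `<li>${c}</li>`).join('');
}

// Hardened rendering: the same stored data, encoded at the point of output.
// The browser shows "<script>..." as literal text and never parses it as a tag.
function renderCommentsEncoded() {
  return commentStore.map((c) => `<li>${htmlEncode(c)}</li>`).join('');
}

// Rough check a defender can run over rendered output: does any tag appear that
// did not come from our own template? Here the only legitimate tags are <li> and </li>.
function containsForeignTag(html) {
  return /<(?!\/?li>)[a-z]/i.test(html);
}

// Constructed sample input mirroring the payload shape used in the course example.
storeComment('Nice article!');
storeComment('<script>alert("you are attacked")</script>');

console.log('raw:     ' + renderCommentsRaw());
console.log('encoded: ' + renderCommentsEncoded());
```

Running the block prints the raw rendering, in which the stored script is live markup, followed by the encoded rendering, in which it survives only as text. The design point is that encoding is applied when the data leaves the application for the browser, not when it enters; encoding at storage time would break other consumers of the data and would not protect output paths that were added later.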