Abstract
Cross-site scripting (XSS), one of the most prevalent forms of client-side attacks, occurs when bad actors attempt to access sensitive information from the backend web server and other systems on the backend network. Some XSS attacks attempt to access sensitive client-side information, such as cookies. Web application firewalls (WAFs) are a first line of defense, analyzing common Uniform Resource Locator (URL) patterns to detect and block known attacks. This paper describes a novel configuration using the Pulse Secure© Pulse Connect Secure© (PCS©) Secure Sockets Layer Virtual Private Network software and Virtual Web Application Firewall (vWAF) that protects a website from XSS attacks. This paper also presents novel aspects of the configuration that control the redirection of traffic through the vWAF and provide fine-grained behavioral control at the application level while decoupling the PCS and vWAF configurations. The intended audience for this paper comprises system and site administrators who are familiar with standard web server environments. These configuration details might prove useful during the design of a more secure infrastructure.
| Original language | English |
|---|---|
| Place of Publication | United States |
| State | Published - 2021 |
Keywords
- 97 MATHEMATICS AND COMPUTING