What’s Your New Year's Resolution?
2025 is knocking firmly at our door and we have promises to make and resolutions to keep. Time to make your list for the New Year and check it twice.
- Lifestyle targets 🡪 Check
- Family targets 🡪 Check
- Social targets 🡪 Check
Umm, so far so good, but what about your cybersecurity targets for the year? Hey, you look confused and concerned. Wait a minute, you do not have one, do you?
I get it. Though the digital world still puzzles, and sometimes outright scares us, we are still not in ‘Take-Charge-Of-Your-Digital-Safety’ mode. We prefer to depend on whatever security software we are using and keep our fingers crossed that the bad guys (read: threat actors) do not find us.
Let me illustrate why cybersecurity should be one of your top priorities. You know that stress is a major threat to our continued good health, right? However, if your devices, social media accounts, office e-mail or network, or God forbid, bank accounts become compromised, would that not cause stress? Think about it and the probable repercussions and you will comprehend why I am harping on prioritising security.
Fret not. We will keep it brief as we well know you have 101 things to do in the next few days leading up to 01/01/2025. Just add cyber health to the list and put in motion the following:
- Install and activate comprehensive security software on ALL internet-enabled devices you have at home. Yes, including your smartphones.
- Set yourself a date to change and create separate unique passwords for all accounts. Or use the password manager that comes with all reputed security software to make life simpler.
- Keep home Wi-Fi turned off at night.
- Do not set social media accounts to auto-download photos/documents.
- Activate parental controls on all the devices used by your children to monitor and mentor them. But keep them apprised.
- Do not blindly trust anyone or anything online – this includes videos, speeches, emails, voice calls, and video calls. Be aware of fakes.
- Be aware of the latest threats and talk about unsafe cyber practices and behaviour often at home.
Short and sweet, as promised.
We will be back, with more tips, and answers to your queries. Drop us a line anytime, and we will be happy to resolve your doubts.
Ciao!
Introduction
Web applications are essential in various sectors, including online shopping, social networks, banking, and healthcare systems. However, they also face numerous security threats, including Cross-Site Scripting (XSS), a client-side code injection vulnerability. XSS attacks exploit the trust relationship between users and websites, allowing attackers to change web content, steal private information, hijack sessions, and gain full control of user accounts without breaking into the server itself. This vulnerability is part of the OWASP Top 10 Web Application Security Risks.
What is Cross-Site Scripting (XSS)?
An XSS attack occurs when an attacker injects client-side scripts into web pages viewed by other users. When users visit the affected pages, their browsers naively execute the inserted scripts. The exploit takes advantage of web applications that allow users to submit content without properly sanitising inputs or encoding outputs. These scripts can cause a wide range of damage, including but not limited to stealing session cookies for session hijacking, redirecting users to malicious sites, logging keystrokes to capture credentials, and altering the DOM to display fake or phishing content.
How Does XSS Work?
- Injection: A malicious user submits code through a website input, like a comment or form.
- Execution: The submitted code runs automatically in the browsers of other users who view the page.
- Exploitation: The attacker can steal session information, capture credentials, redirect users, or modify the page content.
The fundamental causes of XSS vulnerabilities are applications that:
- Accept untrusted input from users.
- Embed that input in web pages without any sanitisation or output encoding.
- Do not enforce protective policies such as a Content Security Policy (CSP).
With such vulnerabilities, attackers can inject payloads as simple as: <script>alert('XSS');</script>
This code might seem simple, but its execution gives the attacker the ability to:
- Copy session tokens through hidden HTTP requests.
- From attacker-controlled domains, load attacker scripts.
- Change the DOM structure to show fake login forms for phishing.
Types of XSS Attacks: XSS (Cross-Site Scripting) attacks occur in three main variations:
- Stored XSS: This type of attack occurs when an attacker injects a crafted payload that the server persists, for example in a database-backed comment field or a message board. The script then runs whenever any user visits the affected page.
- Reflected XSS: In this attack, the payload travels in a URL parameter and is reflected back in the response. It relies on social engineering: the victim has to be tricked into clicking a specially designed link. For example:
- DOM-Based XSS: This variant injects the harmful content without any server-side involvement, in contrast to the other two. It targets client-side JavaScript that writes attacker-controllable data into the page through sinks such as `document.write` and `innerHTML` without carrying out any safety checks, thereby altering the page's structure (DOM stands for Document Object Model). If a value such as the URL fragment (the hash) is given a malicious string, it is executed directly within the browser.
What Makes XSS a Threat?
A Cross-Site Scripting attack is often only the initial attack vector, and it can lead to significant damage that includes the following:
- Session Hijacking. Injected scripts steal session cookies, which are then used to pose as authorised users.
- Theft of Credentials. Users’ passwords and usernames are captured by injected keystroke loggers.
- Phishing. Users are presented with deceitful login forms that capture sensitive details.
- Website Vandalism. Modified website content lowers the esteem of the brand.
- Monetary and Legal Consequences. Data breaches compound GDPR and DPDP Act compliance exposure and incur penalties and fines.
Incidents in the Real World
In 2021, a Stored XSS attack occurred on the well-known e-commerce platform eBay, through its product review system. The malicious JavaScript code was set to trigger every time an infected product page was accessed by customers. This caused a lot of problems, including account takeovers, unauthorised purchases, and damage to the company’s reputation. This example underscores the fact that even reputed platforms can be targeted by XSS attacks.
How to Prevent XSS?
Addressing XSS vulnerabilities demands attention to detail and coordinated effort across functions, as illustrated in the steps below:
Input Validation and Output Encoding:
- Ensure input validation is in place on both the client and the server.
- Perform output encoding appropriate to the context the data is inserted into:
  - HTML: encode <, > and &.
  - JavaScript: escape quotes and slashes.
Content Security Policy (CSP): CSP allows scripts to be executed only from verified sources, which greatly reduces the odds of harmful scripts running on your website. For example, the response header could look something like this: Content-Security-Policy: script-src 'self';
Unsafe APIs should be avoided: Avoid the use of document.write(), innerHTML, and eval(), and instead use:
- textContent for inserting text.
- createElement() and other DOM creation methods for structured content.
Secure Cookies: Apply the HttpOnly flag to block JavaScript access to session cookies, and the Secure flag so they are only sent over HTTPS.
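Context-aware output encoding and the recommended headers, as an added example that is not part of the original article: a vulnerable comment renderer beside its hardened form, a JavaScript-string encoder for data that lands inside an inline script, and the CSP and cookie headers the steps above describe. The comment text and session id are constructed placeholders.

```javascript
// Added example (not from the original article): context-aware output
// encoding for a server-side comment-rendering function, plus the response
// headers (CSP and cookie flags) the article recommends. Runs under Node.js
// with no dependencies; the comment text below is a constructed sample.

// HTML-context encoding: neutralises the five characters that can break
// out of element content or a quoted attribute value.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;',
  })[ch]);
}

// JavaScript-string-context encoding: hex-escape everything that is not
// alphanumeric, so quotes, backslashes, newlines and "</script>" cannot
// terminate the string literal or the enclosing script element.
function escapeJs(untrusted) {
  return String(untrusted).replace(/[^A-Za-z0-9]/g, (ch) => {
    const code = ch.charCodeAt(0);
    return code < 256
      ? '\\x' + code.toString(16).padStart(2, '0')
      : '\\u' + code.toString(16).padStart(4, '0');
  });
}

// Vulnerable rendering (stored XSS): the comment is concatenated straight
// into the page, so a <script> in it runs in every visitor's browser.
function renderCommentUnsafe(author, body) {
  return `<li class="comment"><b>${author}</b>: ${body}</li>`;
}

// Hardened rendering: every untrusted value is encoded for the HTML context
// it is inserted into, so the payload is displayed as text, not executed.
function renderCommentSafe(author, body) {
  return `<li class="comment"><b>${escapeHtml(author)}</b>: ${escapeHtml(body)}</li>`;
}

// Same idea for data that must land inside an inline script: the value is
// encoded for a JavaScript string literal, not for HTML.
function renderUserScript(displayName) {
  return `<script>var currentUser = '${escapeJs(displayName)}';</script>`;
}

// Response headers the article recommends: a CSP that only allows scripts
// from the site's own origin, and a session cookie that page scripts cannot
// read (HttpOnly) and that is only sent over HTTPS (Secure).
function securityHeaders(sessionId) {
  return {
    'Content-Security-Policy': "script-src 'self'",
    'Set-Cookie': `session=${sessionId}; HttpOnly; Secure; SameSite=Lax; Path=/`,
  };
}

// Constructed sample comment carrying the payload quoted in the article.
const SAMPLE_BODY = "Great product! <script>alert('XSS');</script>";

function demo() {
  return {
    unsafe: renderCommentUnsafe('mallory', SAMPLE_BODY),
    safe: renderCommentSafe('mallory', SAMPLE_BODY),
    headers: securityHeaders('SESSION_ID_PLACEHOLDER'),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The unsafe output still carries a live script element, while the safe output shows the same text as `&lt;script&gt;` and the browser renders it literally.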
Framework Protections: Use the protective features in frameworks such as:
- React, which escapes data embedded in JSX automatically.
- Angular, which uses context-aware sanitisation.
Periodic Security Assessment:
- Use DAST tools to test the security posture of an application.
- Perform thorough penetration testing and security-oriented code reviews.
Best Practices for Developers: Adopt a Secure Development Lifecycle (SDLC) that integrates XSS prevention at each stage.
- Educate developers on OWASP secure coding guidelines.
- Automate scanning for vulnerabilities in CI/CD pipelines.
Conclusion:
To reduce the potential danger of XSS, both developers and companies must be diligent in their safety initiatives, ranging from using Content Security Policies (CSP) to verifying user input. Web applications can shield consumers and the company from the subtle but long-lasting threat of Cross-Site Scripting if security controls are implemented during the web application development stage and regular vulnerability scans are conducted.

Introduction
In the new age of technology, the internet and social media continue to witness a surge in deepfake videos, a technological phenomenon that blurs the line between reality and fiction. The string of deepfake videos of Bollywood actors and other famous personalities has raised serious concerns, and Prime Minister Narendra Modi spoke against the risks of artificial intelligence at the G20 Virtual Summit. The central government has recently announced that it will soon set up dedicated regulations to tackle this menace, including holding social media platforms and creators responsible for actions that breach the rules and regulations. Very often, people shy away from initiating a legal process or taking action when they are victims of the misuse of fast-paced technology, but the government has announced its full support for victims and promised to stand by complaints against deepfake videos, including by helping individuals report incidents and any violations by platforms.
Social media platforms to realign their policies as per the Indian laws
The Ministry of Electronics and Information Technology (MeitY) announced on 24th November 2023 that it would give social media platforms a seven-day period to align their terms of service and other policies with Indian laws and regulations in order to address the hosting of deepfakes on these platforms. All platforms must align their terms of use with their users so as to be consistent with the 12 areas that are prohibited under rule 3(1)(b) of the Information Technology (IT) Rules, 2021.
The platforms will ensure harmonisation and alignment of their terms and policies so that every user on every platform is aware that the platform intends to be a safe and trusted platform and will not tolerate the 12 types of content or information prohibited under the IT Act and the IT Rules. The government's approach is to collectively advocate for responsible and safe use of the Internet. The government has taken a proactive step, in partnership with these social media platforms, to ensure an era in which such platforms are far more responsible, far more responsive to the expectations of the law, and more compliant.
Officer to be appointed under rule 7
As deepfake videos continue to surface on social media, the Government has geared up to curb such content online. Mr. Rajeev Chandrasekhar, Minister of State (MeitY), stated that the government will soon appoint an officer to take appropriate action against deepfake videos. This statement came after the government meeting with industry stakeholders and important players held on 24th November 2023. He added that MeitY and the Government of India will nominate an officer under Rule 7 (IT Rules 2021) and will ensure full compliance from all the platforms. An officer appointed under Rule 7 will be entrusted with building a mechanism through which users can submit their complaints regarding deepfakes, and MeitY may also assist such aggrieved users with filing FIRs in such cases. Mr. Rajeev Chandrasekhar also added that the government will be creating a platform where it will be very easy for netizens to bring to the attention of the Government of India notices of allegations or reports of violations of the law by the platforms, and the Rule 7 officer will take that digital platform information and respond accordingly.
The Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 (updated as on 6.4.2023)
Rule 3(1)(b) states that intermediaries shall inform users of their rules and regulations, privacy policy and user agreement, and shall make reasonable efforts to ‘restrict’ users from hosting, displaying, uploading, modifying, publishing, transmitting, storing, updating or sharing any information that is prohibited under this rule, which includes deepfakes, misinformation, CSAM (child sexual abuse material) and so on. As per rule 3(2)(b), intermediaries shall remove or disable access within 24 hours of receipt of a complaint about content that exposes the private areas of individuals, shows such individuals in full or partial nudity or in a sexual act, or is in the nature of impersonation, including morphed images.
Ongoing Efforts Ahead of Crucial Meeting with Tech Giants
Ahead of the government meeting with online platforms such as Google, Facebook, and YouTube on Friday, 24th November 2023, Mr. Rajeev Chandrasekhar, Minister of State (MeitY), added that as far back as October 2022 the Government of India had been alerting them to the threat of misinformation and of deepfakes, which are a form of misinformation. He further added that the current IT Rules under the IT Act provide for adequate compliance requirements on their part to deal with deepfakes.
Deepfake Misinformation
Misinformation powered by AI is becoming an even more potent force to disrupt, to mislead and to create chaos and confusion at a scale, and of a type, that is deeply detrimental. Deepfakes, put very simply, are misinformation that is powered or enhanced by AI. Video-based deepfake misinformation is more dangerous since it has a greater reach, as video is today the preferred form of consumption for users on the internet.
Way forward
The Honourable Prime Minister has raised the issue that deepfakes are deeply disruptive: they can create divisions and all kinds of disruptions in communities and families, and therefore the misuse of deepfake technology is a very clear and present danger to a safe and trusted internet.
The Government is on its way to drafting dedicated legislation to tackle deepfakes.
A future regulation and a future law are certainly required, given that the IT Act is 23 years old. However, the current IT Rules already provide for compliance requirements by the platforms on misinformation, patently false information and deepfakes, followed by the recent government advisory on misinformation and deepfakes.
Conclusion
The Prime Minister has alerted the country to the dangers of deepfakes online. The government is now looking very seriously into this issue and has also issued guidelines for intermediaries, and it is hoped that within a finite period of time the threat of deepfakes will no longer exist in our system. The government has made it clear that, apart from the people spreading deepfake videos, the platforms that allow them to spread and do not take action will also be liable; they are liable under the current rules and will be even more so once new rules and regulations are brought in.
Introduction
On September 27, 2024, the Indian government took a significant step toward enhancing national security by amending business allocation rules through an extraordinary gazette notification. This amendment, which assigns specific roles to different Union Ministries and Departments regarding telecom network security, cybersecurity, and cybercrime, aims to clarify and streamline efforts in these critical areas. With India's evolving cybersecurity landscape, the need for a structured regulatory framework is pressing, as threats grow in complexity. Recent developments, such as the July 2024 global cyber outage and increasing cyber crimes like SMS scams, highlight the urgency of such reforms. Under Article 77 clause (3), the President amended the Government of India (Allocation of Business) Rules, 1961, to designate clearer responsibilities, reinforcing India's readiness to tackle emerging digital threats.
Key Highlights of the Gazette Notification
- Telecom Networks Security: A new entry, "1A. Matters relating to the security of telecom networks", has been added under the Department of Telecommunications, highlighting an increased focus on securing the nation's telecom infrastructure.
- Cyber Security Responsibilities: A new entry, "5B", covering cyber security responsibilities has been added under the Ministry of Electronics and Information Technology (MeitY). This assigns responsibility to MeitY for cybersecurity issues under the Information Technology Act, 2000, giving the ministry the mandate to support other ministries or departments on cybersecurity matters.
- Oversight for Cyber Crime: Under the Ministry of Home Affairs, Department of Internal Security, a new entry, "36A. Matters relating to Cyber Crime", is introduced. This makes clear that the MHA will handle cybercrime issues, highlighting the government's attention to enhancing internal security against cyber threats.
- Cyber Security Strategic Coordination: Any matter related to the "overall coordination and strategic direction for Cyber Security" has been given to the National Security Council Secretariat (NSCS). This consolidates the role of the NSCS in guiding cybersecurity strategy at the national level.
Impact on Policy and Governance
The amendments introduced through the notification are poised to significantly enhance the Indian government's cybersecurity framework by clarifying the roles of the various ministries. The clear separation of responsibilities (telecom network security to the Department of Telecommunications, cybercrime to the Ministry of Home Affairs, and overall cyber strategy to the National Security Council Secretariat) could be seen as enabling better coordination between ministries. This clarity is expected to reduce bureaucratic delays, allowing for quicker response times in addressing cyber threats, cybercrimes, and telecom vulnerabilities. Such efficient handling is crucial, especially in the evolving landscape of digital threats. These changes have been largely welcomed, as they promise improved regulatory oversight and faster policy implementation, and are a step forward in bolstering India’s cyber resilience.
Conclusion
The amendments to the Government of India (Allocation of Business) Rules, 1961 mark a critical step in strengthening India's cybersecurity framework. By setting out specific responsibilities for telecom network security, cybercrime, and overall cybersecurity strategy among key ministries, the government seeks to improve coordination and reduce bureaucratic delays. This policy shift is poised to enhance India’s digital resilience, providing a foundation for rapid responses to emerging cyber threats. However, success hinges on effective implementation, resource allocation, and collaboration across ministries. Addressing concerns such as potential jurisdictional overlap and ensuring the inclusion of bodies like NCIIPC will be pivotal to comprehensive cyber protection. The complexity of cyber crimes and threats evolves every day, and the government's ability and preparedness to handle them with regulatory insight is a high priority.