
Cross Site Scripting Dangers

written by: Steve Mallard•edited by: Bill Bunter•updated: 5/7/2010

XSS (Cross Site Scripting) allows code to be injected into a website. This code can give a malicious person access to your data and secure information. Getting updates, using firewalls and analyzing the applications that produce your web pages all help to prevent Cross Site Scripting.


    What is Cross Site Scripting?

    What is Cross Site Scripting? Cross Site Scripting is a software vulnerability in a web application. It allows malicious users to inject code into the site, creating hidden code that other users may not see. Hackers can use this scripting vulnerability to bypass security controls and gain access to resources they are not authorized to use or see. Through injected code (for example, a false login form) or 'cookie' theft, these malicious users can find critical flaws in the website and misguide other users.

    Cross Site Scripting occurs without the webmaster's knowledge. Many webmasters do not write the code for their website themselves; they use applications to build their website instead.

    In a global economy, websites and ecommerce are an important part of even the smallest business. Flaws in a website can allow hackers (malicious users) to gain access to credit card numbers or personal information, which could result in identity theft.


    How to Secure Your Website

    With the advancement of applications that allow websites to be built in minutes come the dangers of application security issues. Generally, the webmaster enters the information into the application, and the application generates the website. That website goes into production, and when new Cross Site Scripting vulnerabilities are later discovered in the application, the website becomes vulnerable to being hacked.

    The developer of the website should always check for software updates to prevent vulnerabilities. Vulnerabilities are discovered over time, and whatever was developed becomes insecure. If an update for the software is made available, the webmaster should download and install it, then regenerate and replace the production website.

    Most applications have security measures programmed into them. However, an application is only known to be secure at the time the software is released. Always remember that software can be released today only to have a security hole found in it the same day! Patches and updates are important to stop cross site scripting vulnerabilities.

    Webmasters and developers can take a positive stance by deploying an application firewall that controls file execution and how these applications work and interact with website visitors. Many hardware firewalls have DMZs and software / firmware that help to prevent malicious activity. Firewalls, like software, need to be updated on a regular basis.

    XSS, known as Cross Site Scripting, involves the injection of code. What code? This website (Link) gives great examples of the actual code. By studying this code, a webmaster can get a thorough understanding of the code that can be injected. Rather than viewing this site negatively, treat it as a great learning tool. This site is referenced on OWASP. Open Source Security Applications can help with protection of websites (See my past article).
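    As an added illustration (not code from this article or from the site it links to), here is a constructed example of the injection point the text describes: a page-building routine that interpolates a visitor-supplied value into HTML, first verbatim and then HTML-encoded, plus a small parser-based check a webmaster can run over generated pages to see which version leaves executable content behind. The template, function names and the sample probe input are assumptions, not anything from a real product.

```python
import html
from html.parser import HTMLParser

# Constructed stand-in for what a page-building application might emit when
# it drops a visitor-supplied value (e.g. a search term) into the page.
PAGE_TEMPLATE = "<p>Results for: {term}</p>"


def render_unsafe(term: str) -> str:
    """Vulnerable: the value is interpolated verbatim, so any markup in it
    becomes part of the page and runs in every visitor's browser."""
    return PAGE_TEMPLATE.format(term=term)


def render_safe(term: str) -> str:
    """Hardened: HTML-encode the value so the browser shows it as text."""
    return PAGE_TEMPLATE.format(term=html.escape(term, quote=True))


class ActiveContentFinder(HTMLParser):
    """Records what a browser would execute: <script> elements and on*
    event-handler attributes on any element."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append("script element")
        for name, _value in attrs:
            if name.startswith("on"):
                self.findings.append(f"{name} handler on <{tag}>")


def active_content(page: str) -> list[str]:
    """Parse a generated page and list executable content found in it."""
    finder = ActiveContentFinder()
    finder.feed(page)
    finder.close()
    return finder.findings


if __name__ == "__main__":
    # Constructed, harmless probe of the kind a penetration test submits
    # to see whether a page reflects markup unencoded.
    probe = "<img src=x onerror=alert(1)>"
    print("unsafe:", active_content(render_unsafe(probe)))  # event handler found
    print("safe:  ", active_content(render_safe(probe)))    # nothing executable
```

    The encoded output still contains the text "onerror=", which is why the check parses the page instead of matching strings: only content the browser would treat as a tag or attribute counts.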


    Conclusion

    XSS (Cross Site Scripting) allows code to be injected into a website. This code can give a malicious person access to your data and secure information. Getting updates, using firewalls and analyzing the applications that produce your web pages all help to prevent Cross Site Scripting. Running penetration tests that include this vulnerability helps show weaknesses before you are hacked. Penetration tests should be run frequently against any web application.