Cross-site scripting (XSS) is the most common attack targeting the application layer, and it is included in OWASP’s list of the top 10 software security risks. XSS is frequently found in Web-based applications, including browsers. The injected scripts are executed within the user’s Web browser rather than on the server.
How XSS works
Client-side scripting languages, such as the commonly used HTML and JavaScript, are inherently susceptible to XSS. For the rich content made possible by JavaScript or HTML to function on a PC, some code must execute on the client side. TechRepublic points out that increasing the complexity of any function naturally increases its vulnerability; the challenge is to preserve essential functionality while minimizing vulnerabilities.
Most of these vulnerabilities occur when untrusted data is sent to a Web browser. However, with proper precautions and training, developers can avoid introducing such vulnerabilities to their code in the first place.
These exploits use JavaScript to execute code on the client side, although the Website used to gain access does not itself have to be using JavaScript for this to occur. The scripts can be embedded in a page so that they execute each time the page is loaded. XSS can allow attackers to obtain sensitive data or tamper with the functioning of a PC by displaying arbitrary content or issuing arbitrary commands. In some cases, the attacker can control the victim’s Web browser remotely.
How is XSS executed?
Most frequently, the user is duped into allowing the malicious script to run. This is typically done using decoys, such as a link sent in an email and disguised as something else. The user, believing the link is trusted, clicks it, and the code executes.
Malicious scripts can also be executed within the context of a Web application that displays profiles. For instance, if the user name input field is not properly protected, an attacker could enter malicious JavaScript as part of his user name. Any time another user views that profile, the script executes in that user’s browser session.
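The profile scenario above, as an added example that is not part of the original article: a renderer that concatenates the stored user name straight into HTML, beside a hardened version that encodes untrusted data for the HTML text context first. The function names and the sample user record are constructed for illustration.

```javascript
// Added example (not from the original article): stored XSS through a profile
// page's user-name field, in vulnerable and hardened forms.

// Encode the characters that let text break out of an HTML text node
// or a quoted attribute value.
function escapeHtml(untrusted) {
  return String(untrusted)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable: the stored user name is placed directly into markup, so any
// <script> in the name runs in every viewer's browser session.
function renderProfileUnsafe(user) {
  return `<div class="profile"><h1>${user.name}</h1></div>`;
}

// Hardened: the same template, but each untrusted value is encoded for the
// context it is inserted into (here, HTML text).
function renderProfileSafe(user) {
  return `<div class="profile"><h1>${escapeHtml(user.name)}</h1></div>`;
}

// Crude regression check for a test suite: after untrusted data has been
// inserted, does the rendered output still contain a raw script tag?
function containsRawScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed sample: a user name containing script markup, as described above.
const hostileUser = { name: "<script>alert('xss')</script>" };

console.log("unsafe:", renderProfileUnsafe(hostileUser));
console.log("safe:  ", renderProfileSafe(hostileUser));
console.log("unsafe output executes script?", containsRawScriptTag(renderProfileUnsafe(hostileUser)));
console.log("safe output executes script?  ", containsRawScriptTag(renderProfileSafe(hostileUser)));
```

Encoding must match the context the value lands in; a value written into a JavaScript string or a URL needs a different encoder than the HTML text encoder shown here.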
Veracode’s XSS Security Solution
Because of the nature of XSS, it can bypass traditional security restrictions. Fortunately, XSS is easy to detect and remedy. Veracode offers the Veracode Free XSS Detection Service, a tool enabling developers to ensure the security of their applications. Users simply upload a Java application and Veracode pinpoints potential vulnerabilities down to a single line of code. Finally, users receive a report that can be used to assure customers of the security of an application.
Veracode’s State of Software Security Report, Vol. 2, points out that most security issues can be fixed within an average of 16 days. In these cases, developers who have scanned and discovered flaws have taken steps to remediate those flaws and then rescanned their applications.
In some cases, XSS vulnerabilities are thought of as merely trivial, and many can in fact be described as such. But this is less a matter of the complexity of actually fixing the issues than of a business’s willingness to treat XSS as a viable threat and make efforts to reduce threats in its applications.
By evaluating applications on a case by case basis and narrowing down vulnerabilities to a single line of code, developers can easily detect flaws and quickly identify ways to patch and repair vulnerabilities. Veracode’s Free XSS Detection Service is the first step for any business or developer in producing safe, reliable applications for partners, customers and users.
About the author
Fergal Glynn is the Director of Product Marketing at Veracode, an award-winning application security company specializing in XSS security solutions and in addressing other security breaches with effective risk assessment tools.