OWASP Top Ten Web Application Vulnerabilities: #2: Cross-Site Scripting

Cross-site scripting, also referred to as XSS, is the most common web application security vulnerability. XSS vulnerabilities can result from anyone who is able to send untrusted data into your system, including external and internal users and administrators. XSS vulnerabilities may exist in your code when your application doesn't properly validate data sent by a user to a browser. Improper validation of user content allows attackers to send a text-based attack script that exploits the browser's interpreter. Browser-side interpreters include JavaScript, ActiveX, Flash and Silverlight, among others.

An attacker can steal or hijack a user's session by executing scripts in the victim's web browser. Attackers cause the victim's session ID to be sent to the attacker's web site, thus letting them hijack the victim's session. Attackers can also insert malicious content, deface your web site or redirect users to malicious sites.

One of the best things you can do to avoid falling prey to XSS is to ensure that you validate all user input sent to the browser. If you encode output properly, user input is treated as text instead of active content that can be executed. You should use data escaping techniques to escape all untrusted data according to the HTML context it is placed in (element body, attribute value, JavaScript, CSS or URL). If the application's user interface framework doesn't do this for you, the developers must include the escaping logic in their code. Your application may need to accept special characters, so a positive (whitelist) form of input validation is not always effective on its own. Your application must also be able to decode encoded input and validate the data before accepting it.
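The following is an added example, not code from the original post, showing the vulnerable concatenation pattern beside context-aware escaping for three of the HTML contexts mentioned above, plus a decode-then-validate check; the input value, function names and the 40-character limit are constructed for illustration.

```python
import html
import json
from typing import Optional
from urllib.parse import unquote

# Constructed untrusted input, e.g. a query-string value a user controls.
UNTRUSTED_NAME = '<img src=x onerror="alert(1)">'


def render_unsafe(name: str) -> str:
    """Vulnerable pattern: untrusted data concatenated straight into markup."""
    return f"<p>Hello, {name}</p>"


def escape_html_body(value: str) -> str:
    """Escape for HTML element content: & < > \" ' become entities."""
    return html.escape(value, quote=True)


def escape_html_attr(value: str) -> str:
    """Escape for a quoted attribute value; the caller must add the quotes."""
    return html.escape(value, quote=True)


def escape_js_string(value: str) -> str:
    """Escape for a JavaScript string literal inside a <script> block.
    json.dumps yields a quoted literal; < and > are additionally hex-escaped
    so the value can never close the enclosing script element."""
    return json.dumps(value).replace("<", "\\u003c").replace(">", "\\u003e")


def render_safe(name: str) -> str:
    """Same page as render_unsafe, with each context escaped separately."""
    body, attr, js = escape_html_body(name), escape_html_attr(name), escape_js_string(name)
    return f'<p title="{attr}">Hello, {body}</p><script>var user = {js};</script>'


def decode_then_validate(raw: str, max_len: int = 40) -> Optional[str]:
    """Canonicalise (URL-decode, twice to unwrap double encoding) before
    validating, so an encoded payload cannot slip past a whitelist check.
    Accepts only letters, digits and spaces; returns None on rejection."""
    decoded = unquote(unquote(raw))
    if len(decoded) > max_len or not all(c.isalnum() or c == " " for c in decoded):
        return None
    return decoded
```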

You can detect XSS flaws by running a vulnerability test with an automated tool or by analyzing your code. Note that it's not easy to detect XSS flaws in Web 2.0 technologies, where much of the page is assembled by client-side script.
