XSS is a large problem

Seen as an end-user issue, cross-site scripting has been ignored for too long. Now attacks are on the rise.

Cross-site scripting (XSS) is one of the most rapidly evolving web application vulnerabilities. At the time of writing, a search for "XSS" in the Common Vulnerabilities and Exposures (CVE) database lists around 2,750 separate vulnerabilities.

The main reason for this is that it is often overlooked and underestimated by application developers. During penetration tests over the past year, we found that more than 80 per cent of web applications were vulnerable to XSS.

XSS can be defined as the execution of arbitrary client-side code (typically JavaScript or HTML) that an attacker has injected into a web page. It exists wherever user-supplied input is accepted and echoed back into an HTML page without being encoded for the context it is written into.

Consider a typical website search whose query is passed as a URL parameter. A simple test is to enter some HTML markup into the input form. Only do this against a site you own or are authorised to test.

Try submitting a simple HTML tag, angle brackets included, into the search form. In many cases there are no search results, but you will see "0 search results" scrolling from right to left across the screen. That indicates the page is vulnerable to XSS: the HTML tag has been injected successfully into the results page.
