How to prevent cross-site scripting

QUESTION:
What can cross-site scripting attacks do and how can we protect our Web sites/applications against them?



EXPERT RESPONSE FROM: Ed Skoudis, past SearchSecurity.com expert

ANSWERED June 2006:
Cross-site scripting (XSS) involves a Web site (such as a bank or e-commerce site) that collects user input and displays it verbatim back to the user without any filtering. An attacker can create Web content to access such a site, supply user input that includes a browser script and then trick the user into viewing the site with that content. For example, an attacker could send a victim an email with a legitimate URL that points to the site and provides it with a browser script as input. The attacker could also post a link in a newsgroup or other third-party site, or post content on a site that allows third parties to upload information, such as a social networking site, Web mail provider, blogging site, etc. When a victim user goes to the site, the malicious content, including the script, goes back to the browser and runs there. The browser, unaware that the script is malicious, runs the program, and inadvertently allows the attacker's script to access any functionality of that site. It could steal cookies and send them to the attacker, or engage in transactions as the victim user. So, an e-commerce site that does not filter user input to remove potentially dangerous characters associated with browser scripts is particularly vulnerable to XSS attacks.

How do you protect Web sites against cross-site scripting attacks? Web developers can implement filtering code for all user input to remove potentially noxious characters, or convert them to something that a browser will not run (for example, > and < can be converted to &gt; and &lt; respectively). CodeIgniter includes free PHP filtering code to prevent XSS and other kinds of attacks. To learn more about CodeIgniter, visit http://www.codeigniter.com.

Web users can protect against these attacks by disabling scripting in their browser, but this causes many Web sites to not function at all, or to have severely limited use. Users can also configure a trusted zone in their browser to allow scripts only from sites they know are very unlikely to have XSS flaws. But implementing such a solution is difficult. Also, avoid clicking on links in emails, newsgroup postings and third-party sites. Instead, only log in to such sites directly, by typing their URL right in your browser or surfing there from a shortcut. Although it's a good defensive principle, even that approach can be cumbersome. In the end, users typically depend on trusting that the Web sites they access will filter user input.
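As an added illustration that is not part of Ed Skoudis's answer: the pattern he describes (a page echoing a query parameter verbatim) beside the fix he recommends (converting characters like < and > to HTML entities before they reach the browser). The function names and the sample input are constructed for this example.

```javascript
// Entities for the characters that change meaning inside HTML text content.
// '&' must be encoded too, otherwise an already-encoded value can be decoded
// back into markup by the browser.
const HTML_ENTITIES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
};

// Convert user-supplied text so the browser renders it as text, never as markup.
function escapeHtml(input) {
  return String(input).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Vulnerable: the query parameter is placed into the page exactly as received,
// which is the reflected XSS condition described in the answer above.
function renderSearchPageUnsafe(query) {
  return `<p>Results for: ${query}</p>`;
}

// Hardened: the same page, but every user-controlled value is entity-encoded
// for the HTML text context it lands in.
function renderSearchPageSafe(query) {
  return `<p>Results for: ${escapeHtml(query)}</p>`;
}

// Crude check used only to show the difference between the two renderers:
// does the rendered HTML contain a script element that originated in the input?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed sample input: the harmless probe commonly used to test for XSS.
const SAMPLE_INPUT = '<script>alert("xss")</script>';

console.log('unsafe:', renderSearchPageUnsafe(SAMPLE_INPUT));
console.log('safe:  ', renderSearchPageSafe(SAMPLE_INPUT));
```

Encoding is context-specific: the table above is right for HTML text and quoted attribute values, while values placed into JavaScript, URLs or CSS need the encoder for that context instead.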
