alex_aldo - Fotolia
What's your take on eBay's recent cross-site scripting (XSS) vulnerability? Why wasn't it caught? Doesn't a site that large have enough gateway security technology to prevent XSS from being exploited regardless?
Cross-site scripting flaws continue to plague websites even though they are a well-known vulnerability, having been around since the 1990s. Most major websites -- including Google, CNN, PayPal and Facebook -- have been affected by XSS vulnerabilities at some point, and XSS always appears in lists such as the CWE/SANS Top 25 Most Dangerous Programming Errors and the OWASP (Open Web Applications Security Project) Top 10 Most Critical Web Application Security Risks.
One reason websites as big as eBay continue to fall prey to XSS attacks is that they are very complex and their webpages are being built on the fly, often pulling in content from other sites. This makes it difficult during testing to execute all possible permutations of user and application interaction, allowing vulnerabilities such as XSS to escape detection.
That said, it is somewhat surprising that eBay doesn't have a more rigorous code vetting process -- several XSS flaws have been found in recent weeks. There are plenty of tools available to test for XSS vulnerabilities so they can be resolved before the code is used on a live website. Developers can also make use of security control libraries -- such as OWASP's Enterprise Security API or Microsoft's Anti-Cross Site Scripting Library -- instead of writing their own validation checks. Gateway security technologies such as Web application firewalls can also help to detect and block attacks on XSS vulnerabilities; so yes, it's disappointing that a major site isn't protecting its users more from such a well-known and understood vulnerability.
Ask the Expert!
Want to ask Michael Cobb a question about application security? Submit your question now via email! (All questions are anonymous.)
XSS 101: Attacks plague Web browsers
XSS 102: Defending against cross-site scripting attacks
Dig Deeper on Application attacks (buffer overflows, cross-site scripting)
Related Q&A from Michael Cobb
Apple's Quick Look feature previews thumbnails that are not encrypted. Learn how this poses a security threat to enterprises from expert Michael Cobb. Continue Reading
Hackers can imitate the design and domain name of popular sites like Netflix to steal credentials. Expert Michael Cobb explains how these Netflix ... Continue Reading
Hackers use legitimate admin tools to exfiltrate data in living off the land attacks that are hard to detect. Learn about this cyberattack tactic ... Continue Reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.