XSS flaws: Why aren't major websites catching XSS vulnerabilities?

Cross-site scripting (XSS) flaws have been a major website vulnerability for the past two decades. So why are major sites still falling victim? Expert Michael Cobb explains.

What's your take on eBay's recent cross-site scripting (XSS) vulnerability? Why wasn't it caught? Doesn't a site that large have enough gateway security technology to prevent XSS from being exploited regardless?

Cross-site scripting flaws continue to plague websites even though they are a well-known vulnerability that has been around since the 1990s. Most major websites -- including Google, CNN, PayPal and Facebook -- have been affected by XSS vulnerabilities at some point, and XSS always appears in lists such as the CWE/SANS Top 25 Most Dangerous Programming Errors and the OWASP (Open Web Application Security Project) Top 10 Most Critical Web Application Security Risks.

XSS attacks differ from most application-layer attacks -- such as SQL injection -- because they target an application's users rather than the application or its server. They work by injecting code, usually a client-side script such as JavaScript, into content that the Web application then delivers to other users' browsers, where it runs with the same access to the site as the user's own session. The payload may be reflected straight back from a request (reflected XSS) or stored by the application and served to everyone who later views the affected page (stored XSS). Most websites have numerous injection points, including search fields, feedback forms, cookies and forums. By exploiting XSS vulnerabilities, attackers can steal data, take control of a user's session, run malicious code in the victim's browser, or manipulate what is displayed to the victim.

A website such as eBay is built almost entirely on user-generated content, and it allows active content such as JavaScript and Flash in users' item descriptions. Because the site has to be interactive, accepting data from users and returning it to other users, attackers can interact with it directly over the same channel, bypassing traditional perimeter defenses. Unless all user-supplied content is rigorously checked, XSS attack code can be injected into an auction listing page, and its payload will run in the browser of every user who visits that listing. All data received from users (form data, cookies, emails, files, images and so on) has to be treated as untrusted: it needs to be validated on input and, just as importantly, encoded for the context (HTML body, attribute, URL or script) in which the application writes it back out, before it is passed on to scripts and databases or rendered to other users.

One reason websites as big as eBay continue to fall prey to XSS attacks is that they are very complex, and their pages are assembled on the fly, often pulling in content from other sites. This makes it difficult during testing to exercise every permutation of user and application interaction, so vulnerabilities such as XSS escape detection.

That said, it is somewhat surprising that eBay doesn't have a more rigorous code vetting process -- several XSS flaws have been found in recent weeks. There are plenty of tools available to test for XSS vulnerabilities so they can be resolved before the code is used on a live website. Developers can also make use of security control libraries -- such as OWASP's Enterprise Security API or Microsoft's Anti-Cross Site Scripting Library -- instead of writing their own validation and encoding routines. Gateway security technologies such as Web application firewalls can also help to detect and block attacks on XSS vulnerabilities, although they work by matching known attack patterns in requests and can be evaded by variants they do not recognise, so they are a backstop for fixing the code rather than a substitute for it. So yes, it's disappointing that a major site isn't protecting its users more from such a well-known and understood vulnerability.
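To make the gateway caveat concrete, here is an added illustration that is not from the article and is not any product's rule set: a deliberately small signature filter of the kind a Web application firewall applies to request parameters, run against constructed requests. It shows why such a filter helps without being a fix: small, publicly documented variants of a payload slip past it, and each normalization step added to the filter narrows the gap without closing it, whereas the output-encoding fix in the previous example does not depend on the payload's shape at all. The signatures, request data and function names are all made up for this example.

```javascript
// Added illustration, not from the article and not any product's rule set: a
// deliberately small signature filter of the kind a gateway device applies to
// request parameters, run against constructed requests.
// Signatures, request data and function names are all constructed here.

const xssSignatures = [
  /<script\b/i,                    // classic <script> tag
  /\bon(error|load|click)\s*=/i,   // a few common event-handler attributes
  /javascript:/i,                  // script URL scheme
];

function blockedByFilter(param) {
  return xssSignatures.some((re) => re.test(param));
}

// Browsers decode numeric character references inside attribute values, so
// "&#106;avascript:" in an href is the same scheme as "javascript:". A filter
// that wants to see what the browser sees has to decode first.
function decodeNumericEntities(s) {
  return s
    .replace(/&#x([0-9a-f]+);?/gi, (_, hex) => String.fromCodePoint(parseInt(hex, 16)))
    .replace(/&#(\d+);?/g, (_, dec) => String.fromCodePoint(parseInt(dec, 10)));
}

// Constructed request parameters: two obvious payloads and two variants that a
// browser executes just the same but that the three signatures above miss.
const requests = [
  { id: 'obvious-1', q: '<script>alert(1)</script>' },
  { id: 'obvious-2', q: '<img src=x onerror=alert(1)>' },
  { id: 'variant-1', q: '<details open ontoggle=alert(1)>' },          // unlisted event handler
  { id: 'variant-2', q: '<a href="&#106;avascript:alert(1)">x</a>' }, // entity-encoded scheme
];

// Run the filter over the requests, optionally decoding entities first, and
// report which requests it would block and which it would let through.
function filterReport(reqs, normalize) {
  const report = { blocked: [], passed: [] };
  for (const r of reqs) {
    const value = normalize ? decodeNumericEntities(r.q) : r.q;
    (blockedByFilter(value) ? report.blocked : report.passed).push(r.id);
  }
  return report;
}

console.log('raw match:     ', filterReport(requests, false));
console.log('decoded first: ', filterReport(requests, true));
```

Adding entity decoding catches the encoded scheme but still misses the unlisted event handler, and extending the handler list only invites the next variant. That is the sense in which a gateway filter lowers the volume of successful attacks without removing the vulnerability; only encoding or sanitizing the data where the application emits it does that.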

This was last published in November 2014

Why do you think eBay isn't catching these XSS flaws? Should a big company like this be doing more to keep its users safe?
That's the question all of these big organizations should be asking themselves. With most of these companies on high alert due to these data breaches, I think we'll see eBay (and others) focus more on these flaws.
Given how simple it is to find (and fix) cross-site scripting flaws in the software development lifecycle, there's really no logical excuse. I suspect it's application complexity and lack of internal resources - the bane of most security programs.