What's your take on eBay's recent cross-site scripting (XSS) vulnerability? Why wasn't it caught? Doesn't a site...
that large have enough gateway security technology to prevent XSS from being exploited regardless?
Cross-site scripting flaws continue to plague websites even though they are a well-known vulnerability, having been around since the 1990s. Most major websites -- including Google, CNN, PayPal and Facebook -- have been affected by XSS vulnerabilities at some point, and XSS always appears in lists such as the CWE/SANS Top 25 Most Dangerous Programming Errors and the OWASP (Open Web Applications Security Project) Top 10 Most Critical Web Application Security Risks.
One reason websites as big as eBay continue to fall prey to XSS attacks is that they are very complex and their webpages are being built on the fly, often pulling in content from other sites. This makes it difficult during testing to execute all possible permutations of user and application interaction, allowing vulnerabilities such as XSS to escape detection.
That said, it is somewhat surprising that eBay doesn't have a more rigorous code vetting process -- several XSS flaws have been found in recent weeks. There are plenty of tools available to test for XSS vulnerabilities so they can be resolved before the code is used on a live website. Developers can also make use of security control libraries -- such as OWASP's Enterprise Security API or Microsoft's Anti-Cross Site Scripting Library -- instead of writing their own validation checks. Gateway security technologies such as Web application firewalls can also help to detect and block attacks on XSS vulnerabilities; so yes, it's disappointing that a major site isn't protecting its users more from such a well-known and understood vulnerability.
Ask the Expert!
Want to ask Michael Cobb a question about application security? Submit your question now via email! (All questions are anonymous.)
XSS 101: Attacks plague Web browsers
XSS 102: Defending against cross-site scripting attacks
Dig Deeper on Application attacks (buffer overflows, cross-site scripting)
Related Q&A from Michael Cobb
Malicious apps collected Facebook user data through Facebook APIs. Expert Michael Cobb explains how social networking platforms can monitor ... Continue Reading
The UPnP protocol is being misused to distribute malware through home routers. Expert Michael Cobb explains the UPnP vulnerability and how to defend ... Continue Reading
SDKs made user data susceptible to security vulnerabilities in mobile apps. Expert Michael Cobb explains how this security vulnerability put user ... Continue Reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.