alex_aldo - Fotolia
What's your take on eBay's recent cross-site scripting (XSS) vulnerability? Why wasn't it caught? Doesn't a site that large have enough gateway security technology to prevent XSS from being exploited regardless?
Cross-site scripting flaws continue to plague websites even though they are a well-known vulnerability, having been around since the 1990s. Most major websites -- including Google, CNN, PayPal and Facebook -- have been affected by XSS vulnerabilities at some point, and XSS always appears in lists such as the CWE/SANS Top 25 Most Dangerous Programming Errors and the OWASP (Open Web Applications Security Project) Top 10 Most Critical Web Application Security Risks.
One reason websites as big as eBay continue to fall prey to XSS attacks is that they are very complex and their webpages are being built on the fly, often pulling in content from other sites. This makes it difficult during testing to execute all possible permutations of user and application interaction, allowing vulnerabilities such as XSS to escape detection.
That said, it is somewhat surprising that eBay doesn't have a more rigorous code vetting process -- several XSS flaws have been found in recent weeks. There are plenty of tools available to test for XSS vulnerabilities so they can be resolved before the code is used on a live website. Developers can also make use of security control libraries -- such as OWASP's Enterprise Security API or Microsoft's Anti-Cross Site Scripting Library -- instead of writing their own validation checks. Gateway security technologies such as Web application firewalls can also help to detect and block attacks on XSS vulnerabilities; so yes, it's disappointing that a major site isn't protecting its users more from such a well-known and understood vulnerability.
Ask the Expert!
Want to ask Michael Cobb a question about application security? Submit your question now via email! (All questions are anonymous.)
XSS 101: Attacks plague Web browsers
XSS 102: Defending against cross-site scripting attacks
Dig Deeper on Application attacks (buffer overflows, cross-site scripting)
Related Q&A from Michael Cobb
WhatsApp vulnerabilities can enable hackers to bypass end-to-end encryption and spoof messages. Expert Michael Cobb explains how these attacks work ... Continue Reading
Disabling Google location tracking involves more than turning off Location History. Learn how to manage your account settings to stop tracking ... Continue Reading
Compared to TLS 1.2, TLS 1.3 saw improvements in security, performance and privacy. Learn how TLS 1.3 eliminated vulnerabilities using cryptographic ... Continue Reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.