What's your take on eBay's recent cross-site scripting (XSS) vulnerability? Why wasn't it caught? Doesn't a site...
that large have enough gateway security technology to prevent XSS from being exploited regardless?
Cross-site scripting flaws continue to plague websites even though they are a well-known vulnerability, having been around since the 1990s. Most major websites -- including Google, CNN, PayPal and Facebook -- have been affected by XSS vulnerabilities at some point, and XSS always appears in lists such as the CWE/SANS Top 25 Most Dangerous Programming Errors and the OWASP (Open Web Applications Security Project) Top 10 Most Critical Web Application Security Risks.
One reason websites as big as eBay continue to fall prey to XSS attacks is that they are very complex and their webpages are being built on the fly, often pulling in content from other sites. This makes it difficult during testing to execute all possible permutations of user and application interaction, allowing vulnerabilities such as XSS to escape detection.
That said, it is somewhat surprising that eBay doesn't have a more rigorous code vetting process -- several XSS flaws have been found in recent weeks. There are plenty of tools available to test for XSS vulnerabilities so they can be resolved before the code is used on a live website. Developers can also make use of security control libraries -- such as OWASP's Enterprise Security API or Microsoft's Anti-Cross Site Scripting Library -- instead of writing their own validation checks. Gateway security technologies such as Web application firewalls can also help to detect and block attacks on XSS vulnerabilities; so yes, it's disappointing that a major site isn't protecting its users more from such a well-known and understood vulnerability.
Ask the Expert!
Want to ask Michael Cobb a question about application security? Submit your question now via email! (All questions are anonymous.)
XSS 101: Attacks plague Web browsers
XSS 102: Defending against cross-site scripting attacks
Dig Deeper on Application attacks (buffer overflows, cross-site scripting)
Related Q&A from Michael Cobb
The development of WPA3 helps advance Wi-Fi protocol, as the next generation of Wi-Fi-enabled devices begins to demand more. Expert Michael Cobb ... Continue Reading
An increase of IoT botnets has been seen since the Mirai malware source code was leaked. Learn how the new variants pose to be a serious threat to ... Continue Reading
Android Pixel vulnerabilities could open the smartphone up to attack. Expert Michael Cobb explains the vulnerabilities and how to defend against them. Continue Reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.