July 10, 2017 By David Strom 2 min read

Cross-site scripting (XSS), which occurs when cybercriminals insert malicious code into webpages to steal data or facilitate phishing scams, has been around almost since the dawn of the web itself. Although it is an older exploit, it still appears frequently enough to land on the OWASP Top 10 list.

It has even affected modern websites run by the FBI, the Obama administration, eBay and others. And last year, an ethical hacker breached a Dutch government website within a few days of its launch using a clientside XSS vulnerability.

A Growing Problem

According to WhiteHat Security’s “Web Applications Security Statistics Report 2016,” cross-site scripting accounts for nearly half of all web-based exploits last year. In fact, XSS has represented around 50 percent of website vulnerabilities since 2012.

These vulnerabilities are expected to grow by 166 percent in 2017, which would be the biggest jump in the past five years. If you need further convincing, Snyk reported that the rate of these attacks increased by 39 percent in the first quarter of 2017.

Why does XSS persist? Mainly because it is very easy to do, and opportunities abound. According to Wordfence, “XSS vulnerabilities are incredibly easy to write. If you simply write PHP in a way that feels intuitive, you will almost certainly write an XSS vulnerability into your code.”

XSS Mitigation Techniques

There are a few steps developers can take to prevent XSS. First, validate all your expected inputs. Most websites have numerous injection points, such as search fields, feedback forms, cookies and forums. Basically, anyplace where you are expecting an input can be vulnerable to XSS. Don’t just assume these inputs are coming from a trusted source. Validate using input type, length, format and range at all times within your code.

Second, use META tags and limit your input character sets. If you don’t need an extended character set for your site, exclude them in this fashion. You should also leverage automatic source code scanning tools and web vulnerability scanners to scour for issues. This must occur not just during development, but also periodically after deployment.

A great resource to study is the OWASP XSS Prevention Cheat Sheet. It is chock full of other suggestions for preparing your input and using open source tools. Understanding the threat cross-site scripting poses to all websites, as well as the most effective defensive techniques, can help organizations avoid becoming a victim.

Read the IBM X-Force research report: Beware of older cyber attacks

More from Application Security

What’s up India? PixPirate is back and spreading via WhatsApp

8 min read - This blog post is the continuation of a previous blog regarding PixPirate malware. If you haven’t read the initial post, please take a couple of minutes to get caught up before diving into this content. PixPirate malware consists of two components: a downloader application and a droppee application, and both are custom-made and operated by the same fraudster group. Although the traditional role of a downloader is to install the droppee on the victim device, with PixPirate, the downloader also…

PixPirate: The Brazilian financial malware you can’t see

10 min read - Malicious software always aims to stay hidden, making itself invisible so the victims can’t detect it. The constantly mutating PixPirate malware has taken that strategy to a new extreme. PixPirate is a sophisticated financial remote access trojan (RAT) malware that heavily utilizes anti-research techniques. This malware’s infection vector is based on two malicious apps: a downloader and a droppee. Operating together, these two apps communicate with each other to execute the fraud. So far, IBM Trusteer researchers have observed this…

From federation to fabric: IAM’s evolution

15 min read - In the modern day, we’ve come to expect that our various applications can share our identity information with one another. Most of our core systems federate seamlessly and bi-directionally. This means that you can quite easily register and log in to a given service with the user account from another service or even invert that process (technically possible, not always advisable). But what is the next step in our evolution towards greater interoperability between our applications, services and systems?Identity and…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today