Cross-site scripting (XSS), which occurs when cybercriminals insert malicious code into webpages to steal data or facilitate phishing scams, has been around almost since the dawn of the web itself. Although it is an older exploit, it still appears frequently enough to land on the OWASP Top 10 list.

It has even affected modern websites run by the FBI, the Obama administration, eBay and others. And last year, an ethical hacker breached a Dutch government website within a few days of its launch using a clientside XSS vulnerability.

A Growing Problem

According to WhiteHat Security’s “Web Applications Security Statistics Report 2016,” cross-site scripting accounts for nearly half of all web-based exploits last year. In fact, XSS has represented around 50 percent of website vulnerabilities since 2012.

These vulnerabilities are expected to grow by 166 percent in 2017, which would be the biggest jump in the past five years. If you need further convincing, Snyk reported that the rate of these attacks increased by 39 percent in the first quarter of 2017.

Why does XSS persist? Mainly because it is very easy to do, and opportunities abound. According to Wordfence, “XSS vulnerabilities are incredibly easy to write. If you simply write PHP in a way that feels intuitive, you will almost certainly write an XSS vulnerability into your code.”

XSS Mitigation Techniques

There are a few steps developers can take to prevent XSS. First, validate all your expected inputs. Most websites have numerous injection points, such as search fields, feedback forms, cookies and forums. Basically, anyplace where you are expecting an input can be vulnerable to XSS. Don’t just assume these inputs are coming from a trusted source. Validate using input type, length, format and range at all times within your code.

Second, use META tags and limit your input character sets. If you don’t need an extended character set for your site, exclude them in this fashion. You should also leverage automatic source code scanning tools and web vulnerability scanners to scour for issues. This must occur not just during development, but also periodically after deployment.

A great resource to study is the OWASP XSS Prevention Cheat Sheet. It is chock full of other suggestions for preparing your input and using open source tools. Understanding the threat cross-site scripting poses to all websites, as well as the most effective defensive techniques, can help organizations avoid becoming a victim.

Read the IBM X-Force research report: Beware of older cyber attacks

More from Application Security

Does Follina Mean It’s Time to Abandon Microsoft Office?

As a freelance writer, I spend most of my day working in Microsoft Word. Then, I send drafts to clients and companies across the globe. So, news of the newly discovered Microsoft Office vulnerability made me concerned about the possibility of accidentally spreading malware to my clients. I take extra precautions to ensure that I’m not introducing risk to my clients. Still, using Microsoft Office was something I did many times a day without a second thought. I brought up…

3 Reasons Why Technology Integration Matters

As John Donne once wrote, “No man is an island entire of itself.” With digitalization bridging any distance, the same logic could be applied to tech. Threat actors have vast underground forums for sharing their intelligence, while security professionals remain tight-lipped in a lot of data breach cases. Much like the way a vaccine can help stop the spread of infectious diseases, sharing threat intelligence and defense strategies can help to establish a more secure future for everyone.  So what…

Why Your Success Depends on Your IAM Capability

It’s truly universal: if you require your workforce, customers, patients, citizens, constituents, students, teachers… anyone, to register before digitally accessing information or buying goods or services, you are enabling that interaction with identity and access management (IAM). Many IAM vendors talk about how IAM solutions can be an enabler for productivity, about the return on investment (ROI) that can be achieved after successfully rolling out an identity strategy. They all talk about reduction in friction, improving users' perception of the…

Controlling the Source: Abusing Source Code Management Systems

For full details on this research, see the X-Force Red whitepaper “Controlling the Source: Abusing Source Code Management Systems”. This material is also being presented at Black Hat USA 2022. Source Code Management (SCM) systems play a vital role within organizations and have been an afterthought in terms of defenses compared to other critical enterprise systems such as Active Directory. SCM systems are used in the majority of organizations to manage source code and integrate with other systems within the…