Cross-site scripting (XSS) vulnerabilities leave your database open to exploitation. Once a hacker has gained entry they can add information, remove information, or download that information for their own use. Companies need to audit their web applications in order to make sure that their data is protected against XSS. Six ways that your data may be vulnerable are: cookies, SSL connections, forums, user issues, special characters, and limited security.
Cookies
In terms of online activity, cookies are not a treat. Their purpose is to help users get back to information they once viewed on a website, and they also help the owner of the website with analytics. Hackers also love cookies, however, and they use them to help gain access to a website or to a personal computer.
Personal computer security tips include routinely clearing out cookies. Users can even choose a browser setting that blocks third-party cookies while they surf. Many users do not follow these security tips, and when they don't, it creates issues for both the surfer and the commercial site they visit.
SSL Connection
Users and businesses both believe that if information is viewed over an SSL connection they are safe from attack. This is not true in terms of XSS vulnerabilities. The attacker's code only exploits a vulnerability that already exists in the application, and encrypting the connection does not remove it. Just as firewalls cannot protect against certain hacker attacks, you can't rely on an SSL connection to protect you from cross-site scripting vulnerabilities.
Forums
When a company allows users to enter information directly into a database or add information to a forum, it is leaving itself open to a possible cross-site scripting attack. Once a hacker has joined a forum and can post information, they can start entering code that will exploit any existing vulnerabilities and allow them to gain access to the inner workings of the website.
User Issues
The way that a user inputs information can leave commercial websites and web applications vulnerable. One way that user input can give hackers access to web applications is the request for a lost username or password. If the company does not have proper safety protocols in place to verify the authenticity of the request, then a hacker can obtain the information they need to enter a website.
This is because users are often not careful when creating usernames and passwords. If the hacker can gain access to one, then they can make a request to the company website to obtain the other. Users also often lack proper security software on their computing devices. If a hacker has been able to gain access to an individual's computer, they may be able to obtain usernames and passwords for specific sites, or learn which sites the user visits and how they gain access.
Special Characters
Some companies try to stop hackers from guessing passwords or usernames by allowing special characters. While this can make a password more complex, it can leave a company's data vulnerable to XSS attacks. If a company is going to allow special characters to help end-users create usernames or passwords, there should be safeguards in place to make the company's web applications less vulnerable.
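The forum and special-character sections above come down to the same mechanism: user-supplied text (a post body, or a username containing quotes or angle brackets) is placed into the page's HTML without being encoded. The following JavaScript is an added example, not code from the original post or from Veracode; the escapeHtml, renderPostUnsafe and renderPostSafe functions and the sample post are constructed for illustration. It shows the vulnerable rendering next to the hardened one.

```javascript
// Added example (not from the original post): rendering user-supplied forum
// content into HTML. The username and post body are attacker-controlled in
// the page's terms; the fix is to HTML-encode each value at the point where
// it is inserted into markup.

const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Encode the five characters that change meaning inside HTML text or inside
// a quoted attribute value. Ampersand is included so the output cannot be
// decoded back into a tag by a later pass.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable rendering: user input is concatenated straight into markup, so
// a username or body containing a tag is interpreted by the browser.
function renderPostUnsafe(post) {
  return `<div class="post"><b>${post.username}</b>: ${post.body}</div>`;
}

// Hardened rendering: every user-controlled value is encoded as it goes into
// the HTML. The text still displays exactly as typed, but the browser never
// sees tags or attribute delimiters coming from it.
function renderPostSafe(post) {
  return `<div class="post"><b>${escapeHtml(post.username)}</b>: ${escapeHtml(post.body)}</div>`;
}

// Constructed sample input: a username carrying a quote and a tag, and a
// body carrying a script element, the kind of content a forum must handle.
const samplePost = {
  username: 'mallory"<i>',
  body: "Nice thread! <script>alert('xss')</script>",
};

console.log(renderPostUnsafe(samplePost));
console.log(renderPostSafe(samplePost));
```

Run it with node: the first line printed is the raw concatenation, which a browser would execute, and the second is the encoded version, which displays the same text harmlessly. Encoding at output time, rather than trying to ban special characters at input time, is what lets an application keep accepting complex usernames and passwords without exposing the pages that display them.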
Limited Security
Another way your data may be vulnerable to XSS is a lack of security measures. If your company does not audit its web applications and e-commerce sites for potential vulnerabilities, you may not be aware of problems that already exist. If your company has limited security or does not have a routine in place for monitoring and protecting online applications, then you may be vulnerable to an attack and not be aware that it has occurred.
Your company needs to create and maintain a strict security schedule in order to protect data from cross-site scripting and other attacks. Limit the use of cookies, don't rely on an SSL connection, and make sure that the use of forums does not expose the company to unnecessary risk. Limit special characters and schedule routine audits of web applications to help protect your company's data and to find and eliminate any potential XSS vulnerabilities.
Author Bio:
Fergal Glynn is the Director of Product Marketing at Veracode, an award-winning application security company specializing in the secure SDLC. Prevent XSS with Veracode.com, and other security breaches, with effective risk assessment tools.