Number three on the 2013 Open Web Application Security Project (OWASP) Top 10 most critical web application security risks is Cross-Site Scripting (XSS), which moved down the list from the number two spot in 2010 and the top position in 2007.  It started on the original Top 10 list in 2004 at number four.

According to the This statistic alone demonstrates the need for organizations to clearly understand XSS flaws, what they are, how to detect them and their business impact.

What is Cross-Site Scripting (XSS)?

XSS attacks are a type of injection that occurs when an attacker injects text-based scripts into dynamic content, and that malicious code is then delivered to an unsuspecting user through a web browser.  The untrusted data reaches the website without being properly validated and can result in serious consequences for a business.  Even basic websites that simply serve as company brochures and don’t handle transactions are not immune to XSS flaws.

The attacker can be an internal or external user, or even an administrator, as long as they are able to send untrusted data to the interpreter in the web browser.  The two main types of XSS flaws are stored and reflected.

In the case of stored XSS flaws, the malicious script is permanently stored on the target server, for example in a database, message forum, visitor log or comment field.  The malicious script is retrieved by the innocent end user when he/she requests the data from the server where it is stored.

Reflected XSS attacks occur when the malicious script is embedded in the HTTP response of a web page, for example in an error message or a search result.  The attack is delivered to the end user via an email or another website, where they may click on a link, submit a form or visit a malicious site.  The script is then sent to the vulnerable website, which reflects the attack back to the user’s browser.
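Both variants come down to untrusted text being written into a page as live markup. The following is an added example, not code from the original post: a search page that reflects its query, in the vulnerable form and in a hardened form that HTML-encodes the value, plus the crude marker check a tester or DAST tool uses to tell the two apart. It assumes a Node.js runtime and no external packages.

```javascript
// Added example (not from the original post). Assumes Node.js; no dependencies.

// Encode the characters that let untrusted text change HTML structure.
// This is the right encoding for text placed in element content or a quoted
// attribute; other contexts (JavaScript, URLs, CSS) need their own encoders.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable: the query parameter is copied into the response verbatim, so a
// query containing markup is reflected back to the browser as real markup.
function renderSearchVulnerable(query) {
  return `<p>Results for: <span class="q">${query}</span></p>`;
}

// Hardened: same page, but the untrusted value is encoded for the element
// context it lands in. The browser now displays the text instead of parsing it.
function renderSearchHardened(query) {
  return `<p>Results for: <span class="q">${escapeHtml(query)}</span></p>`;
}

// Stored variant, same defence: comments saved earlier are encoded at render
// time, so encoding applies regardless of where the data came from.
function renderComments(storedComments) {
  return "<ul>" + storedComments.map((c) => `<li>${escapeHtml(c)}</li>`).join("") + "</ul>";
}

// Detection check a tester would run: send a unique, harmless marker element
// and see whether it comes back as live markup rather than as encoded text.
function reflectsMarkup(html, marker) {
  return html.includes(marker);
}

// Constructed untrusted input: closes the site's own element and adds one the
// site never wrote. It is a marker, not a working payload.
const untrustedInput = '</span><b id="injected">not from the site</b>';
const marker = '<b id="injected">';
```

In the vulnerable render the marker survives as markup; in the hardened render it comes back as `&lt;b id=&quot;injected&quot;&gt;`, which the browser renders as text.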

XSS Vulnerabilities

XSS vulnerabilities can cause a variety of issues, including hijacking user sessions, defacing websites, redirecting visitors to malicious sites, inserting hostile content, hijacking the user’s browser using malware, and so on.  These security threats can negatively impact the business depending on which system and data are actually affected.  An exploited customer-facing application may have a greater impact on a business than one that is used for internal functions because….

These injection flaws can be challenging to detect.  Automated tools can be used to identify some XSS problems; however, with every application’s output page being slightly different and a variety of browser-side interpreters in use, automated detection can be difficult.  The best approach is to use a variety of testing methodologies, including manual code review and penetration testing. Automated methods such as Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST) are the next step in testing the security of the software. Code Dx automates these kinds of tests and collates all of the results in one centralized console, which is a very new capability within the testing market. By using Code Dx, the effort needed to appropriately test software can be significantly reduced, saving a tremendous amount of time for today’s organizations.