
Have you been XSSed?

Posted: April 20th, 2009 | Filed under: Web Security Tools

In his recent article on XSS vulnerabilities, Brian Krebs of the Washington Post reports that last year thousands of Web sites were cited for harboring security flaws that could be used to attack others online.

“At issue are sites that harbor so-called cross-site scripting (XSS) vulnerabilities, which occur when Web sites accept input from a user, usually from something like a search box or e-mail form, but do not prevent users from entering malicious code or other instructions.”

XSSed.com, a site which catalogs XSS flaws on the web, has found more than 13,000 Web pages that hosted XSS vulnerabilities. The XSSed project was created in early February 2007 by Kevin Fernandez and Dimitris Pagkalos. It provides information on all things related to cross-site scripting vulnerabilities and is the largest online archive of XSS vulnerable websites.

“XSS flaws are some of the most common Web site vulnerabilities, but they are also usually fairly simple to fix. If your site is listed on xssed.com, or you’d simply like to know more about how to make sure your site isn’t contributing to the problem, check out this primer from the Open Web Applications Security Project (OWASP). While you’re there, you might want to take a look at some of the other best-practices documents they have available.”


XSS relies on trust. Blindly trusting user input and posting it back to a site, particularly when that input includes HTML or JavaScript, is a certain recipe for trouble. If you have access to your Web application's code, make sure you sanitize every input for script-based payloads. If you don't have access to the code, or want an extra layer to make sure nothing gets through, a Web Application Firewall such as one of the ServerDefender family is in order.
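As an added illustration (not code from the original post or from Port80), here is the search-box case from the quote above rendered two ways: once echoing the query verbatim, once HTML-encoding it, together with a simple check for tags the template itself never produced. The function names and the sample queries are constructed for this example.

```javascript
// Encode the five characters that let user text break out of an HTML text node
// or attribute value. '&' goes first so already-encoded entities are not doubled.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable: the search term is concatenated straight into the markup, so any
// tag a user types into the search box becomes part of the page structure.
function renderSearchPageUnsafe(query) {
  return `<h1>Results for: ${query}</h1>`;
}

// Fixed: the same page, with the term encoded for an HTML text context.
// The browser displays the angle brackets instead of interpreting them.
function renderSearchPage(query) {
  return `<h1>Results for: ${escapeHtml(query)}</h1>`;
}

// Defender's check: list every element in the rendered output that the
// template did not put there. An empty result means no markup leaked in.
function foreignTags(html, allowed = ['h1']) {
  const tags = [...html.matchAll(/<\/?([a-zA-Z][\w-]*)/g)]
    .map(m => m[1].toLowerCase());
  return [...new Set(tags.filter(t => !allowed.includes(t)))];
}

// Constructed sample input: an ordinary query and one carrying a tag.
const benignQuery = 'web application firewall';
const markupQuery = '<b>not a search term</b>';

console.log(foreignTags(renderSearchPageUnsafe(markupQuery))); // [ 'b' ]
console.log(foreignTags(renderSearchPage(markupQuery)));       // []
```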

Shannon @ Port80

{follow us on Twitter @port80software.com}
