Too frequently when businesses think about the dangers presented by hackers, they think exclusively about intrusion. The notion that a hacker will go in and steal data vital business data, or customer information can keep executives and IT managers alike tossing in their sleep. Businesses spend far less time focusing the increasing problem that hackers might attack their customers through their website. This type of attack is known as Cross-Site Scripting. Sites that are vulnerable to Cross-Site Scripting are not PCI compliant.
As discussed in a recent article (http://www.theregister.co.uk/2008/06/13/security_giants_xssed/) even security giants like McAfee, Symantec and Verisign have collectively had at least 30 Cross-Site Scripting vulnerabilities on their websites that exposed their customers to being redirected away from their websites, or potentially having malware installed on their computers.
This white paper will explain how these attacks work and will discuss the difference between Non-Persistent Cross-Site Scripting and the far more dangerous Persistent Cross-Site Scripting variations. We will highlight the challenge presented to Web Application Security Scanners and how only Retina Web Security Scanner (RWSS) solves them.
Can This Happen To Your Business?
If it can happen to those security conscious companies and many others (http://www.xssed.com/), it can happen to your business. Anytime you display user input or content, you must properly encode it or you will be exposed. You may be thinking that you do not display user content, so consider the following questions:
- Does your site have a search form which shows the user what they searched for, or puts that value back into the search field?
- Do you have any type of login page or account system where users can choose their user name, or have any profile such as first and last name?
- Do you have any feedback or support form which is later display to someone internally? (This could expose your internal users to dangerous attacks as well)