Finding cross-site scripting (XSS) application flaws checklist

Cross-site scripting (XSS) is like weak passwords: the problem is widespread; the solution is relatively simple and yet the issue appears to be getting worse.

I remember when XSS was this mysterious Web flaw that no one could really explain. We knew it was something bad but it was hard to put a finger on it. A decade later, XSS plagues the Internet. Everything from basic Web sites to social media systems to e-commerce applications seem to have XSS flaws in some form. Numerous studies have shown that XSS makes up the majority of Internet-related vulnerabilities.

Over the past year, I've found XSS in all but about five percent of the Web sites and applications I've tested. This is a big deal when you factor in the ease of accessibility and exploitation, especially via phishing-related attacks.

Here's what you can do right now to seek out and ultimately eliminate XSS vulnerabilities in your environment.

1. Understand the vulnerability so you'll know what you're up against and what to look for. As with weak passwords, XSS is actually pretty basic.
   
   
2. Assemble your toolset. XSS is something that can turn up on any Web form or input area on your site or application. It's unreasonable to assume you're going to be able to find all of the input areas and throw every possible iteration of XSS at them. You have to have a good Web vulnerability scanner such as HP's WebInspect or Acunetix Web Vulnerability Scanner, just to name a couple. Based on my experience, you're not going to find many XSS flaws, if any, if you're not using a dedicated Web vulnerability scanner and are just using a more generic vulnerability scanner that touts Web capabilities often in the name of PCI DSS scans.
   
   
3. Scan your systems as an untrusted outsider. I see a lot of XSS in Web applications behind authentication mechanisms. This no doubt highlights input validation issues but it's less of a concern given that the required login can stop the automated aspect of XSS attacks. However, this is changing due to the emergence of persistent XSS, malicious code that's stored in a database and made accessible via rich Internet applications.
   
   
4. Test every public-facing system whether or not it's critical. The essence of XSS is not necessarily tied to the importance or value of the system. It's the fact that you're enabling the bad guys to exploit a flaw in your environment to take advantage of an unsuspecting user or third-party in the same way spammers take advantage of random open SMTP relays to indirectly carry out their misdeeds against others.
   
   
5. Don't focus solely on JavaScript. I'm starting to see more VBScript and Flash-induced XSS. It's pretty rare, but I suspect that'll change as applications become more complex. Make sure you're scanning all ...
   
   To continue reading for free, register below or login

   Requires Membership to View

   To gain access to this and all member only content, please provide the following information:

   Email Address:
   
   
   

   By joining SearchSoftwareQuality.com you agree to receive email updates from the TechTarget network of sites, including updates on new content, magazine or event notifications, new site launches and market research surveys. Please verify all information and selections above. You may unsubscribe at any time from one or more of the services you have selected by editing your profile or unsubscribing via email.
   
   TechTarget cares about your privacy. Read our Privacy Policy
   To read more you must become a member of SearchSoftwareQuality.com

   As an existing member of the TechTarget network please activate your SearchSoftwareQuality.com account 

   By joining SearchSoftwareQuality.com you agree to receive email updates from the TechTarget network of sites, including updates on new content, magazine or event notifications, new site launches and market research surveys. Please verify all information and selections above. You may unsubscribe at any time from one or more of the services you have selected by editing your profile or unsubscribing via email.
   
   TechTarget cares about your privacy. Read our Privacy Policy
   
   
   

   Digg This!     StumbleUpon     Del.icio.us

   
   
   
   

   RELATED CONTENT Software security testing and techniques Free Web proxy security tools software testers should get to know How to get management on board with Web 2.0 security issues Web application security best practices: Tips on implementation Testing strategies for complex environments How to make your software tamperproof Ways to approach application performance testing on a tight budget How can I tell if my software security has been breached? Is online application testing for smartphones different from other software testing? Software testers facing six big challenges today, StarWest keynoter says Lesser-known free software testing tools testers should try Software security testing tools Put a stop to software espionage by watermarking source code How to make your software tamperproof How can I tell if my software security has been breached? Lesser-known free software testing tools testers should try Demo: Using WebGoat, a free software testing tool Rich Internet applications security testing checklist Webgoat Tutorial Retaking command of your hacked software Identifying whether or not your site or software has been hacked Selecting the best tool for stress and load testing

   RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary penetration testing  (SearchSoftwareQuality.com)

   RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

   
   
   parts of your site and/or application with a tool that can uncover all XSS regardless of the language that's facilitating it.
   
   

6. If you've thoroughly scanned your entire site/application and nothing's turning up, you can check for XSS manually by entering the following into form fields or other input areas like directly in your URL: < script > alert ('XSS!')< /script > It's really basic and not guaranteed, but I have found XSS that Web vulnerability scanners have missed by using this technique.

The good news is that XSS often doesn't place sensitive back-office information at risk. It's more of a risk to your users and to unsuspecting third-parties on the client side; but it could ultimately lead to theft of login credentials and session information, which creates an entirely new dilemma for your business. Given the simple solutions, it's still not a risk worth taking.