Cross Site Scripting - XSS - A potential threat for you
Websites are changing face allover and more and more dynamic contents are coming up. Not only that, with the advent of e-commerce, as web space has grown into a lucrative business space, more websites are offering services or goods. These offers have enough to lure all the hackers and crackers and they are really exploring all the options to break your security lock and steal all you offer. XSS or cross site scripting is one such weapon which are mostly used by the hackers.
What basically is Cross Site Scripting or XSS? Your website may have many input options which you use to collect information from user. So if anybody can use the input option and injects a javascript then the javascript will reside at your end, but will run maliciously to collect user data. Say if you run a forum and user has option to post javascript and HTML and if a user posts malicious script there, then the script can run and can steal session data of another user. Not only that script can be embedded in form of simple user input. Like one can embed script in the address input part of your user registration section.
What are the threats? The XSS attack can cause small to severe damage to our website. It can hijack login information of another user, can change user or administration settings, cookie poisoning also placing unwanted advertisement.
Cookie Theft: Cookie is usually stored in encrypted format in client’s machine. When a session starts, the server stores user information at his end in form of cookie. If anybody can steal the cooki, he can get hold of the user logged in session. So you or your script shall be very careful regarding Cookie theft as otherwise this can cause several damage to your business and reputation.
How can you protect yourself: In your website whatever sections take user input, you need to be carefully code those sections. You shall filter metacharacters, convert all user inputs into htmlentities (like > becomes > All the symbols should be translated into respective html codes. Your script should filter any objectionable tag in user input.
It is no doubt if there is any XSS holes in your website and if your website is pretty popular then one fine morning, you will realize what damages you incurred. But if you are careful from the beginning and can create a shield against the attack then you can live peacefully.
