Nowadays, most of the browsers comes with a developer tool bar, often to help the developer fixing the HTML and other visible areas of web page. But this developer tool bar can also be a potential threat to the security of your system, if it is not been taken care of. The question is how? And the answer is pretty simple.

All developer tool bars have an option that let user to edit HTML on the fly and developer can see the effect immediately. Hackers and Crackers just love this option to break your website. If you are running an e-commerce website, this threat can even sell your products at zero price. If your website has a form integrated and that form takes a visitor to the payment gateway page, then before sending the value to the payment gateway, one can easily edit the form. They can put the value zero in place of price and can download any software or service which you sell online, at no price.

One can get the developer toolbar from the following places

• Firefox Developer ToolBar
• Firefox XML developer toolbar
• IE Developer Toolbar
• Opera Developer Toolbar

What does a developer toolbar do?

1.  It can edit the HTML on the fly.
2. It can change the value of form post fields.
3. It can expose the hidden password fields. If you have hit the ‘remember password’ option then the stored password can be made visible.
4. It can give you detailed information of the page.

Though, the toolbar is of immense help to developer, at the same time it is a potential tool for hacker too. So, please check if the website you are running is free from the threat of this tool.

How can you protect yourself from this attack?

1. First make your site in such a way that only registered user can use the payment gateway. This will at least help you to know who is breaking the rule.

2. Track user activity throughout his life cycle at your website.

3. If possible use background process for payment. (Like cURL in PHP).

4. If the gateway supports it, make the entire payment option encrypted.

If you are following this and you are a little careful, then possibly you will be save yourself. Before opening any e-commerce venture, ensure that your entire script is free from SQL injection(old stuff), XSS attack, fuzzing and cookie poisoning and theft. If you are not aware of web security much, then one day you might have to surrender your earning to the hands of hackers and crackers. So pre-act before it is too late.

Cross Site Scripting - XSS - A potential threat for you

Websites are changing face allover and more and more dynamic contents are coming up. Not only that, with the advent of e-commerce, as web space has grown into a lucrative business space, more websites are offering services or goods. These offers have enough to lure all the hackers and crackers and they are really exploring all the options to break your security lock and steal all you offer. XSS or cross site scripting is one such weapon which are mostly used by the hackers.

What basically is Cross Site Scripting or XSS?  Your website may have many input options which you use to collect information from user. So if anybody can use the input option and injects a javascript then the javascript will reside at your end, but will run maliciously to collect user data. Say if you run a forum and user has option to post javascript and HTML and if a user posts malicious script there, then the script can run and can steal session data of another user.  Not only that script can be embedded in form of simple user input. Like one can embed script in the address input part of your user registration section.

What are the threats? The XSS attack can cause small to severe damage to our website. It can hijack login information of another user, can change user or administration settings, cookie poisoning also placing unwanted advertisement.

Cookie Theft: Cookie is usually stored in encrypted format in client’s machine. When a session starts, the server stores user information at his end in form of cookie. If anybody can steal the cooki, he can get hold of the user logged in session. So you or your script shall be very careful regarding Cookie theft as otherwise this can cause several damage to your business and reputation.

How can you protect yourself: In your website whatever sections take user input, you need to be carefully code  those sections. You shall filter metacharacters, convert all user inputs into htmlentities (like > becomes > All the symbols should be translated into respective html codes. Your script should filter any objectionable tag in user input.

It is no doubt if there is any XSS holes in your website and if your website is pretty popular then one fine morning, you will realize what damages you incurred. But if you are careful from the beginning and can create a shield against the attack then you can live peacefully.