Norton Symantec notes that 84 percent of all security vulnerabilities can be traced to cross-site scripting (XSS). In fact, your personal computer or business has likely encountered an XSS attack in the past, whether or not you experienced any noticeable side effects — and that alone makes this a critical issue to understand. A closer look at XSS can help you better understand this most common security issue on the Web, why it matters, and what you can do to protect your organization against it.
What Can Hackers Do with Simple Script Manipulation?
Any website that requests data from a visitor can be manipulated by inputting malicious code instead of basic information.
Whether it's a search box, email addresses for an online petition, or an order form for a product purchase, if hackers write code instead of signing their names or searching for an article, they can find a way into a website's backend — which allows them to use a trusted, legitimate website to reroute information such as email addresses and credit-card numbers.
Most Internet browsers trust popular websites' scripts unconditionally, which means that even if an unfamiliar script appears at a trusted site's address, it will be displayed. When you browse the Internet, you trust the websites you visit are vigilant in monitoring their sites for vulnerability and infiltration. If hackers sneak an XSS attack into a legitimate website, they are using that trustworthy address to filter your information to their illegitimate sites, gathering everything from passwords to email addresses to sensitive financial information. They also can use your trusted Web address to deliver malware to a visitor's computer, which can later be traced to you — or even cause your site to be flagged as "unsafe" by major antivirus products. And every time you notice an XSS attack, some other hacker has probably started devising ten more.
For a business with a website and Web-based applications, that's one heck of a headache.
Catching Attackers at the Source: What You Need to Know
First and foremost: To catch an attack, you have to know about the types of script(s) that are en vogue — otherwise you run the risk of deleting legitimate information with manual or automated security methods.
Imagine working security at a museum filled with priceless artwork, in which every visitor is handed a giant Sharpie to contribute to a collaborative piece at the end. How can you sort the visitors with malicious intent from those who are enjoying the museum and hoping to contribute to the artwork? What are the ramifications of erroneously removing visitors? (On the other hand, how bad is it if the Mona Lisa ends up mustachioed?) The results of an XSS attack can be as mild as a child drawing a smiley face on the floor or as dramatic as a botched restoration on a priceless fresco.
Whether hackers are finding out which products are searched on a consumer-review website or are stealing credit-card numbers, the violation of trust and security associated with such attacks can be disastrous. Consider Yahoo! Mail's reputation, which took a substantial hit after falling victim to multiple XSS attacks in 2013 and 2014, costing the Web-based email provider hundreds of thousands of users.
On the other hand, Twitter was also exploited in 2010 when users discovered a vulnerability that allowed them to modify the site's JavaScript through coded tweets. The hacks were all friendly in nature, though some malicious wormware was added before Twitter security fixed the problem. And though that problem never reached the scale it could have, it is a sobering look at the potential damage that can be done with one well-executed cross-site script attack.
According to the Ponemon Institute, the average time to recover data breached by XSS attacks is 24 days and the average cost to businesses can reach millions of dollars. So how can you prevent such an unpredictable and elusive attack from affecting your business without losing valuable data from real visitors?
A combination of well-written and thoroughly tested code (XSS attacks affect all versions of JavaScript) and a constantly updating security service that vets all inputs to your website is the best defense. Because of the dynamic, ever-evolving nature of XSS attacks, it's best to have a Web-based service that specializes in applications. It's also critical that your security service be able to walk the fine line between being dangerously permissive and overzealous. Even one accidental deletion can prove costly if a customer or lead gets mistaken for a potential threat. Then again, one well-disguised hack can undo an entire site's security network.
And that's sure to make the Mona Lisa frown.
Photo Source: Flickr