OWASP Top Ten Web Application Vulnerabilities: #2: Cross-Site Scripting

Cross-site scripting, also referred to as XSS, is the most common web application security vulnerability. XSS vulnerabilities can result from anyone that is able to send untrusted data into your stem – this includes external and internal users and administrators. XSS vulnerabilities may exist in your code when your application doesn’t properly validate data sent by a user to a browser. Improper invalidation of user content allows attackers to send a text-based attack script to exploit the browser’s interpreter. Browser side e interpreters include JavaScript, ActiveX, Flash and Silverlight, among others.

An attacker can steal or hijack a user’s session by executing scripts in the victim’s web browser. Attackers cause the victim’s session ID to be sent to the attacker’s web site, thus letting them hijack the victims’ session. Hackers can also insert negative content, deface your web site or redirect users to malicious sites.

One of the best things you can do to avoid falling prey to XSS is to ensure that you validate all user input sent to the browser. If you encode output properly, user input is treated as text instead of active content that can be executed. You should use data escaping techniques to escape all untrusted data based on their HTML context. If the applications user interface framework doesn’t do this for you, the developers must include the escaping logic in their code. Your application may need to accept special characters, so a positive or white list form of input validation is not always effective. Your application must be able to decode encoded input and validate the data before accepting it

You can detect XSS flaws through performing a vulnerability test through an automated tool or by analyzing your code. Note that it’s not easy to detect XSS flaws in Web 2.0 technologies.

One thought on “OWASP Top Ten Web Application Vulnerabilities: #2: Cross-Site Scripting

Leave a Comment

Your email address will not be published. Required fields are marked *


Contact Us

If you have an urgent question regarding your software licensing or a software audit, please contact Miro right away.

(732)738–8511 x1208
Use the chat box on the right

About Us

Miro is a leading global provider of software asset management services, specializing in license management, audit advisory, negotiation tactics, support management, and cloud services. We help our clients maximize ROI on their software license investments, stay in compliance, and minimize the impact of audits. Miro's performance guarantee promises that our long-tenured, diverse, and passionate team of expert analysts provides insightful and actionable advice to help our clients achieve the best possible outcomes.

Performance Guarantee

Miro’s no risk Performance Guarantee is that the amount of cost savings that we uncover will be more than our fees.


Managed Services for Oracle Licensing

Miro’s Managed Services for Oracle licensing is a best practice approach for an organization to optimize and outsource the practice of Software Asset Management to specialized external experts to ensure the organization’s compliance with vendor rules and policies.

Learn More