One of the most popular high-risk vulnerabilities plaguing websites today is cross-site scripting, or XSS. This kind of attack is popular because it is easy to perpetrate and, although it is easy to prevent, many websites were not designed with the necessary controls to do so. In this brief post, we describe how XSS works and how to prevent it.
Suppose we have a page with a simple web login form that features a text field for the user to enter her username and a password field for her to enter her password. Most users will come to this page and type their real username and password. When they do and click the submit button, their entries are whisked away to a program running on the web server that checks whether the credentials they entered are legitimate. That server application responds by sending them either a page that gives them access to the site or a page that shows them an error message and gives them a chance to enter their information again. If the user did enter the wrong username or password, it is not uncommon for the ensuing page to show her the username she typed as a sort of sanity check. For example, the error page might say “Sorry. You entered the wrong username or password for user X.” Usually, “X” is innocuous: it is simply the mistyped username the visitor had entered. The risk arises when “X” is not a plain username but markup that the server copies into the page verbatim, so that the visitor’s browser parses it as part of the page rather than displaying it as text.
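The error page described above, written out as an added example (not code from the original post): the vulnerable version reflects the submitted username straight into the HTML, while the hardened version HTML-encodes it first with Python's standard `html.escape`. The sample username and the helper names are constructed for this illustration.

```python
import html

# Constructed sample input (not from the original post): a "username" that is
# really HTML markup, the kind of value a reflected-XSS attempt would submit.
SAMPLE_USERNAME = "<script>alert(1)</script>"

TEMPLATE = "<p>Sorry. You entered the wrong username or password for user {user}.</p>"


def render_error_vulnerable(username: str) -> str:
    """Reflects the submitted username verbatim into the page body.
    Any markup in the input becomes part of the page the browser parses."""
    return TEMPLATE.format(user=username)


def render_error_safe(username: str) -> str:
    """Same page, but the username is HTML-encoded first, so '<', '>', '&'
    and quotes are rendered as visible text rather than parsed as markup."""
    return TEMPLATE.format(user=html.escape(username, quote=True))


def render_retry_form_safe(username: str) -> str:
    """Pre-fills the retry form with the previous username. The value sits
    inside a double-quoted attribute, so quotes must be encoded as well
    (quote=True), otherwise the input could close the attribute early."""
    return '<input type="text" name="username" value="{}">'.format(
        html.escape(username, quote=True)
    )


def contains_raw_script_tag(page: str) -> bool:
    """Crude check used only to show the difference between the two renderers:
    does the page still contain an un-encoded script tag?"""
    return "<script>" in page


if __name__ == "__main__":
    print(render_error_vulnerable(SAMPLE_USERNAME))
    print(render_error_safe(SAMPLE_USERNAME))
    print(render_retry_form_safe('a"b'))
```

The same encoding must be applied everywhere the value is reflected, and the encoding must match the context (body text, attribute value, URL, or script), which is why the attribute case is shown separately.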
Regardless, it is important that users not take such measures for granted. Never click on a link until you’ve hovered over it to see where it leads. If it looks like there’s some funky gibberish embedded in the link’s address, or if the link leads somewhere unfamiliar, don’t click!