Sunday, September 30, 2018

Steps to prevent leverage of cross-site scripting attacks

Cross-site scripting attacks

How-To: Prevent the XSS attack-vector leverage

 Additional steps from Development to Deployment

 **Developers** 

     - Should determine what is a safe user input and reject all others - be it a text, javascript or any unauthorized piece of code
    - Depending on the Input text box, developers can restrict text to certain characters (avoid ones causing troubles) and also limit the maximum number of characters
    - should write a code which checks that improperly formatted data are never inserted directly into the HTML content, that might compromise the whole web application
    - should implement prepared statements (known to be reliable) for any database queries as well as the input validation described above

**Website operators **

    - should carefully choose third-party web app providers to ensure their products have the right security measures in place
    - should test the web apps to ensure that they are not vulnerable to attacks involving cross-site scripting or SQL injections
    - should continuously scan their sites in real-time to detect any unauthorized code. This should involve not only automated website vulnerability scanners (i.e.: Nikto, OVASP)
    - you have to be proactive == > hire an experienced professionals ( White or Grey ) who can assess web app security against attacks like these with a custom approach
 ========================================================================
     The last step is important !
Anything less than a pro-active, comprehensive approach to securing the sites will grow to infringement of a great number of consumer's data privacy due to regulations like GDPR.
     As a good example of a DO's & DON'Ts we might mention the recent attack on "The British Airways". But you can practically choose any of the large attacks during the past 5 years.
 ========================================================================
         
                   ::Remember::

 Just because a website is secure that necessarily doesn't mean that a web application is secure as well
     
 source: TechRepublic 
( https://www.techrepublic.com/article/british-airways-data-theft-demonstrates-need-for-cross-site-scripting-restrictions )

No comments:

Post a Comment

Thank you for your comment. Will try to react as soon as possible.

Regards,

Networ King