Prevent Cross Site Scripting (XSS) Attacks

Cross-site scripting has been at the top of both the OWASP Top Ten list and the CWE/SANS Top 25 repeatedly. Some reports show cross-site scripting, or XSS, vulnerabilities to be present in 7 out of 10 web sites while others report that up to 90 percent of all web sites are vulnerable to this type of attack. Why are so many sites at risk? Because cross-site scripting attacks are so easy to perform.


Got questions about dotDefender? Please visit our knowledgebase for answers or contact Support at

Featured Blog Posts

The Price of Ignoring SQL Injection Vulnerabilities

Research has shown that businesses just don’t take web application security seriously enough. For ... read more ...

The Most Vulnerable Programming Languages

Normally, studies of Web application security involves which type of vulnerability is most common or ... read more ...

Senior bureaucrats lax on BlackBerry security

Security experts suggest senior federal bureaucrats are playing with fire by sending sensitive government information ... read more ...

Basically, an attacker inputs a malicious script into a web site. This can be in a forum, comment section, or any other input area. When victims visit that web site, they only need to click on that script to start the exploit.

A few facts about cross-site scripting attacks that you should be aware of are:

Risks Associated with Cross-Site Scripting

Attackers are lured to XSS exploits because how easy they are to perform, but they also know to follow the money. Attacking a web site through a cross-site scripting vulnerability can be quite profitable for the attacker who knows how to harness this type of exploit.

Without proactive Web application security in place to stop XSS attacks, you leave your site vulnerable to:

Web sites that have been exploited using XSS attacks have also been used to:

Preventing Cross-Site Scripting Attacks

With dotDefender web application firewall you can avoid XSS attacks because dotDefender inspects your HTTP traffic and determines if your web site suffers from cross-site scripting vulnerabilities or other attacks to stop web applications from being exploited.

Architected as plug & play software, dotDefender provides optimal out-of-the-box protection against cross-site scripting, SQL Injection attacks, path traversal and many other web attack techniques.

The reasons dotDefender offers such a comprehensive solution to your web application security needs are:

How does an attacker exploit a cross-site scripting vulnerability?

Before a web site can be compromised, an attacker needs to find applications that are vulnerable to XSS vulnerabilities. Unfortunately, most web applications, both Free/Open Source Software and commercial software, are susceptible. Attackers simply perform a Google search for terms that are often found in the software. Using search bots to automate this process means an attacker can find thousands of vulnerable web sites in minutes.

Once a vulnerable web site is discovered, the attacker then examines the HTML to find where the exploit code can be injected.

Coding the exploit

After this has been determined, the attacker then begins to code the exploit. There are three types of attacks that can be used:

  1. Stored (persistent) attacks: Injected malicious code is stored on a target server such as a bulletin board, a visitor log, or a comment field. When interacting with the target server, an end-user inadvertently retrieves and executes the malicious code from the server.
  2. Reflected attacks: The end-user is tricked into clicking a malicious link or submitting a manipulated form. The injected code is sent to a vulnerable web server that directs the cross-site attack back to the user’s browser. The browser then executes the malicious code, assuming it comes from a trusted server.
  3. DOM-based attacks: The attack script is based on the same page's DOM (document object model), enabling it to manipulate and interrogate it. In this type of exploit, remote execution is enabled allowing the attacker to execute malicious code on the victim's computer.

After the code has been written, it is then injected into the target site.

Reap the rewards

Now that the script has been injected into the vulnerable site, the attacker can now begin to reap the rewards. If the intent of the XSS attack was to steal user authentication credentials, usernames and passwords are now collected. For attacks that center around keystroke logging, the attacker will begin to receive the logged results from the victims. If the intent was to inject spam links into a well trusted site, then the attacker will begin to see increased activity on their sites due to higher traffic and higher search engine results.

If the attack was successful, the attacker will often replicate it on other sites to increase the potential reward.

The Need to Avoid Cross-Site Scripting Attacks

Cross-site scripting not only costs businesses in stolen data, but also by harming their reputation. Owners who work hard to build themselves as trusted site to deliver content, services, or products often find themselves hurt when loyal visitors lose trust in them after an attack. Visitors whose data is stolen or find their computers infected as the result of an innocent visit to your web site are hesitant to return even if assurances are made that the site is now clean.

Even if a vulnerable site is fixed, sites that contained malicious code from an XSS exploit are usually flagged by Google and other search engines as a result. Resources spent in time and effort to restore a solid reputation with the search engines is an added cost that most web site owners never figure on.

The threat posed by cross-site scripting attacks is not solitary. Combined with other vulnerabilities like SQL injections, path traversal, denial of service attacks, and buffer overflows the need for web site owners and administrators to be vigilant is not only important but overwhelming.

Protect Yourself from Cross-Site Scripting Attacks

dotDefender's unique security approach eliminates the need to learn the specific threats that exist on each web application. The software that runs dotDefender focuses on analyzing the request and the impact it has on the application. Effective web application security is based on three powerful web application security engines: Pattern Recognition, Session Protection and Signature Knowledgebase.

The Pattern Recognition web application security engine employed by dotDefender effectively protects against malicious behavior such as SQL Injection and Cross Site Scripting. The patterns are regular expression-based and designed to efficiently and accurately identify a wide array of application-level attack methods. As a result, dotDefender is characterized by an extremely low false positive rate.

What sets dotDefender apart is that it offers comprehensive protection against cross-site scripting and other attacks while being one of the easiest solutions to use.

In just 10 clicks, a web administrator with no security training can have dotDefender up and running. Its predefined rule set offers out-of-the box protection that can be easily managed through a browser-based interface with virtually no impact on your server or web site’s performance.

Related Articles:

Prevent SQL Injection Attacks
Website Security
IIS Server Security

Please Wait...