Why Are XSS Attacks Still A Security Risk When They Are So Easy To Fix?

Many developers tend to have a bit of arrogance about them.

They grew up thinking that they were one of the best when it came to computers and that they know everything that there is to know about the machines.

They have taken them apart and put them back together. Many times.

They did all of this while also studying computer science so they think that they have all the basics when it comes to the computer.

They translate this knowledge of the computer into a false sense of security that they know all of the ways that a computer can be exploited as well.

Since they know the machine so well, this means that they know all of the ways that it can be broken.

This is far from the case.

It takes a special kind of person to be able to find all of the loopholes in a system.

No matter how well you know the system, if you are not that type of person, then you will still leave holes in your code.

This is why there are still new web pages being built that allows an XSS attack to filter through.

xss security risk

What is an XSS attack

An attack is another way to say cross site scripting attack.

The shortened version of cross site scripting attack is CSS and we all know that term is being used in another part of computer terminology so, to make it less confusing, they labeled it XSS.

A cross site scripting attack allows you to place script on a web page that was not there already.

Once the script is planted on the page, it is able to bypass certain browser security measures.

In the past, people were allowed to create JavaScript that would allow attackers access to the desktop of someone even though they were not on the same page.

This would lead to a lot of exploits being developed on the client side part of the browser.

To stop this from happening browsers came up with a new rule called “same origin policy”.

This meant that a script could not execute unless it was coming from the web page that the visitor was on at the time.

With an XSS attack, the bad guy is able to bypass this restriction.

Problem fixed

This was been a problem for a while but for the most part it has been fixed.

With certain filters put into the forms of a page, developers are able to stop the attacks from happening.

So this leads to the question, why does it still happen?

The fact is there are a lot of developers who still do not know what an XSS attack is and how it can be stopped.

Not everyone that is a developer is a computer whiz.

There is a good portion of the developer audience that know how to do the basics and not much more.

This is why we still see new web pages that are still vulnerable to this type of attack.

The solution to the XSS problem

If you are going to have a person develop a new webpage for you make sure that they understand basic security principles as well.

If not, then your site can pay the cost later on down the line.

About Lee Munson

Lee's non-technical background allows him to write about internet security in a clear way that is understandable to both IT professionals and people just like you who need simple answers to your security questions.

Trackbacks

  1. […] of your normal users and allows them access to the same information that the normal user would get. The XSS attack has been harder to do these days because the browser makers are taking a lot of time to make sure that it is hard to execute. And […]

  2. […] takes a lot of input from the end users then you may need alerts when someone is trying to do a XSS attack. Or if you are running a server that allows people to upload files, then you might need an alert […]

  3. […] to put it in simple terms that everyone can understand. First of all, even though it is known as a XSS attack, it really should be labeled a CSS attack. These letters stand for Cross Site Scripting attack. […]

  4. […] main threat that you have to worry about on your web site these days is someone pulling an XSS attack on your […]

Speak Your Mind

*