Cross-Site Scripting, a Top 10 threat
XSS is one of the most common attacks a website will face, we can help
What is XSS?
Cross-Site Scripting, or XSS, has consistently been ranked as one of the Top 10 threats a web application will face by OWASP, the Open Web Application Security Project. In short, XSS happens when an attacker manages to inject content, typically script, into your website that you never intended to be there.
Imagine a comment or review section on your site where customers or visitors can leave their own remark. They're supposed to type a nice message into the field which will then be saved and shown on your website to other visitors. What if they type something else in there? What if they type malicious code in the field?
Whilst this is a basic example, it captures the very essence of an XSS attack: someone managed to get hostile code into your website.
If done properly, those methods, input sanitisation and output encoding, would protect a site from XSS attacks like our example, but having just a single line of defence is never a great idea; we need defence in depth. There are also many other ways that hostile script could find its way into your site, so input sanitisation and output encoding alone simply aren't enough.
The XSS Auditor
Many browsers have an XSS Auditor built in that will try to detect a subset of XSS attacks and neutralise them.
Not only can the XSS Auditor neutralise those attacks, it can send a report and include the malicious payload the attacker tried to use.
To configure the XSS Auditor and enable reporting, check out our product page: XSS Auditor
Content Security Policy
The last and ultimate line of defence against XSS is Content Security Policy. With CSP we change the approach slightly by whitelisting all allowed content on our site. If content is whitelisted then it is allowed to run; if it's not, the browser will block it.
With this approach, if hostile content is somehow injected into your site and gets by other countermeasures, the browser will be your last line of defence and neutralise the attack. The final piece of the puzzle is of course reporting.
With the CSP reports the browser sends back, you know that an attack was neutralised and can address the root cause using the information in the report itself.
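To make the whitelisting and reporting described above concrete, here is an added example (not code from the original page or from any product it describes) that builds a CSP header allowing only same-origin script and then extracts the root-cause fields from the JSON violation report a browser sends back. The report endpoint path `/csp-report` and the sample report contents are assumptions constructed for the example.

```javascript
// Added example, not from the original page. Builds a whitelist-style
// Content-Security-Policy header and parses the violation report a browser
// POSTs when it blocks injected content. The "/csp-report" path is assumed.

// Join a directive map into a header value. 'self' means "the page's own
// origin"; 'report-sample' asks the browser to include a payload excerpt.
function buildCsp(directives) {
  return Object.entries(directives)
    .map(([name, values]) => (values.length ? `${name} ${values.join(' ')}` : name))
    .join('; ');
}

// A minimal policy: only same-origin scripts may run, plugins are disabled,
// and every block is reported to our endpoint.
const POLICY = {
  'default-src': ["'self'"],
  'script-src': ["'self'", "'report-sample'"],
  'object-src': ["'none'"],
  'report-uri': ['/csp-report'],
};

// Constructed sample of the JSON body a browser sends to report-uri after
// blocking an inline script; the values are illustrative, not captured traffic.
const SAMPLE_REPORT = JSON.stringify({
  'csp-report': {
    'document-uri': 'https://example.com/reviews',
    'violated-directive': 'script-src',
    'effective-directive': 'script-src',
    'original-policy': buildCsp(POLICY),
    'blocked-uri': 'inline',
    'script-sample': 'alert(1)',
  },
});

// Pull out what a responder needs to find the root cause: which page, which
// directive fired, what was blocked, and the payload excerpt when present.
function parseViolationReport(body) {
  const r = JSON.parse(body)['csp-report'];
  if (!r || typeof r['violated-directive'] !== 'string') {
    throw new Error('not a CSP violation report');
  }
  return {
    page: r['document-uri'],
    directive: r['effective-directive'] || r['violated-directive'],
    blocked: r['blocked-uri'],
    sample: r['script-sample'] || null,
    // An 'inline' block on a page that should carry no inline script is the
    // signature of injected content rather than a misconfigured asset.
    likelyInjection: r['blocked-uri'] === 'inline',
  };
}
```

Serve the value of `buildCsp(POLICY)` as the `Content-Security-Policy` response header, and feed the body received at the report endpoint to `parseViolationReport` to triage blocks.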
We can tailor a package to your exact requirements with custom usage, billing and SLA. You need an enterprise account if you're looking for any of the following features; just get in touch!
- Managed/Dedicated Instance
- Geographic Hosting/Processing
- Custom or Unlimited Usage
Award Winning Service
SC Awards Europe Judges
Best Emerging Technology 2018
"This is a completely new source of information that sites can use to better protect themselves and their visitors"