Locking the Door behind You: Hacker Protection for Your Web Applications

Page 3 of 3
  1. Introduction
  2. SQL Injection
  3. Cross Site Scripting

Cross Site Scripting

Cross site scripting (also known as XSS or CSS) occurs when dynamically generated Web pages display input that is not properly validated, an important aspect of hacker protection. This allows an attacker to embed malicious JavaScript code into the generated page and execute the script on the machine of any user that views that site. Cross site scripting could potentially impact any site that allows users to enter data. This vulnerability is commonly seen on the following:
  • Search engines that repeat back the search keyword that was entered.
  • Error messages that repeat back the string that contained the error.
  • Forms that are filled out where the values are later presented to the user.
  • Web message boards that allow users to post their own messages.
Putting hacker protection in place to prevent cross site scripting is relatively easy and well worth the effort. An attacker who uses cross site scripting successfully might compromise confidential information, manipulate or steal cookies, create requests that can be mistaken for those of a valid user, or execute malicious code on the end user systems.

Step 1. Open the Web site in a browser

Step 2. Browse the Web site for areas that accept user input and will return back what you typed in. The most common locations for these areas on Web sites are search engines and login forms.

Step 3. Once you have located a search engine or login form, enter "test" into the search field or login name, and submit the request to the Web server.

Step 4. Look for the Web server to respond back with a page similar to

  1. "Your search for 'test' did not find any items"
  2. "Your search for ‘test’ returned the following results"
  3. "User 'test' is not valid"
  4. "Invalid login 'test'"
If the word 'test' appears in the results page, then an entryway for cross site scripting has been found.

Step 5. To test for hacker protection against cross site scripting attacks, input the string "<script>alert('hello')</script>" without quotes as done with "test" in step 3. Submit the request to the server.

Step 6. If the server responds back with a pop-up box that says "hello", then the Web site is vulnerable to cross site scripting.

Step 7. If Step 6 fails, and the Web site does not return a popup box, click the 'View' menu in IE, and select the 'Source' option. This will cause Notepad to open with the HTML source of the page. In Notepad, click the 'Edit' menu and choose 'Find'. A dialog will appear that will ask you to 'Find What'. Type the phrase "<script>alert('hello')</script>"and click 'Find Next'. If the text is found, then the Web server is vulnerable to cross site scripting and requires implementation of hacker protection to prevent these attacks.

Once you enter the arena of e-business, your short-term business prospects and long-term viability and shareholder value all become directly linked to your e-business strategies and ability to manage the risks of doing business online, which include hacker protection to prevent attacks like SQL injection and XSS. You must simultaneously protect information while opening your doors to outside partners, customers and employees. The performance and security of your systems, as well as those of your third-party partners, are critically important to long-term success.

Companies must view their Web applications as a portal to corporate assets and hence, implement the necessary hacker protection and security procedures to ensure that those assets are secure from malicious attacks like SQL injection and XSS. This includes defining security and hacker protection as part of both the functional and technical requirements of an application. To achieve a greater level of application security, mature development practices that focus specifically on Web application security and hacker protection at the application layer need to be implemented. Companies who are vigilant and proactive in their approach to application security are better protected, and, in the long run, these companies enjoy a higher return on investment for their e-business ventures.

You might also like...


About the author

Caleb Sima United States

Caleb Sima is founder and chief technology officer of SPI Dynamics, the expert in Web application security testing and enterprise security risk management. He is widely known within the Internet...

Interested in writing for us? Find out more.


Why not write for us? Or you could submit an event or a user group in your area. Alternatively just tell us what you think!

Our tools

We've got automatic conversion tools to convert C# to VB.NET, VB.NET to C#. Also you can compress javascript and compress css and generate sql connection strings.

“The first 90% of the code accounts for the first 90% of the development time. The remaining 10% of the code accounts for the other 90% of the development time.” - Tom Cargill