Locking the Door behind You: Hacker Protection for Your Web Applications

Page 3 of 3

Cross Site Scripting

Cross site scripting (also known as XSS or CSS) occurs when dynamically generated Web pages display input that is not properly validated, an important aspect of hacker protection. This allows an attacker to embed malicious JavaScript code in the generated page and have it execute in the browser of any user who views that page. Cross site scripting could potentially affect any site that allows users to enter data. This vulnerability is commonly seen in the following:
  • Search engines that repeat back the search keyword that was entered.
  • Error messages that repeat back the string that contained the error.
  • Forms whose submitted values are later presented back to the user.
  • Web message boards that allow users to post their own messages.
Putting hacker protection in place to prevent cross site scripting is relatively easy and well worth the effort. An attacker who exploits cross site scripting successfully might compromise confidential information, manipulate or steal cookies, create requests that can be mistaken for those of a valid user, or execute malicious code on end user systems.

Step 1. Open the Web site in a browser.

Step 2. Browse the Web site for areas that accept user input and return what you typed. The most common locations for these areas on Web sites are search engines and login forms.

Step 3. Once you have located a search engine or login form, enter "test" into the search field or login name field, and submit the request to the Web server.

Step 4. Look for the Web server to respond with a page similar to one of the following:

  1. "Your search for 'test' did not find any items"
  2. "Your search for 'test' returned the following results"
  3. "User 'test' is not valid"
  4. "Invalid login 'test'"

If the word 'test' appears in the results page, then an entryway for cross site scripting has been found.

Step 5. To test for hacker protection against cross site scripting attacks, input the string "<script>alert('hello')</script>" (without the surrounding quotes) in the same field where you entered "test" in step 3, and submit the request to the server.

Step 6. If the server responds back with a pop-up box that says "hello", then the Web site is vulnerable to cross site scripting.

Step 7. If step 6 fails and the Web site does not return a popup box, click the 'View' menu in IE and select the 'Source' option. This will cause Notepad to open with the HTML source of the page. In Notepad, click the 'Edit' menu and choose 'Find'. A dialog will appear asking you what to 'Find'. Type the phrase "<script>alert('hello')</script>" and click 'Find Next'. If the text is found, then the Web server is vulnerable to cross site scripting and requires implementation of hacker protection to prevent these attacks.
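As an added illustration (not code from the article), the following Python sketch shows the reflection that steps 4 through 7 look for, beside the output encoding and input validation that stop it. The function names and the login-name rule are assumptions made for the example.

```python
import html
import re

# The probe string from step 5 of the article.
PROBE = "<script>alert('hello')</script>"

def render_search_vulnerable(keyword: str) -> str:
    """Builds the results page the way a vulnerable search engine does:
    the keyword is pasted into the HTML exactly as the user typed it."""
    return f"<p>Your search for '{keyword}' did not find any items</p>"

def render_search_hardened(keyword: str) -> str:
    """Same page, but the keyword is HTML-encoded before it is placed in
    the page body, so <, >, quotes and & can no longer start markup."""
    safe = html.escape(keyword, quote=True)
    return f"<p>Your search for '{safe}' did not find any items</p>"

# Hypothetical validation rule for login names: only letters, digits,
# dots, underscores and hyphens, 1-64 characters. Validation restricts
# what is accepted; output encoding protects whatever is echoed back.
LOGIN_NAME_RE = re.compile(r"[A-Za-z0-9._-]{1,64}")

def is_valid_login_name(name: str) -> bool:
    return LOGIN_NAME_RE.fullmatch(name) is not None

def render_login_error(name: str) -> str:
    """Validates first (the 'Invalid login' message of step 4), then encodes."""
    if not is_valid_login_name(name):
        return "<p>Invalid login</p>"          # never echo a rejected name
    return f"<p>Invalid login '{html.escape(name, quote=True)}'</p>"

def reflects_probe(page_source: str, probe: str = PROBE) -> bool:
    """Mirrors step 7: search the returned HTML source for the exact
    probe string. True means the page is vulnerable."""
    return probe in page_source

if __name__ == "__main__":
    for label, render in (("vulnerable", render_search_vulnerable),
                          ("hardened", render_search_hardened)):
        page = render(PROBE)
        print(f"{label:10s} reflects probe: {reflects_probe(page)}")
        print("  source:", page)
    print("login probe reflected:", reflects_probe(render_login_error(PROBE)))
```

The hardened page still contains the text of the probe, but as `&lt;script&gt;...`, which the browser renders as literal characters instead of executing.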

Once you enter the arena of e-business, your short-term business prospects and long-term viability and shareholder value all become directly linked to your e-business strategies and ability to manage the risks of doing business online, which include hacker protection to prevent attacks like SQL injection and XSS. You must simultaneously protect information while opening your doors to outside partners, customers and employees. The performance and security of your systems, as well as those of your third-party partners, are critically important to long-term success.

Companies must view their Web applications as a portal to corporate assets and hence implement the necessary hacker protection and security procedures to ensure that those assets are secure from malicious attacks like SQL injection and XSS. This includes defining security and hacker protection as part of both the functional and technical requirements of an application. To achieve a greater level of application security, mature development practices that focus specifically on Web application security and hacker protection at the application layer need to be implemented. Companies that are vigilant and proactive in their approach to application security are better protected, and, in the long run, these companies enjoy a higher return on investment for their e-business ventures.

About the author

Caleb Sima United States

Caleb Sima is founder and chief technology officer of SPI Dynamics, the expert in Web application security testing and enterprise security risk management. He is widely known within the Internet...
