Cross-Site Scripting Injection Vulnerability: Secure Coding Practices for Improved Web Application Safety
While security vulnerabilities evolve, secure coding practices aim to protect users and reduce organizational liability. OWASP publishes a list of secure coding practices that guides software developers toward a security-first mindset, so that they write code that accounts for application security risks from the first line onward.
A Cross-Site Scripting (XSS) injection vulnerability allows malicious hackers to inject harmful scripts that execute in a user’s browser. Three real-world examples of harmful data breaches caused by XSS injection vulnerabilities are the British Airways data breach in 2018, the Fortnite data breach in 2019, and the eBay data breach in 2016 (Anderson, 2023).
Because of the widespread effects of this vulnerability, React DOM escapes any values embedded in JSX before rendering them. By default, React therefore protects applications from XSS injection attacks that would let attackers hijack sessions, steal user information, or redirect users to malicious web pages instead of the intended one. There are times, however, when a software developer needs to manipulate the DOM directly with refs in order to interact with an external system, such as an API, outside the rules defined by React, and that automatic protection does not cover such code.
Software developers can deploy Content Security Policy (CSP) headers to catch attacks in the browser and can sanitize any data coming from the API with a library that identifies and removes malicious HTML and URLs. In the eBay data breach, software engineers failed to sanitize URL parameters before navigating users to a new page; hackers exploited the resulting XSS injection vulnerability to redirect users to malicious web pages and steal eBay users’ sensitive payment details and account information. Had eBay properly sanitized the URL parameters before injecting them into the page, attackers would have been unable to redirect users to a new page.
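The two gaps described above, a redirect target taken from a URL parameter and API data written to the DOM through a ref, can be closed with small defensive helpers. The following is an added example, not code from the original post or from React; the function names safeRedirectTarget and escapeHtml and the origin https://shop.example are assumptions for illustration.

```javascript
// Added example: defensive handling for the two places where a React app
// leaves JSX's automatic escaping behind. Names and the origin are assumed.

// 1. Redirect targets read from a URL parameter (the eBay case).
//    Only same-origin http(s) destinations are accepted; everything else,
//    including non-http schemes, protocol-relative "//host" forms and
//    unparseable input, falls back to a fixed safe path.
function safeRedirectTarget(param, origin, fallback = "/") {
  let url;
  try {
    // Relative paths resolve against our own origin; absolute URLs keep theirs.
    url = new URL(param, origin);
  } catch {
    return fallback; // unparseable input is treated as hostile
  }
  if (url.protocol !== "https:" && url.protocol !== "http:") return fallback;
  if (url.origin !== origin) return fallback;
  // Return a relative target so the browser can only stay on this site.
  return url.pathname + url.search + url.hash;
}

// 2. API-supplied text written into the DOM via a ref (bypassing JSX).
//    Escaping the five HTML metacharacters turns any markup into inert text,
//    so the value can be assigned to innerHTML without being parsed as HTML.
const HTML_ESCAPES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
};
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Typical use inside a React effect (illustrative, ref.current is the element):
//   ref.current.innerHTML = escapeHtml(apiResponse.displayName);
//   window.location.assign(safeRedirectTarget(params.get("next"), window.location.origin));
```

Note that escapeHtml is for inserting plain text; if the API response must be rendered as HTML, a dedicated sanitizing library is still required, as the text above recommends.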
The harmful effects of XSS injection attacks highlight the importance of secure coding practices in web application development. By providing comprehensive employee training that encourages the secure coding practices outlined by organizations like OWASP, organizations build positive relationships with users and stakeholders while raising the safety of modern web applications.
Reference:
Anderson, B. (2023). 3 Dangerous Cross-Site Scripting Attacks of the Last Decade. ReadWrite. https://readwrite.com/3-dangerous-cross-site-scripting-attacks-of-the-last-decade/