Posted by caroljmcdonald
on September 29, 2009 at 9:09 PM PDT
This and the next series of blog entries will highlight the
10 most critical web application security vulnerabilities
identified by the Open
Web Application Security Project (OWASP) .
You can use OWASP's
to learn more about the OWASP Top Ten security vulnerabilties. WebGoat
is an example web application, which has lessons showing "what not to
do code", how to exploit the code, and corrected code for each
You can use the
Enterprise Security API Toolkit to protect against the OWASP Top
Ten security vulnerabilties.
Swingset is a web application which demonstrates the many uses of
the Enterprise Security API.
OWASP Top 10 number 1: XSS = Cross Site Scripting
Cross Site Scripting (XSS) is one of the most common security problems
in today's web applications. According to the
href="http://www.sans.org/top-cyber-security-risks/">SANS Top Cyber
Security Risks, 60% of the total attack attempts observed on the
Internet are against Web applications and SQL injection and Cross-Site
Scripting account for more than 80% of the vulnerabilities being
discovered. You are at risk of an XSS attack any time you put content
that could contain scripts from someone un-trusted into your web pages.
There are 3 types of cross site scripting:
- Reflected XSS: is
when an html page reflects user input data, e.g. from HTTP query
parameters or a HTML form, back to the browser, without properly
sanitizing the response. Below is an example of this in a servlet: