A new article in Dark Reading covers the basics of Cross Site Scripting (XSS). The article starts by asking a great question:
Cross-site scripting has been around longer than most security professionals have been on the job. Why is it still such an issue when we’ve known about it for so long?
XSS was first found in the year 2000, so this year marks the 20th anniversary of the discovery of this class of vulnerability. By 2007, XSS had become the most common exploit of web applications. Today it’s still one of the most attacked vulnerabilities, and it still ranks as one of the OWASP Top 10 web application security risks.
If you’re not familiar with XSS, this new article from Dark Reading is a great primer explaining what it is, as well as explaining the three variations of XSS being used today. It also covers some basic coding techniques you can use to limit your exposure to XSS vulnerabilities.
If you’re not familiar with how XSS works, it’s one of the few attacks that spans multiple parties, either several servers or both the server and the client, to carry out the attack. That makes it harder to detect when only one piece of the puzzle (a single server, or just the client, or just the server) has any kind of security or protection in place.
As mentioned earlier, the article does cover good coding practices to reduce your risk of XSS when writing and creating your web application. While that’s a great start to application security, and preventing XSS attacks, there’s never any guarantee that you’ll catch all XSS vulnerabilities in your code. You still need protection for those undiscovered XSS vulnerabilities.
A great start for XSS security is using runtime application security. The latest draft version of NIST SP 800-53 now includes RASP (Runtime Application Self-Protection) as a requirement for an organization’s security framework. By having security that sits close to the application, you get greater visibility into and understanding of when an attack is happening, and better tools to control the attack. Traditional security tools like Web Application Firewalls (WAFs) sit on the network perimeter and can miss nuanced and sophisticated attacks.
K2’s runtime deterministic application security platform monitors the application and has a deep understanding of the application’s control flows, DNA and execution. By validating the application’s control flows, deterministic security is based on the application itself rather than relying on knowledge of past attacks to identify a zero-day attack. Deterministic security results in the detection of sophisticated zero-day attacks and also protects the application from the risks listed in the OWASP Top Ten, including XSS.
In addition to providing runtime application security, K2 can also help with faster vulnerability remediation in your web application code during your penetration testing cycle. The K2 agent is deployed on the pen testing/QA server and no change in testing methodology or setup is required. K2 works in conjunction with your existing scanning tools or pen testing tools. K2 creates a vulnerability report at the end of the testing cycle detailing additional telemetry on the vulnerability including which file and line number in the code has the vulnerability. K2 can also find additional vulnerabilities in the application that the testing tools may have missed.
K2’s Next Generation Application Workload Protection Platform addresses today’s need for runtime security in an easy-to-use, easy-to-deploy solution. K2’s unique deterministic security detects new attacks without relying on past attack knowledge, is lightweight, and adds under a millisecond of latency to the running application. To aid in quick remediation of vulnerabilities, K2 also provides detailed attack telemetry, including the code module and line number in the code being attacked, while at the same time integrating with leading firewalls to block attackers in real time.
Change how you develop and protect your applications.
Find out more about K2 today by requesting a demo, or get your free trial.