Websites these days strive to get your attention in the hope that you will stick around long enough to buy a product or two from them. But not all websites take security as seriously as they should. I have seen websites for financial services organizations that only permitted a 4 character password, and ones that would expose customer data with a simple trick. These are just some examples I have been through, in which I will highlight the errors that can happen when deploying a site. I will provide examples of poor implementations and code errors, and discuss how security can be better deployed.
38. XSS
● Cross Site Scripting
● The problem exists where proper validation of untrusted input is missing.
● Attackers can execute scripts, deface websites or redirect users.
39. Types of XSS
● Reflected XSS
● Stored XSS
● DOM XSS
42. Fixing XSS
● Using frameworks like Ruby on Rails or React JS, which automatically escape output to prevent XSS.
● Applying context-sensitive encoding when modifying the browser document on the client side protects against DOM XSS.
● Enabling a Content Security Policy (CSP) is a defense-in-depth mitigating control against XSS.