19th Ave New York, NY 95822, USA

Protecting Your Store from Cross-Site Scripting Attacks

<img class="wp-image-155551 size-large" src="https://www.practicalecommerce.com/wp-content/uploads/2018/06/Login-form-570×370.jpg" alt=" Access to login data, such as a user name, password, or token, is a frequent target of cross-site scripting attacks. If a thief can steal them, he can access the account information of a user. "Width =" 570 "height =" 370 "/>

Access login data such as a user name, password, or token If a thief can steal this information, he or she can access the account information of a user.

Security is vital for all e-commerce sites. A breach of payment data or personal information of customers could kill a business.

But an e-commerce site also presents other security risks. A common is the inter-site script. Any site that uses forms, searches or even an administrative backend is vulnerable – essentially every online store.

Any site using forms, a request, or even an administrative backend is vulnerable …

There are many forms of cross-site scripting – XSS. This occurs when an attacker adds code to a Web page, and then the code runs in the browser of a user who does not suspect anything, thus causing damage. Ninety-nine percent of the time, this code is JavaScript.

A Web page is vulnerable to an XSS attack when it does not properly delete the user's entry. For example, if a comment form allows someone to add HTML code, an attacker could post a comment including the attack code.

The most common method is to add a JavaScript source link using the script . This will cause the browser to download and run the JavaScript, which could then steal the user's data.

Targets of XSS

Authentication data, such as a user name, password, or token, is a common target. If an attacker can steal them, he can log in as a user with full access to the user's account.

The attacker could, for example, change the delivery address for a recurring order or use a card in the file to make fraudulent orders. Once the attacker connects, it becomes very difficult to tell the difference between the legitimate user and the attacker.

One way to detect is to track the usual location of a user and compare it to the attacker. If the user logs in from Texas and there are suddenly many connections from another state or country, it is a sign that the account has been hacked.

XSS attacks that steal an administrator's authentication data are even more critical. With administrative access, an attacker could, for example, create hundreds of fraudulent orders, change the way payment receipts are routed or delete all data from your store.

This is the worst case. This is also a reason to have strong security practices for administrator accounts.

XSS attacks that steal the authentication data of an administrator are even more critical.

Your store collects other data, such as address and order information. They may not be as critical as payment data or login data, but they can still cause a major customer service problem in the event of a breach. This is especially the case if the customer is a celebrity. The disclosure of his personal address or the products that he ordered could cause a scandal.

Prevention of XSS attacks

Preventing XSS attacks is not easy. All forms of input by the user can be a security risk. With the increase of user-generated content, the Web is much more interactive. Thus, XSS attacks are common.

A good way to prevent XSS attacks is to clean up all data entered by a user. This is what is called the "disinfection of inputs". It removes or makes harmless any HTML or JavaScript code of a user. Many code libraries and e-commerce platforms do this by default.

The problem is that the disinfection of entries limits what a legitimate user can enter. This could, for example, prevent a user from putting certain words in a blog comment or creating a link to another page.

Allowing only a few seemingly safe tags could be risky. Even non-JavaScript tags like a link or image could trigger a carefully crafted XSS.

Many XSS attacks will attempt to steal a user's authentication cookies. There is a simple built-in protection called "HttpOnly" that prevents JavaScript from accessing cookies. This is an option on the cookie that needs to be set. This will prevent your own JavaScript from using it, but it's a simple way to add another layer of protection.

How vulnerable?

XSS can attack most e-commerce sites. This does not matter if it is an open source, a hosted platform or a purchased software.

Open source systems are usually quick to repair an XSS or other security problem. Many will quickly publish a new version. Minimize your risks by keeping your systems up to date.

Hosted platforms also deal with XSS issues quickly. Often traders do not know that a security hole has been repaired because their sites have been automatically updated. A disadvantage of hosted platforms is that the same software usually powers all stores. Thus, an attacker could discover access to a store and then attack all other sites on the platform.

The security of commercial software varies. The vouchers will immediately issue a new version once a security problem has been resolved. But a merchant could be on the hook for the upgrade.

The XSS vulnerability also applies to plug-ins, applications, and third-party systems. If you use a popular application, it will likely be upgraded and secured quickly in case of XSS attack.

Finally, if your store uses custom code, it all depends on you and your team. There are many common practices that allow developers to audit your code and secure it. Even then, you could still scramble from time to time.

Leave a comment