Kaspersky website vulnerable to XSS

By on
Kaspersky website vulnerable to XSS

Reddit post outs flaw.

In brief: A Reddit post has published a cross-site scripting (XSS) flaw found on the website of security company Kaspersky.

The XSS flaws allow client-side script to be injected into web pages and can be used to bypass access controls. They were the most common form of web application vulnerabilities and most were simple to detect.'

 

The Reddit user had injected an image and a series of popups into the page.

XSS was rated as the second most pressing web application vulnerability in the Open Web Application Security Project Top Ten.

To mitigate XSS, the project recommended to keep untrusted data separate from active browser content.

  1. The preferred option is to properly escape all untrusted data based on the HTML context (body, attribute, JavaScript, CSS, or URL) that the data will be placed into. Developers need to include this escaping in their applications unless their UI framework does this for them. See the OWASP XSS Prevention Cheat Sheet for more information about data escaping techniques.
  2. Positive or 'whitelist' input validation is also recommended as it helps protect against XSS, but is not a complete defense as many applications must accept special characters. Such validation should decode any encoded input, and then validate the length, characters, and format on that data before accepting the input.
  3. Consider employing Mozilla’s Content Security Policy.

Copyright © SC Magazine, Australia

Tags:

Most Read Articles

You must be a registered member of iTnews to post a comment.
| Register

Poll

How should the costs of Australia's piracy scheme be split?
Rights holders should foot the whole bill
50/50
ISPs should foot the whole bill
Government should chip in a bit
Other
Flash is heading towards its grave, and that's...
Great! Good riddance
Sad! Flash had some good qualities
Irrelevant. I don't care
What's Flash?
View poll archive

Whitepapers from our sponsors

What will the stadium of the future look like?
What will the stadium of the future look like?
New technology adoption is pushing enterprise networks to breaking point
New technology adoption is pushing enterprise networks to breaking point
Gartner names IBM a 'Leader' for Disaster Recovery as a Service
Gartner names IBM a 'Leader' for Disaster Recovery as a Service
The next era of business continuity: Are you ready for an always-on world?
The next era of business continuity: Are you ready for an always-on world?

Log In

Username:
Password:
|  Forgot your password?