
XSS Attacks On Business Owners Data Are A Genuine Threat

Written by  Nov 15, 2019

Data protection has been strengthened by the GDPR and by other privacy regulations, and businesses have hardened their platforms to better protect and secure user data.

But is this enough for a business owner, entrepreneur or manager?

Recent vulnerability reports show that even major ecommerce and social platforms can easily become a vector for cross-site scripting (XSS) attacks, and that this happens even when the platforms themselves are secure. Because major customer-facing platforms rely on third-party application providers, a vulnerability in any of those providers raises the risk that user data will be exposed to malicious actors. This is the risk organisations have to deal with.


Data privacy regimes

Perhaps the biggest tech news of 2018 was the enforcement of the European General Data Protection Regulation, which sought to protect European Union citizens' personal data from being collected and used without consent. Under the GDPR, any business that handles data on E.U. citizens, or that counts E.U. citizens among its clients, must explicitly inform those users of its data-gathering efforts and obtain explicit consent for doing so.

GDPR has had its impact even outside of Europe since any business that provides services to E.U. citizens or residents will need to comply. In addition, there have been numerous privacy-focused regulations that are also in effect worldwide, given the recent consumer and business focus on data privacy, which are all good things that are working to protect us.

Even with this increased focus on privacy, however, businesses still face many risks of losing user data to malicious hackers. For one, given the collaborative nature of today's services (e.g., an ecommerce store using a payment processor or a logistics provider), the weakest link is whichever service can introduce a breach: the moment a third-party application puts the user at risk, the entire operation may already be compromised. Some organisations have failed to protect their data properly, and EU regulators handed out millions of euros in fines last year.


What is XSS?

XSS is an abbreviation for cross-site scripting. These attacks are a form of data injection, in which an attacker injects malicious client-side code into an otherwise legitimate website. The code -- mostly JavaScript -- is injected into a website or web app's output, typically through forms such as search fields, feedback forms and forum text-entry fields, and even through cookies stored in a user's browser.

When an unsuspecting user accesses an affected website, the injected code has the potential to deliver a payload, which can include executing code, stealing data, controlling a user’s session or installing backdoors to a computer system or network.

Such attacks are born of the need for today's websites to be interactive. With the numerous interactions between browser and server over a single session, XSS can even be used to pull content from a third-party website, use existing cookie data (which can include usernames and passwords), or interact directly with an app's client-side processes.


What can businesses and users do?

For businesses, especially those that run consumer-facing platforms or that use websites for employee access, this involves building applications with a tight security development lifecycle. That means constantly building and updating in order to reduce or eliminate security-related errors in design and coding. It also means assuming that all data received by the application can potentially come from an untrusted source, even when it comes from users who are already logged in and authenticated.

As such, some changes that business owners and managers can adopt include:

  • Not trusting user input blindly. This means constantly validating the input for type, length, format and data range whenever such data goes across trust boundaries.
  • Reducing client-side input, to preclude the possibility of unwanted code or character sets being passed through.
  • Setting a webpage’s character set to the bare minimum (ISO-8859-1), which is sufficient for English and most European languages.
  • Asking users to re-authenticate before accessing critical services.
  • Immediately expiring login sessions if access from multiple IP addresses is detected.
  • Utilising vulnerability scanners to keep track of such risks in real time.
  • Conducting penetration testing before an application or website goes live.

Conclusion

As XSS attacks are a real threat, it makes sense to focus on preventing security risk, especially in the light of calls for better data privacy and protection. This is important today, given the fact that most sites will not work without client-side scripting.

If this all seems a bit mind-boggling to you, make sure to contact your webmaster and have them walk you through these important points regarding data protection. Knowing that major social networks and services have actually been at open risk to a big XSS attack, both businesses and users need to be proactive about their security.
