Small Business Defense – Cross Site Scripting
- At October 15, 2009
- By Josh More
- In Business Security
Let’s start with some basic assumptions:
- You must have a website to do business in today’s world.
- Your customers have to be able to post content, either on your website or on a shared third-party site that you have to use to communicate with them (Twitter, Facebook or LinkedIn).
- That communication method will be attacked.
So, you have two scenarios: your own website or a third-party website.
If it’s your own website, you have a bit more control. There are techniques that you can use to limit cross-site scripting. The common advice is to use a whitelist of “good” characters and filter out everything else. That’s not hard to do, actually. However, the problem has to be solved at every possible entry point, which can be very difficult if you don’t design it into the system.
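One way to apply the whitelist approach described above at every entry point, as an added example that is not part of the original post: a single filtering function that every request handler calls. The field names, allowed character sets and length limits are assumptions chosen for illustration.

```python
import re

# Assumed allowlists: each pattern matches any character that is NOT "good".
DISALLOWED = {
    "name": re.compile(r"[^A-Za-z0-9 .,'\-]"),
    "comment": re.compile(r"[^A-Za-z0-9 .,!?'\n\-]"),
}
MAX_LEN = {"name": 64, "comment": 500}


def filter_field(kind, value):
    """Keep only allowlisted characters; refuse field kinds with no allowlist."""
    if kind not in DISALLOWED:
        raise KeyError(f"no allowlist defined for field kind {kind!r}")
    if not isinstance(value, str):
        raise TypeError("expected text input")
    return DISALLOWED[kind].sub("", value)[:MAX_LEN[kind]]


def clean_request(schema, *sources):
    """Single choke point for every entry point (form, query string, JSON body).

    Fields missing from the schema are dropped, so a parameter nobody
    planned for cannot reach storage or a page unfiltered.
    """
    cleaned = {}
    for source in sources:
        for field, raw in source.items():
            if field in schema:
                cleaned[field] = filter_field(schema[field], raw)
    return cleaned


# Hypothetical schema for a comment form: field name -> allowlist to apply.
COMMENT_SCHEMA = {"author": "name", "body": "comment"}

if __name__ == "__main__":
    # Constructed sample input arriving through two different entry points.
    form = {"author": "Pat <b>O'Neil</b>", "body": "Nice post!<script>alert(1)</script>"}
    query = {"ref": "<img src=x onerror=alert(1)>"}
    print(clean_request(COMMENT_SCHEMA, form, query))
```

Because handlers only ever see the output of `clean_request`, adding a new form or API route does not create a new unfiltered path unless someone bypasses the function.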
However, if it’s on a third-party website, your options are a trifle more limited. You don’t know what they allow or disallow. You don’t know what other users are going to post, or even who they may be. What you do know, though, is that there will be attacks. Do you trust them?
Odds are that the answer is “no”.
The good news is that there is a simple test that works on both your own website and third-party systems. Just log in and see which of your data is visible. If an attacker gets in, they will run attacks as you. If your local workstation is protected, you can probably assume that the attack will be limited to the context of the website itself. Thus, you can limit what an attacker can get to by simply controlling the data that you allow online.
So here are two good rules of thumb:
- If you don’t need to put pieces of data online, don’t.
- If the site requires information that you don’t want to give, either don’t use the site or make something up.