Cross-site scripting (XSS) errors are responsible for more than half of all web application vulnerabilities1. So, in this age of accountability and expectations for secure, high quality software, what’s being done about it?
Veracode announced their Free XSS Detection Service which empowers global developers and security professionals to quickly and easily identify dangerous and costly XSS vulnerabilities, while offering remediation recommendations to produce higher security web applications.
OWASP includes XSS on its list of the Top 10 most dangerous software risks, and despite the high prevalence, Veracode is certain that XSS vulnerabilities can be easily eliminated once detected.
Veracode Free XSS Detection Service removes perceived complexity from the detection process, and with access to proper education and training, developers can avoid introducing the flaws into software in the first place.
According to OWASP, XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation and escaping. XSS allows attackers to execute scripts in the victim’s browser that can hijack user sessions, deface web sites, or redirect the user to malicious sites.
Here’s how the Veracode Free XSS Detection Service works:
- Sign up for a Free XSS Detection Service account
- Users submit one Java application, free of charge
- The Veracode platform will search for XSS errors and produce a detailed report with location and remediation information
- Participants will also receive complimentary access to Veracode’s dedicated XSS eLearning courses.
“At Veracode, we see thousands — sometimes tens of thousands — of XSS vulnerabilities a week. Many are those we describe as ‘trivial’ and can be fixed with a single line of code. Some of our customers upload a new build the following day; others never do. Motivation is clearly a factor,” said Chris Eng, senior director of security research, Veracode.
“Think about the XSS vulnerabilities that hit highly visible websites such as Facebook, Twitter, MySpace and others. Sometimes those companies push XSS fixes to production in a matter of hours. Are their developers really that much better? Of course not. The difference is how seriously the business takes it. When they believe it’s important, you can bet it gets fixed.”