Tag Archives: security

Introduction of Cross-Site Scripting (XSS) Vulnerability & How to Prevent It?

What is the Cross-site Scripting (XSS) Vulnerability & How to Prevent it

As a web developer, you may know XSS as Cross-site Scripting. It is a way of bypassing the SOP concept. An attacker could easily insert his own HTML code whenever HTML code is generated dynamically, and the user input is not sanitized and is reflected on the page. In this case, the web browser will still display the user’s code since it belongs to the website where it is injected.

The attacker could easily interject JavaScript code which would run under the site’s context. By this way, the attacker can access other pages on the same domain and read data like CSRF-Tokens or the set cookies.

The attacker can use the cookies which typically contain session identifier information, and use it in his own browser and login to the web application as the victim. Another way is by reading private information from the pages, such as read CSRF tokens and makes requests on behalf of the user.

Impacts of the Cross-site Scripting Vulnerability

There are many impacts of an exploited XSS vulnerability. It ranges from Session Hijacking to the disclosure of sensitive data, CSRF attacks and more. The attacker can impersonate the victim and take over the account by exploiting a cross-site scripting vulnerability. It might even lead to code execution on the server if the victim has administrative rights. But it will depend on the application and the privileges of the account. To get more information on how a XSS vulnerability was used in a successful attack can read about the apache.org jira incident .

Preventing XSS Vulnerabilities

The most important thing in preventing cross-site scripting vulnerabilities is to apply a context dependent output encoding. In some cases it might be enough to encode the HTML special characters, such as opening and closing tags. In other cases, URL encoding is necessary if it is correctly applied.

Moreover, your inbuilt XSS filter, even in your most modern web browsers should not be seen as an alternative to sanitization. However, they cannot catch all kinds of cross-site scripting attacks. As a result, this will prevent some pages from loading correctly. Since the idea is to minimize the impact of existing vulnerabilities, a web browser’s XSS filter should only be a “second line of defense”.

Find Out the Right Types of SSL Certificate for Your Website

Find out the right types of SLL certificate fo your website

Since, Google cybercrime gets bigger and bigger nowadays, the way Google assesses a website is change. In fact, Google is among the most proactive, they give better rewards to sites whose adding SSL certificates (or HTTPS). This makes many SEO engineers put a good attention on SSL certificate for their better SEO service. But, you need to be more careful in choosing the right SSL certificate, as there are many types of SSL certificate. Each SSL types use the same standard encryption methods but each option has their own requirements and distinct characteristics.

Option #1. Single Domain

Single domain (or single-name) SSL certificates protect a single domain. This SSL type really works well for simple and straightforward content-based sites. These sites include B2B sites, e-commerce ones where all transactions occur on a single domain. Someone has to get an authenticated domain ownership when she/he wants to get a “Domain-validated”.

Option #2. Multi-Domain (SAN)

Multi-domain SSL certificates are also what they sound like. Multi-domain SSL certificates are also referred to as “SAN” (for Subject Alternative Names). With SAN and one multi-domain SSL certificate, it will cover a suite of sites. So, they provide flexibility for covering sites that might go away or not yet exist.

Option #3 Wildcard

If you want to cover all subdomains on a single root domain or host name, wildcard SSL certificates will be suitable for you. It uses an unsecure, content-driven ‘marketing’ site on the primary domain. Fortunately, this SSL’s type can run all purchase-related through a secure subdomain. With this single wildcard SSL certificate, you can simplify the mess, and it also protects the main site.

Option #4 Organization

Organization SSL certificates works to authenticate a company’s identity and information, such as the company’s primary address, and etc. You may think that this is similar to single domain. But in organization SSL certificates, you will get more content-based sites. By this, you don’t need to secure an e-commerce or payments component.

Moreover, you also will be asked to confirm and authenticate the other organization-related details as well.

Option #5 Extended

The last option, called as extended is better known as the most secure option. They do the extra organization validation bit by verifying the domain. It also double checks the legal corporation. It will also show a green address bar on most modern browsers for your troubles. In Chrome, you’ll also get the company name like this Twitter example below:

1

Credibility is what you’re paying for here. But, the secure connection uses on your site are that different than any other reputable SSL connection.

Hence, by selecting the right SSL certificate types, you’ll get a single certificate to purchase and set up to protect multiple different sites.

5 ways to make your site trustable

5-ways-to-make-your-site-trustable

Trust makes the audience wants to stay longer on your site. So, in this article, we are going to show you how to build trust upon your site. If you are web developers or web designers make sure you keep an eye on these five things.

  1. Design quality

Many people say that good appearance will give you good impression. This statement works the same with your website design. In order to receive user trustworthiness, one should have created a professional-looking design.

A professional design can be attained when your website is well structures and coherent. By this way, your user will find it easier to navigate around and find the information they need. Therefore, the navigation labels should be meaningful and easy for users to understand.

On the contrary, your site will be valued as unprofessional if a user cannot locate the page in 2-3 clicks. In addition, the user should also understand the website within that first 10 to 20 seconds.

Moreover, a design is considered as a good design when up to date and in line with your business type. Also be careful with any broken links, browser compatibility issues, typos and missing files. All of those stuffs can affect your user trustworthiness.

  1. Only Use High Quality Content

Content is also one of the important elements on a website. High quality content should be original and valuable; besides, it also needs to be accurate and up to date. Moreover, the right format for your content can come in all shapes and sizes. You can choose to use an image, video, or infographic to provide information to the reader. For example, you could use before-and-after photos to illustrate how good your service is. Somehow this kind of content works very well at gaining trust.

  1. Show Your Business Relationship

Showing recognition with other businesses, industry organizations, media, government and customers will elevate user’s trust. This is because users will see these relationships as a proof that your website is legitimate. Here are some business relationships that you can display on your site.

  • Testimonials from customers
  • Social media relationships
  • Accreditation, licenses, and awards
  • Review websites
  1. Customers Trust the Technical Aspects

Nowadays, online privacy and security becomes a great concerned, especially if the users are considering a purchase through the website. Here are some ways that you can use to build trust on your site technical aspects:

  • Use SSL when asking for sensitive information
    This technology will ensure that the user’s personal details are not intercepted by a third party.
  • Display trust seals and security certificates
    A trust seal is a 3rd party badge showing that the website is secure.
  • Inform the user that their personal information is safe
  • Have a policy for the handling of cookies
  1. Remove Anonymity

Be clear in providing contact forms, phone numbers, emails, social accounts, help desks, live chats and so on. Furthermore, you can also display your photos to reduce the level of uncertainty. By doing this, users will feel safe when visiting your site.