eTrust Pro Website Security Tips
The biggest security threat to your website are the forms you use to collect user information. Follow these guidelines to secure your forms and server against the most common attacks.
You may need your Webmaster to help you implement these changes, but it will not be hard for them to do and it will make your site and your users information safer.
Using the eTrust Pro website trust seal and going by these best practices will show your customers you care about their privacy and personal information, which will increase your sales and allow you to sleep better at night knowing eTrust Pro is working for you.
What Is a XSS (Cross-Site Scripting) Attack?
70% of all vulnerabilities are Cross-Site Scripting issues. When an attacker introduces malicious script into a dynamic URL or form, a cross-site scripting (XSS) attack then occurs. It can display an alert window, do redirects, grab cookies, and do SQL injections.
Attackers can use your online forms to inject scripting that will execute or even worse access your database to steal user information or install trojans on visitors to your website. It's actually quite easy to stop these kind of attacks from happening.
Have your website programmer block or filter special characters from being used in the forms on your website and always filter input saved to your databases.
The filter will clean all information submitted to make sure any XSS attempt will not execute properly and in return your website and users information will be safer.
Guard against XSS (Cross Site Scripting) attacksSimple test for your site using a basic XSS attempt :
<script>alert('Danger - Exploit Found')</script>
Copy and paste the code above into any of your website forms and submit them. If you see the message "Danger - Exploit Found" then you are vulnerable to XSS attacks. Have your website programmer add filters to filter out the special HTML characters below.
Copy and paste the code above after a dynamic URL at your website and see if it excecutes. If you see the message "XSS" or receive a 500 server error then your site is vulnerable to XSS attacks. Have your website programmer add filters to filter out the special HTML characters below.
Special Characters To Filter Out Of Your Forms:< > " & – ( ) ' ; + - :
Areas to look for possible vulnerabilities :
- Feedback Forms
- Shopping Cart Forms
- dynamic URLs with parameters passed through
Following this as a guide will help you secure your website from cross site scripting attacks. If you would like to read more in depth examples on XSS attacks OWASP has a nice article on the subject.