How to check your search box for XSS exploit vulnerability
19 Jun, 2008 | Posted in: Website Security | 1 Comment
Cross-site scripting (XSS) is a type of website vulnerability which allows malicious web users to inject code into the web pages viewed by other users.
According to Google:
Cross-site scripting (aka XSS) is the term used to describe a class of security vulnerabilities in web applications. An attacker can inject malicious scripts to perform unauthorized actions in the context of the victim's web session. Any web application that serves documents that include data from untrusted sources could be vulnerable to XSS if the untrusted data is not appropriately sanitized.
Webmasters should always play it safe and check for XSS holes on their site, especially when using freeform text inputs, which are commonly used as search boxes. Even big sites can have these issues with XSS and escaping user input.
If you notice your Google rankings dropping, you might consider doing a few searches on your site using Google to see if anyone has injected spammy or adult content into your site.
For example, if your website is example.com.au, run a few search queries such as:
- [site:example.com.au porn]
- [site:example.com.au viagra]
Recently, the Google security blog has written about XSS holes and exploits, and it's worth a quick read to find out how you can protect yourself.
From the article:
The general principle behind preventing XSS is the proper sanitization (via, for instance, escaping or filtering) of all untrusted data that is output by a web application. If untrusted data is output within an HTML document, the appropriate sanitization depends on the specific context in which the data is inserted into the HTML document. The context could be in the regular HTML body, tag attributes, URL attributes, URL query string attributes, style attributes, inside JavaScript, HTTP response headers, etc.
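As an added example (not code from this post or from Google's article): a minimal search-results template rendered the unsafe way and the context-aware way described above, plus the self-check a webmaster can run on their own search box. The template strings and the probe markup are constructed for illustration.

```python
import html
from urllib.parse import quote

# Constructed probe: harmless markup used only to see whether the search
# page echoes input verbatim into the HTML it serves back.
PROBE = '<b class="xss-probe">probe</b>'


def render_vulnerable(query: str) -> str:
    """Typical search template: the term is dropped into three different
    HTML contexts (body, attribute value, URL query string) unescaped."""
    return (
        f'<p>Results for: {query}</p>'
        f'<input type="text" name="q" value="{query}">'
        f'<a href="/search?q={query}&page=2">Next page</a>'
    )


def render_safe(query: str) -> str:
    """Same template, but each insertion is escaped for its own context.
    Body text and attribute values get entity encoding (quote=True also
    turns " into &quot; so the attribute cannot be broken out of); the
    URL query-string value is percent-encoded first, then entity-encoded
    because it sits inside an href attribute."""
    body = html.escape(query, quote=True)
    attr = html.escape(query, quote=True)
    url = html.escape(quote(query, safe=""), quote=True)
    return (
        f'<p>Results for: {body}</p>'
        f'<input type="text" name="q" value="{attr}">'
        f'<a href="/search?q={url}&amp;page=2">Next page</a>'
    )


def reflects_unescaped(page_html: str, probe: str = PROBE) -> bool:
    """Self-check for a webmaster: if the served page contains the probe
    markup character-for-character, the search box echoes untrusted input
    without sanitisation and needs fixing."""
    return probe in page_html
```

To check a live site, submit PROBE through the search form and pass the response body to reflects_unescaped().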
Further Reading
Quick security checklist for webmasters
Julian Beachworth wrote:
Thanks, I will check this out... getting hacked is not fun, trust me!
23 Jun, 2008 @ 01:42