In two recent cyberattacks against an airline and a large e-commerce ticketing company, thousands of customers had their personal and financial data compromised through a malicious strategy called cross-site scripting (XSS).
XSS isn’t new, but its impact and visibility are both growing. The most famous recent example is Magecart, a group linked to both of the attacks referenced above. Web applications are a key point of vulnerability for data breaches. Here’s what you need to know to protect them from XSS attacks.
What is cross-site scripting (XSS), and why is the problem getting worse?
An XSS attack involves an attacker injecting malicious scripts into a web page or application. When the victim visits the page or application, the code is executed. For example, Magecart inserts scripts that skim payment card data when the user makes a purchase.
The fact is, protecting a website just isn’t as simple as it used to be. Web applications are increasingly targeted due to their complexity and how difficult they are to monitor. It’s great that organizations can now give their web and mobile visitors a rich, varied and interactive experience that spans multiple devices, but this ability makes things far more complicated for the IT security team. Gone are the days when locking down the server was enough—now, you also have to pay attention to browsers, web and mobile applications, and all of their components.
There are two primary methods of deterring XSS attacks, but they each come with their own challenges and shortcomings.
 Attacks){kind=link}