This and the next series of blog entries will highlight the Top 10 most critical web application security vulnerabilities identified by the Open Web Application Security Project (OWASP).

You can use OWASP's WebGoat to learn more about the OWASP Top Ten security vulnerabilities. WebGoat is an example web application with lessons showing "what not to do" code, how to exploit that code, and corrected code for each vulnerability.

http://blogs.sun.com/carolmcdonald/resource/300px-WebGoat-Phishing-XSS-Lesson.JPG


You can use the OWASP Enterprise Security API (ESAPI) Toolkit to protect against the OWASP Top Ten security vulnerabilities.

http://blogs.sun.com/carolmcdonald/resource/550px-Esapi-before-after.JPG

The ESAPI Swingset is a web application which demonstrates the many uses of the Enterprise Security API.

http://blogs.sun.com/carolmcdonald/resource/swingset.jpg

OWASP Top 10 number 1: XSS = Cross Site Scripting

Cross Site Scripting (XSS) is one of the most common security problems in today's web applications. According to the SANS Top Cyber Security Risks report, 60% of the total attack attempts observed on the Internet are against web applications, and SQL injection and Cross-Site Scripting account for more than 80% of the vulnerabilities being discovered. You are at risk of an XSS attack any time you put content that could contain scripts from an untrusted source into your web pages.
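To make that risk concrete, here is an added example (written for this post, not code from the original entry, from WebGoat or from ESAPI) that shows the same page built two ways: once by concatenating a request parameter straight into the markup, and once with the parameter HTML-encoded first. To keep it runnable with plain `javac`/`java` and no servlet container, the request is a constructed parameter map standing in for `HttpServletRequest.getParameter()`, the render methods return the string a servlet would write to its `PrintWriter`, and `encodeForHtml` is a hand-written stand-in for a library encoder such as ESAPI's `encodeForHTML` (an assumption, not ESAPI's implementation).

```java
import java.util.LinkedHashMap;
import java.util.Map;

/**
 * Added example, not from the original post: reflected XSS shown without a
 * servlet container. The "request" is a constructed parameter map standing in
 * for HttpServletRequest.getParameter(); renderUnsafe/renderSafe return what a
 * servlet would write to its response PrintWriter.
 */
public class ReflectedXssDemo {

    /** Vulnerable: the untrusted parameter is concatenated into markup untouched. */
    static String renderUnsafe(Map<String, String> params) {
        String name = params.getOrDefault("name", "");
        return "<html><body><p>Hello " + name + "</p></body></html>";
    }

    /** Hardened: the same page, with the parameter HTML-encoded before it is emitted. */
    static String renderSafe(Map<String, String> params) {
        String name = params.getOrDefault("name", "");
        return "<html><body><p>Hello " + encodeForHtml(name) + "</p></body></html>";
    }

    /**
     * Minimal HTML body-context encoder. Assumption: this is a stand-in for a
     * library encoder (e.g. ESAPI's encodeForHTML), not ESAPI code. It escapes
     * the characters that can change how element content or a quoted attribute
     * value is parsed, so the browser treats the input as text, never as markup.
     */
    static String encodeForHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#x27;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Crude check used only by this demo: does the response still contain a live script tag? */
    static boolean containsScriptTag(String html) {
        return html.toLowerCase().contains("<script");
    }

    public static void main(String[] args) {
        // Constructed input standing in for ?name=... on the query string.
        Map<String, String> params = new LinkedHashMap<>();
        params.put("name", "<script>alert(1)</script>");

        String unsafe = renderUnsafe(params);
        String safe = renderSafe(params);

        System.out.println("unsafe response: " + unsafe);
        System.out.println("safe response:   " + safe);
        System.out.println("unsafe contains live script tag: " + containsScriptTag(unsafe));
        System.out.println("safe contains live script tag:   " + containsScriptTag(safe));
    }
}
```

The encoder is deliberately context-specific: it is correct for text placed inside an element body or a double-quoted attribute, which is the case in this page. Untrusted data placed into a JavaScript block, a URL, or a CSS value needs the encoder for that context instead, which is why libraries such as ESAPI expose a separate method per output context rather than one generic "sanitize" call.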
There are 3 types of cross site scripting:
  • Reflected XSS: occurs when an HTML page reflects user input data, e.g. from HTTP query parameters or an HTML form, back to the browser without properly sanitizing the response. Below is an example of this in a servlet:
        
     out.writeln(