Free Service Targets XSS Bugs in Java Apps
Cross-site scripting bugs have been a major problem for Web site operators for years now, and while their causes and their solutions are both well-understood, they're still quite pervasive. But a new free service is aiming to help site owners avoid the serious compromises that can follow an attack on an XSS flaw.
On Monday, software security firm Veracode released a new free service that is designed to enable Web site owners to scan their Java applets for XSS bugs. Site owners can upload their applets to Veracode's servers and the company will scan the application for existing XSS vulnerabilities.
The new free service is only available for Java applications and will only look for XSS flaws, the company said. The service is a small subset of the larger binary-analysis services that Veracode performs on a paid basis. Those paid scans look for many other types of flaws across a variety of application types.
Although it's a simple and common type of flaw, cross-site scripting has become a serious issue in Web applications on all kinds of sites. Because it's so pervasive and relatively easy to exploit, XSS is also a favorite vector for attackers looking for a quick way into a given site. OWASP lists XSS as the number two application security risk in its 2010 Top 10 list.
Veracode's new service allows users to upload one binary for free.
“At Veracode, we see thousands — sometimes tens of thousands — of XSS vulnerabilities a week. Many are those we describe as ‘trivial’ and can be fixed with a single line of code. Some of our customers upload a new build the following day; others never do. Motivation is clearly a factor,” Chris Eng, senior director of security research at Veracode, said in a statement. “Think about the XSS vulnerabilities that hit highly visible websites such as Facebook, Twitter, MySpace and others. Sometimes those companies push XSS fixes to production in a matter of hours. Are their developers really that much better? Of course not. The difference is how seriously the business takes it. When they believe it’s important, you can bet it gets fixed.”