Veracode has recently announced the launch of Veracode Free XSS Detection Service. The service is designed to help developers detect and eliminate cross-site scripting (XSS) errors that, according to Veracode, are responsible for more than half of all Web application vulnerabilities.
According to OWASP, a project that tracks application security, XSS flaws occur whenever an application takes untrusted data and sends it to a browser without proper validation. XSS allows attackers to execute scripts in the victim’s browser that can hijack user sessions, deface websites, or redirect the user to malicious sites.
Veracode said the service removes perceived complexity from the detection process, and that with access to proper education and training, developers can avoid introducing the flaws into software in the first place.
Chris Eng, senior director of security research at Veracode, said, “We see thousands—sometimes tens of thousands—of XSS vulnerabilities a week. Many are those we describe as ‘trivial’ and can be fixed with a single line of code. Some of our customers upload a new build the following day; others never do. Motivation is clearly a factor.
“Think about the XSS vulnerabilities that hit highly visible websites such as Facebook, Twitter, MySpace and others. Sometimes those companies push XSS fixes to production in a matter of hours. Are their developers really that much better? Of course not. The difference is how seriously the business takes it. When they believe it’s important, you can bet it gets fixed.”
To use the service, developers sign up for an account and submit their Java application, supplying metadata such as the application name and build version. The archives are encrypted in transit and at rest on Veracode servers. The Veracode platform pre-scans the archive to confirm the code can be scanned for XSS errors; once the pre-scan completes, the developer starts the full scan. The service delivers a report by e-mail giving the location of each problem and remediation recommendations.
Veracode customers also have complimentary access to the company’s XSS eLearning courses.