In November 2018, security researchers from Check Point made an interesting discovery about the wildly popular game “Fortnite” — the website was vulnerable to cross-site scripting attacks. Thanks to an old, unsecured webpage, researchers found out that potential hackers could gain unauthorized access to users’ accounts, in-game currency, and audio recording capabilities — all without ever needing their login information.

The cross-site scripting attacks that dominate headlines tend to be larger-profile cases with big-name companies; in reality, businesses of all sizes can fall victim to this kind of cyberattack. In fact, cross-site scripting attacks account for 31% of all attacks — making it the most common type of attack (followed by SQL injection at 20%).

If cybercriminals can easily gain access to such big companies and cause significant damage with a cross-site scripting attack, imagine what problems they could stir up for your small business. For that reason, it’s more crucial than ever for small business owners to proactively protect their websites and customers.

What Is a Cross-Site Scripting Attack?

When cybercriminals use cross-site scripting, they inject code on a site via form fields or other areas of user inputs in order to target website users. When the user’s browser executes this code, attackers can hijack user sessions, covertly track session data, or even display spam content on an otherwise legitimate site.

Almost three-quarters of websites have cross-site scripting vulnerabilities — with 424 vulnerable pages, on average. These numbers should be concerning for small business owners, especially considering the immense fallout that could occur due to a cross-site scripting attack.

The Impact of Cross-Site Scripting Attacks

Cybercriminals using a cross-site scripting attack to steal data, such as session cookies, can take over a user’s browsing session, allowing the cybercriminals to post on social media, initiate bank transfers, and make purchases on e-commerce websites, all without the user knowing.

The fact that cross-site scripting impacts the user directly makes this type of attack particularly damaging for businesses. If customers found out that your website had vulnerabilities that allowed cybercriminals to steal their data, they wouldn’t remain customers for long. In fact, research indicates that 65% of users who experience data theft while online will not return to the site.

Considering that a single vulnerability could have such a tremendous impact on your bottom line, it’s imperative to take the necessary steps now to prevent cross-site scripting attacks.

How to Prevent Cross-Site Scripting Attacks

The primary ingredient for cross-site scripting attacks is outdated software — including content management system core files, plug-ins, and themes. Input fields are often overlooked as well because many small businesses don’t have in-house security personnel to ensure the right level of security is factored in when building out these fields. 

Cybercriminals have caught on that small businesses are more vulnerable, and it’s estimated that 43% of cyberattacks now affect small businesses. What’s more, 64% of those attacks come through web applications like cross-site scripting vulnerabilities. To prevent your business from becoming the next victim, rely on the following four cross-site scripting prevention techniques.

1. Keep software updated. Cybercriminals and developers are in a constant arms race, with the former hunting tirelessly for vulnerabilities and the latter working to patch them. If you aren’t judicious about updating software or applications, you give cybercriminals the chance to take advantage of any known vulnerabilities.

It’s best to review your systems and web applications regularly to ensure they’re updated. Also, your business should remove applications you don’t need as an added security measure. Reviewing all others every few months will help ensure your applications don’t have vulnerabilities that attackers can exploit.

2. Sanitize input fields. Input fields are a common gateway for cross-site scripting attacks. Sanitizing an input field — or validating that the data is in the proper form — ensures that only expected content can be submitted by your visitors. Predefining what a user can input (e.g., only allowing your fields to accept numbers, hyphens, and parentheses for a phone number) helps prevent a cross-site scripting attack on your site. To protect your site visitors, all input fields should be sanitized regularly.

3. Use client- and server-side form validation. Validating all form submissions allows you to check the data on a form before it’s accepted by the server. Typically, client-side form validation is done by utilizing JavaScript to confirm that only data deemed “acceptable” is being used before submitting it to the web server. As an additional safeguard, server-side validation should always be used in tandem with client-side validation. Server-side validation means the server also sanitizes the data before evaluating and accepting it.

4. Use a web application firewall. As cyberattacks become more advanced and prevalent, a good best practice is to use a WAF that can filter bad bots and other malicious threats away from your website. Think of a WAF as the gatekeeper to your website, preventing cross-site scripting attacks before they’re executed. When shopping for a WAF, look for a provider that protects against the latest and the most common types of attacks.

With cyberattacks on the rise, a few steps toward cross-site scripting prevention go a long way. By taking the above measures to shore up your defenses, you’re demonstrating a commitment to company and customer data that will produce big benefits in the long run.

Monique Becenti is a product and channel marketing specialist at SiteLock, a cloud-based website security provider currently protecting more than 12 million websites globally. Monique is passionate about improving the customer experience for all. SiteLock’s combination of dedicated research and developmental efforts, aggressive product road maps, and access to a massive global data set make the company a leading innovator in web security.