Select Website 

Recruitment Directory's Blog - Australia's #1 Recruitment Technology Blog!

Previous Page Previous Page  Next Page Next Page

How secure is your Recruitment website? Part 5 - Cross-site scripting (XSS)

Posted By: Dmitry Kulshitsky, 8:00am Tuesday 30 March 2010    Print Article

According to OWASP, cross-site scripting (XSS) flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation and escaping. XSS allows attackers to execute script in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.

XSS is the most prevalent web application security flaw. But what does it mean? Let’s have a look!


How does it work?


XSS attack involves three parties – the attacker, the victim (client) and the web site. A web site has an XSS flaw when it includes attacker supplied data in a page sent to the victim’s browser without properly validating or escaping that content. Attacker supplied data can be a piece of HTML or JavaScript code (hence – scripting). This code will be embedded into the web page by the vulnerable web application and sent to the victim’s browser.

Please note that the affected web site is NOT hacked as such. None of the web pages were modified by the attacker and all information in your database is still intact. What attacker controls is the content that gets sent back to the victim.


Consider the following scenario


You have a web page that is meant to welcome a logged in user:

http://www.YourRecruitmentWebSite.com/loggedIn.asp?name=Bill

Inside this page you have a piece of code that reads the “name” parameter from the query (URL) string and prints it back to the user:

Welcome, <%=Request.QueryString(“name”)%>

In our case the output that victim’s browser receives will be:

Welcome, Bill

So far, so good...But what will happen if we modify the name parameter to look something like this:

http://www.YourRecruitmentWebSite.com/loggedIn.asp?name=<script>alert(‘xss’);</script>

In this case the output will be:

Welcome, <script>alert(‘xss’);</script>

The victim’s browser would interpret this response as an HTML page containing a piece of JavaScript code. This JavaScript will be executed by the victim’s browser and the victim will see a popup window with the word ‘xss’ in it.

A piece of JavaScript supplied by the attacker was embedded into the web page by the vulnerable web application and sent back to the victim.

This is a cross-site scripting attack in its simplest form.


What is the impact?

An attacker can use XSS to do the following:
  • Deface web sites
  • Insert malicious content
  • Redirect users to other sites
  • Hijack user sessions (by stealing cookies/session information)
The most common method of using XSS involves tricking a victim into opening a maliciously coded page, which uses JavaScript code to open a vulnerable HTML page on the user’s local computer – often located in the directory where cached pages are stored, or perhaps a pop-up window – enabling the script to run commands with the same level of permission as the user. With this type of access, a hacker can easily corrupt a user's data, steal personal information, or take control of the user’s computer

E.g. an attacker can send a phishing e-mail to your clients purporting to be from your company asking them to change their passwords. This e-mail will contain a link to your web site with some extra code that will (by means of XSS) capture user name and password and quietly send it to the attacker’s web site.


Am I vulnerable to XSS?

Information used by your web application can arrive from multiple trusted and untrusted sources:
  • URL (query string) parameters
  • Form fields
  • HTTP headers
  • Cookies
  • Database tables
  • Web services
  • Local and remote files
If you don’t validate user input and don’t encode (‘escape’) output you are most likely vulnerable to XSS.

There are many free and commercial tools available that can assist you in finding XSS problems automatically. You can use a free version of the Acunetix Web Security Scanner can scan your web site for XSS related issues.


How do I prevent XSS?

It is quite easy to prevent XSS issues from happening. All input data has to be verified and validated to be safe. Output needs to be properly encoded (‘escaped’) before it is included in the resulting output.

Escaping is the primary means to make sure that untrusted data can't be used to convey an injection attack. There is no harm in escaping data properly - it will still render in the browser properly. Escaping simply lets the interpreter know that the data is not intended to be executed, and therefore prevents attacks from working.

Don’t reinvent the wheel. All major platforms have standard security libraries that you should use. E.g. if your web site is Microsoft .Net based then consider using Microsoft AntiXSS library.

Guest blog post by Dmitry Kulshitsky, Security Architect at SEEK.






Article URL: http://www.recruitmentdirectory.com.au/Blog/how-secure-is-your-recruitment-website-part-5-cross-site-scripting-xss-a346.html

Article Tags: cross site scripting xss insecure recruitment websites job board security how secure is your recruitment website defacement dmitry kulshitsky untrusted data

Comments View Comments (0)



Jobvite Share

Posted By: Thomas Shaw, 11:40am Monday 29 March 2010    Print Article

Jobvite has released a new beta site to allow you to easily share your job on social networking sites and with your own friends in a few simple steps. The process takes less than 60 seconds, and can integrate with your Facebook, Linkedin, Twitter and email account providers. It doesn't even need to be your own job. If you find a job you want to share, you can shorten the URL via the site and share it with your own friends.

The first step is to copy the URL (either the full job ad or application form address) into the form. It will then create a unique "Jobvite Link" you can use to promote and track the click through statistics. Once you have created your Jobvite link, you add information about the job. ie job title, company, location and job description. These details will be used to intelligently match your job with your own contact/friends lists.

The integration with the social networking sites reminds me of a previous article I wrote last year title Sharing Jobs on Social Networks using JobGenie except with this version of Jobvite, the applications are not tracked through the system.

The site is very simple and easy to use. If your current multi-posting/recruitment system does not offer the sharing functionality, perhaps you should start looking for another provider? Integrating with social networks is not rocket science.








Article URL: http://www.recruitmentdirectory.com.au/Blog/jobvite-share-a345.html

Article Tags: jobvite jobvite.com share.jobvite.com social networking twitter facebook linkedin job ads multiposting share jobs on social networks click tracking email address url shortner

Comments View Comments (1)



Australian HR Tech Report

Posted By: Thomas Shaw, 11:17am Monday 29 March 2010    Print Article

Navigo has just released the first edition of the Australian HR Tech Report. The report analyses Australian HRIS adoption, satisfaction with system implementations, motivators and roadblocks for systems improvement. One of the areas I was interested in was section on Applicant Tracking/Recruitment (ATS).


You can download the full report here.

Applicant tracking/recruitment stands-out as the solution area where organisations most commonly adopt stand-alone systems. HRIS based systems were less common.

Applicant tracking/recruitment is also the area with the largest differential in satisfaction amongst all the solution areas surveyed. Satisfied or very satisfied results for those employing stand-alone software rated 70% versus 15% for those with manual systems.

Despite being the second most common, manual systems are deeply dissatisfactory compared to stand-alone software. The large group of organisations with manual recruiting processes will be able to achieve a very noticeable improvement through adopting a stand-alone system.






Article URL: http://www.recruitmentdirectory.com.au/Blog/australian-hr-tech-report-a344.html

Article Tags: hr technology hris australian hr technology report navigo hrtechreport.com.au applicant tracking system recruitment system navigo.com.au human resources information systems information systems

Comments View Comments (0)



PHP Code Snippet - Delete Batch Uploaded Job Files

Posted By: Thomas Shaw, 3:12pm Thursday 25 March 2010    Print Article

If you manage any type of job board, there is a high chance you have some sort of 3rd party integration with your recruitment database software, applicant tracking system or multi posting system. This PHP code snippet will help developers who accept batch job uploaded files via FTP.

Over time, if your job board receives a new upload file every hour you will end up with hundreds (if not thousands) of old files taking up space on your server. For example, if you receive a new file every hour that is 250kb, every day you will add 5.85mb of files. After 7 days this would have grown to 41mb.

You can manage this by logging into your system every week, and deleting the old files manually which takes time or automate the process.

This code below cycles through a specified directory, sorts the oldest files, and if there are more files in the directory than specified, it will remove the oldest file.

If you have a better solution, let me know.

// KEEP THE LATEST 5 FILES, DELETE THE OLD FILES

clearstatcache();
$filestats1 = array();
$directoryname = $rootpath.'/batchupload';
$numberfiles = 5;

if($dir = @opendir($directoryname))
  {
    while (false !== ($file = readdir($dir)))
    {
      if(substr($file,0,1) != '.') // specify filename extension
      {
        if($stats = @stat($directoryname.$file))
        {
          $filestats1[] = array(
            'file'  => $file,
            'mtime' => $stats['mtime'],
            'ctime' => $stats['ctime'],
            'error' => false);
        } else {
          $filestats1[] = array('file' => $file, 'error' => true);
        } // end if
      } // end while
    }  // end while
	
    if(!empty($filestats1) && is_array($filestats1))
    {
      @sort($filestats1);
	  echo 'FILES IN FOLDER - '.count($filestats1).'<br />';
	  $ii = (count($filestats1) - $numberfiles);
      for($i = 0; $i < $ii; $i++)
      {
      echo 'DELETED OLD FILE - '.$filestats1[$i]['file'].'<br />';
	  @unlink($directoryname.$filestats1[$i]['file']);
	  } //end for 
    } // end if
  }  // end if
  
// END 



Article URL: http://www.recruitmentdirectory.com.au/Blog/php-code-snippet-delete-batch-uploaded-job-files-a343.html

Article Tags: php code snippet job board job board software bulk jobs ftp upload recruitment database software applicant tracking system multi posting system batch job upload

Comments View Comments (1)



Cut the fat. Application Form Filename Structure #2

Posted By: Thomas Shaw, 12:26am Thursday 25 March 2010    Print Article

Why would you make a candidate rename the filename to reflect the source when applying for a job? Are recruiters this lazy and technology deprived? Come on, let’s cut the fat and improve the candidate’s experience.

This is not the first time I have spoken out about this issue. Have a look at another example from last year.




Article URL: http://www.recruitmentdirectory.com.au/Blog/cut-the-fat-application-form-filename-structure-2-a342.html

Article Tags: recruitment technology online recruitment unique filename application form filename conversion online application form cut the fat application form filename structure

Comments View Comments (0)



How to confuse a job seeker

Posted By: Thomas Shaw, 11:42am Monday 22 March 2010    Print Article

Step 1. Create a confusing location structure.
Step 2. No Step 2, The candidate has left your site.














Article URL: http://www.recruitmentdirectory.com.au/Blog/how-to-confuse-a-job-seeker-a341.html

Article Tags: online recruitment job board location structure classification structure

Comments View Comments (6)



You know how much I feel like writing an advert on a friggin Sunday afternoon...

Posted By: Thomas Shaw, 11:12am Monday 22 March 2010    Print Article

If you are unsure what "friggin" means, have a read of the Urban Dictionary.




Article URL: http://www.recruitmentdirectory.com.au/Blog/you-know-how-much-i-feel-like-writing-an-advert-on-a-friggin-sunday-afternoon-a340.html

Article Tags: funny job ads job board mining manager job ad of the month emsjobs.com.au

Comments View Comments (0)



Recruiting Analytics that Matter

Posted By: Thomas Shaw, 1:43pm Wednesday 17 March 2010    Print Article

Newton Software has put together a simple guide to getting started with recruiting analytics. The recruiting analytics that you decide to capture should answer the most common questions that arise in recruiting.

  1. Measure what matters
  2. Measure metrics that answer questions
Focus on capturing information that will help you solve issues and bottlenecks before they become bigger problems. Performance metrics should allow you to be proactive and should allow you to answer questions in real-time. When considering what to measure ask the following questions.
  • Are we receiving applications for all our open jobs?
  • What are our best sources of applicants?
  • What happens to the applicants we receive?
  • How long does it take us to move applicants through our process?
  • Do we have any missed opportunities?




Article URL: http://www.recruitmentdirectory.com.au/Blog/recruiting-analytics-that-matter-a339.html

Article Tags: analytics online recruitment job board applicant tracking system recruitment analytics statistics newton software newtonsoftware.com recruitment software

Comments View Comments (0)



How long do you keep the candidates application for?

Posted By: Thomas Shaw, 5:37pm Tuesday 16 March 2010    Print Article

While researching application forms today, I came across an question that I had to share. It's one of these questions which no one really talks about. "How long will you permit us to store your personal information in the database?"

It's good to see a recruiter asking the candidate upfront instead of hiding these details in complex privacy policy documents. Please ensure you check your own country/state laws regarding the collection, storage and destruction of business records.




Article URL: http://www.recruitmentdirectory.com.au/Blog/how-long-do-you-keep-the-candidates-application-for-a338.html

Article Tags: application form candidate privacy candidate details personal information form design privacy policy business records

Comments View Comments (0)



Are your job ads mobile tagged? 2D Barcodes - QR Code & Microsoft Tag

Posted By: Thomas Shaw, 7:45am Friday 05 March 2010    Print Article

Have you ever noticed weird barcodes printed in the newspaper, on outdoor advertising posters or on the back of food packages? Don't panic, there was no stuff up at the printers. These barcodes are there for a reason…for YOU to scan over with your mobile phone and find out more information.


With the number of internet enabled mobile phones on the rise in Australia, are you taking full advantage of mobile marketing?

Mobile tagging is the process of providing data on mobile devices, commonly through the use of data (such as a URL) encoded in a two-dimensional barcode, meant to be read and inputted using a camera phone.

By creating a mobile tag you can create unlimited possibilities to transform physical media (print advertising, billboards, product packages, information signs, in-store merchandising, job ads, business cards etc) into live measurable links to easily access information online. These tags can allow us to measure the ROI of the marketing spend $ and allow us to measure when (and potentially where) users are responding to job ads across all media with detailed impression activity.





One of the most popular 2D barcodes is QR codes (Quick Response Code), which are a two-dimensional matrix barcode that can contain a limited amount of data. QR Codes can be easily created online via a website or automatically through an API.

If I was walking past a shop window and noticed they were advertising a job; instead of trying to remember all the details on job ad, you could scan the barcode, save it for later or send it to your friends. In the example shown below, RECRUIT2retail have combined the specific job title and full ad/application form URL into the QR Code. Try scanning it on your mobile phone and see what it says.



Unlike most popular 2D barcodes, which use black-and-white square pixels, the Microsoft Tag format - (High Capacity Color Barcode or HCCB) is based on colors in a triangle-based arrangement. The QR Code stores the data within the pixel code, whereas the Microsoft tag only contains a short URL. When you scan the tag it redirects you to that URL which contains the full tag information.



Unfortunately with any technology product, problems do exist. The barcode needs to be printed big enough for mobile phones to scan the image. Your mobile phone also needs to have specific reader software downloaded and installed. While the use of mobile tagging is not high in Australia, how can YOU make your marketing stand out from the crowd?





Article URL: http://www.recruitmentdirectory.com.au/Blog/are-your-job-ads-mobile-tagged-2d-barcodes-qr-code-and-microsoft-tag-a337.html

Article Tags: qr code barcode microsoft tag mobile marketing quick responce codes recruit2retail recruit2retail.com.au job ads mobile recruiting iphone qr code reader interactive job ads interactive marketing digital marketing data matrix hccb high capacity color barcode recruitment marketing 2d barcodes recruitment metrics marketing roi

Comments View Comments (0)


Previous Page Previous Page  Next Page Next Page


Random Blog Articles

Wasted print space in MyCareer
Published: 4:25pm Sunday 15 March 2009

Monkey Business
Published: 9:17pm Sunday 13 February 2011

Recruiting Analytics that Matter
Published: 1:43pm Wednesday 17 March 2010

Push Notifications for Mobile Recruitment/HR Apps
Published: 8:00am Monday 17 January 2011

I love RSS
Published: 3:19pm Wednesday 15 September 2010