According to OWASP, cross-site scripting (XSS) flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation and escaping. XSS allows attackers to execute script in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.
XSS is the most prevalent web application security flaw. But what does it mean? Let’s have a look!
How does it work?
XSS attack involves three parties – the attacker, the victim (client) and the web site. A web site has an XSS flaw when it includes attacker supplied data in a page sent to the victim’s browser without properly validating or escaping that content. Attacker supplied data can be a piece of HTML or JavaScript code (hence – scripting). This code will be embedded into the web page by the vulnerable web application and sent to the victim’s browser.
Please note that the affected web site is NOT hacked as such. None of the web pages were modified by the attacker and all information in your database is still intact. What attacker controls is the content that gets sent back to the victim.
Consider the following scenario
You have a web page that is meant to welcome a logged in user:
The victim’s browser would interpret this response as an HTML page containing a piece of JavaScript code. This JavaScript will be executed by the victim’s browser and the victim will see a popup window with the word ‘xss’ in it.
A piece of JavaScript supplied by the attacker was embedded into the web page by the vulnerable web application and sent back to the victim.
This is a cross-site scripting attack in its simplest form.
What is the impact?
An attacker can use XSS to do the following:
Deface web sites
Insert malicious content
Redirect users to other sites
Hijack user sessions (by stealing cookies/session information)
The most common method of using XSS involves tricking a victim into opening a maliciously coded page, which uses JavaScript code to open a vulnerable HTML page on the user’s local computer – often located in the directory where cached pages are stored, or perhaps a pop-up window – enabling the script to run commands with the same level of permission as the user. With this type of access, a hacker can easily corrupt a user's data, steal personal information, or take control of the user’s computer
E.g. an attacker can send a phishing e-mail to your clients purporting to be from your company asking them to change their passwords. This e-mail will contain a link to your web site with some extra code that will (by means of XSS) capture user name and password and quietly send it to the attacker’s web site.
Am I vulnerable to XSS?
Information used by your web application can arrive from multiple trusted and untrusted sources:
URL (query string) parameters
Form fields
HTTP headers
Cookies
Database tables
Web services
Local and remote files
If you don’t validate user input and don’t encode (‘escape’) output you are most likely vulnerable to XSS.
There are many free and commercial tools available that can assist you in finding XSS problems automatically. You can use a free version of the Acunetix Web Security Scanner can scan your web site for XSS related issues.
How do I prevent XSS?
It is quite easy to prevent XSS issues from happening. All input data has to be verified and validated to be safe. Output needs to be properly encoded (‘escaped’) before it is included in the resulting output.
Escaping is the primary means to make sure that untrusted data can't be used to convey an injection attack. There is no harm in escaping data properly - it will still render in the browser properly. Escaping simply lets the interpreter know that the data is not intended to be executed, and therefore prevents attacks from working.
Don’t reinvent the wheel. All major platforms have standard security libraries that you should use. E.g. if your web site is Microsoft .Net based then consider using Microsoft AntiXSS library.
Guest blog post by Dmitry Kulshitsky, Security Architect at SEEK.
Feel free to join in on the conversation. All comments are moderated before publishing. Comments posted by subscribers don't necessarily reflect the views of Recruitment Directory.
Jobvite has released a new beta site to allow you to easily share your job on social networking sites and with your own friends in a few simple steps. The process takes less than 60 seconds, and can integrate with your Facebook, Linkedin, Twitter and email account providers. It doesn't even need to be your own job. If you find a job you want to share, you can shorten the URL via the site and share it with your own friends.
The first step is to copy the URL (either the full job ad or application form address) into the form. It will then create a unique "Jobvite Link" you can use to promote and track the click through statistics. Once you have created your Jobvite link, you add information about the job. ie job title, company, location and job description. These details will be used to intelligently match your job with your own contact/friends lists.
The integration with the social networking sites reminds me of a previous article I wrote last year title Sharing Jobs on Social Networks using JobGenie except with this version of Jobvite, the applications are not tracked through the system.
The site is very simple and easy to use. If your current multi-posting/recruitment system does not offer the sharing functionality, perhaps you should start looking for another provider? Integrating with social networks is not rocket science.
Feel free to join in on the conversation. All comments are moderated before publishing. Comments posted by subscribers don't necessarily reflect the views of Recruitment Directory.
Michelle Rea (3:42pm Monday 19 April 2010)
Has anybody been using this service and if yes, what response have you had and do you have any thoughts to share?
Navigo has just released the first edition of the Australian HR Tech Report. The report analyses Australian HRIS adoption, satisfaction with system implementations, motivators and roadblocks for systems improvement. One of the areas I was interested in was section on Applicant Tracking/Recruitment (ATS).
Applicant tracking/recruitment stands-out as the solution area where organisations most commonly adopt stand-alone systems. HRIS based systems were less common.
Applicant tracking/recruitment is also the area with the largest differential in satisfaction amongst all the solution areas surveyed. Satisfied or very satisfied results for those employing stand-alone software rated 70% versus 15% for those with manual systems.
Despite being the second most common, manual systems are deeply dissatisfactory compared to stand-alone software. The large group of organisations with manual recruiting processes will be able to achieve a very noticeable improvement through adopting a stand-alone system.
Feel free to join in on the conversation. All comments are moderated before publishing. Comments posted by subscribers don't necessarily reflect the views of Recruitment Directory.
If you manage any type of job board, there is a high chance you have some sort of 3rd party integration with your recruitment database software, applicant tracking system or multi posting system. This PHP code snippet will help developers who accept batch job uploaded files via FTP.
Over time, if your job board receives a new upload file every hour you will end up with hundreds (if not thousands) of old files taking up space on your server. For example, if you receive a new file every hour that is 250kb, every day you will add 5.85mb of files. After 7 days this would have grown to 41mb.
You can manage this by logging into your system every week, and deleting the old files manually which takes time or automate the process.
This code below cycles through a specified directory, sorts the oldest files, and if there are more files in the directory than specified, it will remove the oldest file.
If you have a better solution, let me know.
// KEEP THE LATEST 5 FILES, DELETE THE OLD FILES
clearstatcache();
$filestats1 = array();
$directoryname = $rootpath.'/batchupload';
$numberfiles = 5;
if($dir = @opendir($directoryname))
{
while (false !== ($file = readdir($dir)))
{
if(substr($file,0,1) != '.') // specify filename extension
{
if($stats = @stat($directoryname.$file))
{
$filestats1[] = array(
'file' => $file,
'mtime' => $stats['mtime'],
'ctime' => $stats['ctime'],
'error' => false);
} else {
$filestats1[] = array('file' => $file, 'error' => true);
} // end if
} // end while
} // end while
if(!empty($filestats1) && is_array($filestats1))
{
@sort($filestats1);
echo 'FILES IN FOLDER - '.count($filestats1).'<br />';
$ii = (count($filestats1) - $numberfiles);
for($i = 0; $i < $ii; $i++)
{
echo 'DELETED OLD FILE - '.$filestats1[$i]['file'].'<br />';
@unlink($directoryname.$filestats1[$i]['file']);
} //end for
} // end if
} // end if
// END
Feel free to join in on the conversation. All comments are moderated before publishing. Comments posted by subscribers don't necessarily reflect the views of Recruitment Directory.
Why would you make a candidate rename the filename to reflect the source when applying for a job? Are recruiters this lazy and technology deprived? Come on, let’s cut the fat and improve the candidate’s experience.
Feel free to join in on the conversation. All comments are moderated before publishing. Comments posted by subscribers don't necessarily reflect the views of Recruitment Directory.
Feel free to join in on the conversation. All comments are moderated before publishing. Comments posted by subscribers don't necessarily reflect the views of Recruitment Directory.
Another classic I see a lot is having an enormous location list that tries to encompass every location on the planet, when the agency/site only actually has jobs in one corner of one country.
Most of the emails I receive from job seekers about job hunting say they want locations on adverts as they think the advertiser is deceiving if nothing is listed. Is it a case of be careful what you wish for!
Feel free to join in on the conversation. All comments are moderated before publishing. Comments posted by subscribers don't necessarily reflect the views of Recruitment Directory.
Newton Software has put together a simple guide to getting started with recruiting analytics. The recruiting analytics that you decide to capture should answer the most common questions that arise in recruiting.
Measure what matters
Measure metrics that answer questions
Focus on capturing information that will help you solve issues and bottlenecks before they become bigger problems. Performance metrics should allow you to be proactive and should allow you to answer questions in real-time. When considering what to measure ask the following questions.
Are we receiving applications for all our open jobs?
What are our best sources of applicants?
What happens to the applicants we receive?
How long does it take us to move applicants through our process?
Feel free to join in on the conversation. All comments are moderated before publishing. Comments posted by subscribers don't necessarily reflect the views of Recruitment Directory.
While researching application forms today, I came across an question that I had to share. It's one of these questions which no one really talks about. "How long will you permit us to store your personal information in the database?"
It's good to see a recruiter asking the candidate upfront instead of hiding these details in complex privacy policy documents. Please ensure you check your own country/state laws regarding the collection, storage and destruction of business records.
Feel free to join in on the conversation. All comments are moderated before publishing. Comments posted by subscribers don't necessarily reflect the views of Recruitment Directory.
Have you ever noticed weird barcodes printed in the newspaper, on outdoor advertising posters or on the back of food packages? Don't panic, there was no stuff up at the printers. These barcodes are there for a reason…for YOU to scan over with your mobile phone and find out more information.
Mobile tagging is the process of providing data on mobile devices, commonly through the use of data (such as a URL) encoded in a two-dimensional barcode, meant to be read and inputted using a camera phone.
By creating a mobile tag you can create unlimited possibilities to transform physical media (print advertising, billboards, product packages, information signs, in-store merchandising, job ads, business cards etc) into live measurable links to easily access information online. These tags can allow us to measure the ROI of the marketing spend $ and allow us to measure when (and potentially where) users are responding to job ads across all media with detailed impression activity.
One of the most popular 2D barcodes is QR codes (Quick Response Code), which are a two-dimensional matrix barcode that can contain a limited amount of data. QR Codes can be easily created online via a website or automatically through an API.
If I was walking past a shop window and noticed they were advertising a job; instead of trying to remember all the details on job ad, you could scan the barcode, save it for later or send it to your friends. In the example shown below, RECRUIT2retail have combined the specific job title and full ad/application form URL into the QR Code. Try scanning it on your mobile phone and see what it says.
Unlike most popular 2D barcodes, which use black-and-white square pixels, the Microsoft Tag format - (High Capacity Color Barcode or HCCB) is based on colors in a triangle-based arrangement. The QR Code stores the data within the pixel code, whereas the Microsoft tag only contains a short URL. When you scan the tag it redirects you to that URL which contains the full tag information.
Unfortunately with any technology product, problems do exist. The barcode needs to be printed big enough for mobile phones to scan the image. Your mobile phone also needs to have specific reader software downloaded and installed. While the use of mobile tagging is not high in Australia, how can YOU make your marketing stand out from the crowd?
Feel free to join in on the conversation. All comments are moderated before publishing. Comments posted by subscribers don't necessarily reflect the views of Recruitment Directory.
Previous Page Next Page 
In this case the output will be:
View Comments (0)
