The technique works equally well over SSL, and so offers fraudsters the enticing opportunity of having a phishing attack delivered over SSL with the attacker’s code being served as part of a URL from the bona fide bank’s own secure server. Further, if the vulnerable site uses cookies, it may be possible for the fraudster to steal the user’s session cookie and hence hijack the user’s secure session.
Greenhalgh notes that the issue is not a new vulnerability, but a failure of very widely trusted organisations to defend their customers against what should be well understood risks. Web programmers can prevent most cross-site scripting attacks by validating form input, and ensuring that all user data is correctly encoded before it is displayed or stored. “Never trust user input” is a basic security tenet designed to reduce the risk posed by web forms.
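To make the “never trust user input” point concrete, here is an added example (not code from the article or from any bank’s system) of a page that reflects a query-string parameter into its HTML, first as written carelessly and then with the allow-list validation and output encoding the paragraph describes. The parameter name and the template are assumptions.

```python
import html
import re

# Constructed scenario: a page echoes an account "nickname" taken from the
# request into the response body. The template and names are assumptions.

# Vulnerable form: the parameter is concatenated straight into the markup,
# so any '<' or '"' the user supplies becomes live HTML on the bank's origin.
def render_vulnerable(nickname: str) -> str:
    return f"<p>Welcome back, {nickname}</p>"

# Hardened form, step 1: validate the input against an allow-list of what a
# nickname may legitimately contain, rejecting everything else outright.
NICKNAME_RE = re.compile(r"^[A-Za-z0-9 '\-]{1,40}$")

def validate_nickname(nickname: str) -> bool:
    return NICKNAME_RE.fullmatch(nickname) is not None

# Hardened form, step 2: encode for the HTML context at output time, even for
# input that passed validation (defence in depth: validation rules drift).
def render_hardened(nickname: str) -> str:
    if not validate_nickname(nickname):
        nickname = "customer"  # fall back rather than echo rejected input
    return f"<p>Welcome back, {html.escape(nickname, quote=True)}</p>"

# Test oracle for reflection bugs: does the rendered page contain any tag
# that is not part of the template? Handy in a unit test for each view.
def contains_foreign_markup(rendered: str) -> bool:
    tags = re.findall(r"<[^>]+>", rendered)
    return any(tag not in ("<p>", "</p>") for tag in tags)
```

Running `contains_foreign_markup` over every rendered view in a test suite is a cheap way to catch the class of mistake the article describes before an external tester does.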
That said, carelessness is human nature, even amongst developers of banking systems. Although cross-site scripting has been a well-known technique for over four years, it is an easy mistake for programmers to make, and can be an awkward one to test thoroughly. Moreover, the need for iterative refinements to web-based systems is much greater than the pace of development to which banks were previously accustomed, and the opportunities for them to introduce errors are consequently greater.
While it is possible to automate testing for system service vulnerabilities, application testing requires expert human involvement for a reasonable degree of assurance. All other things being equal, a specialist security testing consultant will have a natural advantage over an equally capable person working in-house as [s]he will typically test applications from many different organisations, and is in a position to abstract common themes from the wide range of systems they test and the mistakes they encounter – while the same person working in house at a bank would probably test only a single system, or systems based on a single technology.
Moreover, relying on your own testing is akin to marking your own examination paper. The most prudent organisations, even if they are confident that their systems have been written robustly and tested meticulously, will still have their systems tested by an external organisation, which at a minimum delivers an experienced and professional second opinion, and at best saves the day. If there is one single thing that would improve the security of web-based banking systems, it would be for each country’s banking regulators to mandate this approach, rather than leave external testing to the discretion of each individual bank.
Declaration of interest: Netcraft provides exactly this type of application testing.