Re: [WEB SECURITY] Cross Site Scripting
- From: "James Landis" <jcl24@xxxxxxxxxxx>
- Subject: Re: [WEB SECURITY] Cross Site Scripting
- Date: Thu, 20 Sep 2007 11:00:30 -0700
Several people have mentioned now that input validation is the
solution to cross-site scripting problems. I'm not saying that input
validation isn't a great idea. However, one look at RSnake's XSS cheat
sheet should send any sane developer screaming for the hills with that
approach. It's hard enough trying to write a filter for just one of
those variants while keeping in mind the character requirements for
the field, let alone 70+ variants. Of course those 70 are not the only
ways to construct XSS attacks, either.

XSS is an output encoding problem, like any other command injection
problem. Fundamentally, it's a problem of data being interpreted in a
context in which it takes on functional meaning. In the case of XSS,
data are being interpreted as HTML markup (most often JavaScript, but
that is not the only useful vector).

The solution to the problem is to take away the functional meaning of
data before using it in the Web context. That means: a) don't use
document.write and b) don't put data in the response buffer unless it
has been encoded appropriately first.

-j

On 9/20/07, Sergii Khomenko <sergey.khomenko@xxxxxxxxx> wrote:
>
> To reduce the risk and to prevent such an attack on your website, all form
> information that is entered, should be checked for html code like this
> <script>script code goes here</script>. Basically, your website should not
> accept any script code from anyone on the web and especially storing the
> code in the db and then outputting it to somebody else.
>
> When you add validation for your input fields, you can run free web
> vulnerability scanners like www.acunetix.com to see if you still have the
> vulns.
>
> Hope this helps.
>
> Sergii Khomenko
>
> ________________________________
>
> From: Mad Unix [mailto:madunix@xxxxxxxxx]
> Sent: Thursday, September 20, 2007 10:53 AM
> To: websecurity@xxxxxxxxxxxxx
> Subject: [WEB SECURITY] Cross Site Scripting
>
> Our security consulting company discovered on our web server the following
> risk:
>
> Cross Site Scripting
> Risk: High
>
> Description of Vulnerability
>
> The Cross-Site Scripting attack is a privacy violation that allows an
> attacker to acquire a legitimate user's
> credentials and to impersonate that user when interacting with a specific
> website.
> The attack hinges on the fact that the web site contains a script that
> returns a user's input
> (usually a parameter value) in an HTML page, without first sanitizing the
> input.
> This allows an input consisting of JavaScript code to be executed by the
> browser when the script returns this input
> in the response page. As a result, it is possible to form links to the site
> where one of the parameters consists of malicious
> JavaScript code. This code will be executed (by a user's browser) in the
> site context, granting
> it access to cookies that the user has for the site, and other windows in
> the site through the user's browser.
>
> --------------
>
> Can anyone tell me more about this effect and how to observe and resolve
> this issue, since it is given as high risk.
>
> Thanks
>
> --
> madunix
>
> madunix@xxxxxxxxx
----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec
Have a question? Search The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/
Subscribe via RSS:
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
Brought to you by http://www.webappsec.org
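
Added example, not part of the original thread: the contrast drawn in the reply above between a `<script>` input filter and encoding data for the context it is written into. All function names and sample inputs are constructed for illustration.

```javascript
// Input filter of the kind the quoted message suggests: strip <script> blocks.
function stripScriptTags(input) {
  return input.replace(/<script\b[^>]*>[\s\S]*?<\/script\s*>/gi, "");
}

// Encode for an HTML text node or a quoted attribute value.
function encodeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Encode for a quoted JavaScript string literal in an inline script block:
// every non-alphanumeric code unit becomes \uXXXX, so the value can close
// neither the string nor the enclosing script element.
function encodeJsString(value) {
  return String(value).replace(/[^A-Za-z0-9]/g, (c) =>
    "\\u" + c.charCodeAt(0).toString(16).padStart(4, "0"));
}

// Build a response fragment; each sink gets the encoder for its own context.
function renderGreeting(name) {
  return '<p title="' + encodeHtml(name) + '">Hello, ' + encodeHtml(name) + "</p>\n" +
         '<script>var user = "' + encodeJsString(name) + '";</script>';
}

// Constructed samples: markup that contains no <script> tag, and an ordinary
// value with characters a strict input filter would have to reject.
const samples = ["<img src=x onerror=alert(1)>", "Conan O'Brien <conan@example.com>"];

function demo() {
  return samples.map((s) => ({
    input: s,
    afterFilter: stripScriptTags(s), // unchanged: the filter only looks for <script>
    rendered: renderGreeting(s),     // markup characters arrive as inert text
  }));
}

console.log(demo());
```

The filter passes the first sample through untouched, while the encoded output renders both samples as plain text without rejecting the legitimate apostrophe and angle brackets in the second.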