Re: [WEB SECURITY] Cross Site Scripting
- From: Francois Larouche <francois.larouche-ml@xxxxxxxxxxxxxxxxxxxx>
- Subject: Re: [WEB SECURITY] Cross Site Scripting
- Date: Thu, 20 Sep 2007 12:35:29 -0700
I don't entirely agree with you.
Always encode output in case input validation failed OR the data
comes from another source that you have no control over (sharing a DB, for
instance).
Besides, as many have mentioned, a black list is a limited system. To add to
this, nowadays it's trivial with a human launching and monitoring a set
of signatures against a parameter to find the loophole in the black
list. I'm sure that many out there have already written such a script or
tool. If on the other hand someone is trying all the signatures by hand, it
will then entirely depend on their expertise and patience.
I do believe that black lists are just raising the bar... Nothing else
nothing more. First step to a safer world I guess.
As for being alerted that you are under attack within a few days... If
you use a black list it doesn't mean you have an IDS or whatever system
that detects attacks, or even that someone will monitor it 24/7, or that
once he sees that something is going on it's not already too late. I
wouldn't bet my business on that, would you?
As a final note, I entirely agree that white listing is one of the
best solutions _when_ you can apply it on simple data that always follows
the same pattern (ZIP code, integer, tel number, postal code, and so
on). But it can be a nightmare for the developers to keep that white list
valid when it comes to more complex inputs. The worst problem might
occur when the white list is now blocking valid data. For example, a
white list refuses to accept purchases of more than $9999 (4 digits) but
your business has grown and now you have purchases ranging over this. I
don't think the CEO will be happy to learn that the company has lost
those sales just because of an overzealous developer... But I guess you
can imagine the problem.
My two cents...
Francois
Agree...
1. input validation
2. Output encoding if we have to accept malicious characters (that's a
real problem for social network web sites - too large an acceptable range
of characters)
3. Blacklist...
From experience, the advantage of a blacklist is not protection against
XSS (we can bypass this kind of filter easily) BUT don't minimise the
advantage of blacklisting...
Blacklisting is a very powerful detection system... Often hackers try
patterns before finding an issue...
We can expect that the blacklist can detect some issues.
You will be alerted that you are under attack within a few days...
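The layering both messages describe (allow-list validation for fixed-format fields, output encoding applied unconditionally, and signature matching used only as an alerting signal), as an added illustration that is not part of either poster's mail. Field names, patterns and sample inputs are constructed for the demo; the 4-digit amount limit is kept on purpose to show the over-tight allow list rejecting a valid order.

```python
import html
import re

# Allow-list patterns for simple, fixed-format fields (constructed).
# "amount" is capped at 4 digits to reproduce the thread's $9999 problem.
ALLOW_LIST = {
    "zip": re.compile(r"\d{5}"),
    "amount": re.compile(r"\d{1,4}"),
}

# Blacklist signatures (constructed). They are a detection signal only;
# output encoding below is what actually prevents script injection.
DETECT_SIGNATURES = [
    re.compile(r"<\s*script", re.IGNORECASE),
    re.compile(r"javascript:", re.IGNORECASE),
    re.compile(r"on\w+\s*=", re.IGNORECASE),
]


def validate(field, value):
    """Allow-list check for fixed-format fields; free-text fields are accepted."""
    pattern = ALLOW_LIST.get(field)
    if pattern is None:
        return True
    return pattern.fullmatch(value) is not None


def suspicious(value):
    """True when a blacklist signature matches: raise an alert, don't rely on it."""
    return any(sig.search(value) for sig in DETECT_SIGNATURES)


def render_html(value):
    """Encode on output every time, whether or not validation ran upstream."""
    return "<td>%s</td>" % html.escape(value, quote=True)


def process(field, value, alerts):
    """Return the safe HTML fragment, or None if the allow list rejected it."""
    if not validate(field, value):
        return None
    if suspicious(value):
        alerts.append((field, value))  # signal for monitoring, not a block
    return render_html(value)


if __name__ == "__main__":
    alerts = []
    for field, value in [("zip", "90210"), ("amount", "12500"),
                         ("comment", "<script>alert(1)</script>"),
                         ("comment", 'Tom & Jerry\'s "best"')]:
        print(field, "->", process(field, value, alerts))
    print("alerts:", alerts)
```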