Tuesday, March 2, 2010

Cross-site scripting and ways to code against it

Cross-site scripting is a vulnerability that exists when software does not sufficiently validate, filter, escape, and encode user-controllable input before placing it in output that is served as a web page to other users.
Cross-site scripting (XSS) is one of the most prevalent, obstinate, and dangerous vulnerabilities in web applications. It's pretty much inevitable when you combine the stateless nature of HTTP, the mixture of data and script in HTML, lots of data passing between web sites, diverse encoding schemes, and feature-rich web browsers. If you're not careful, attackers can inject JavaScript or other browser-executable content into a web page that your application generates. Your web page is then accessed by other users, whose browsers execute that malicious script as if it came from you (because, after all, it *did* come from you). Suddenly, your web site is serving code that you didn't write. The attacker can use a variety of techniques to get the input directly into your server, or use an unwitting victim as the middle man in a technical version of the "why do you keep hitting yourself?" game.
http://cwe.mitre.org/top25/#CWE-79

Some references to help protect against XSS vulnerabilities:
http://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API 
http://msdn.microsoft.com/en-us/library/aa973813.aspx

In short: validate your input and encode your output.
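
One way to apply "validate your input and encode your output", as an added example that is not from the original post or from the libraries linked above. The helper names, the username rule and the comment-rendering scenario are assumptions made for illustration.

```javascript
// Added example: allow-list input validation plus context-specific output
// encoding. All function names and the username rule are hypothetical.

const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;'
};

// Validate input: accept only what the field is supposed to contain.
function validateUsername(input) {
  return typeof input === 'string' && /^[A-Za-z0-9_]{3,20}$/.test(input);
}

// Encode for HTML element content and for quoted attribute values.
function encodeForHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Encode for a JavaScript string literal in an inline script block.
// Everything except ASCII letters and digits becomes \uXXXX, so the value
// cannot close the string or the surrounding script element.
function encodeForJsString(value) {
  return String(value).replace(/[^A-Za-z0-9]/g, (ch) =>
    '\\u' + ch.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Build a comment fragment: the author name is validated AND encoded,
// free text cannot be allow-listed as tightly and relies on encoding.
function renderComment(author, comment) {
  if (!validateUsername(author)) {
    throw new Error('invalid author name');
  }
  return '<div class="comment" title="' + encodeForHtml(author) + '">' +
         encodeForHtml(comment) + '</div>';
}

// Constructed sample input: markup submitted where plain text is expected.
const SAMPLE_COMMENT = '<script>alert(1)</script>';

console.log(renderComment('alice_01', SAMPLE_COMMENT));
console.log(encodeForJsString('</script>'));
```

The encoder has to match the output context: HTML entity encoding does not make a value safe inside a script block, which is why the two functions are separate.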
