Slashdot Mirror

← Back to Stories (view on slashdot.org)

The Anatomy of Cross Site Scripting

Posted by CmdrTaco on from the vulnerabilities-are-lurking-everywhere dept.

LogError writes "Many documents discuss the actual insertion of HTML into a vulnerable script, but stop short of explaining the full ramifications of what can be done with a successful XSS attack. While this is adequate for prevention, the exact impact of cross site scripting attacks has not been fully appreciated. This paper will explore those possibilities."

5 of 208 comments (clear)

  1. XSS Protection by mnmlst · · Score: 4, Informative

    Cross Site Scripting attack protection is a standard feature of many network security products these days. Check Point NG with Application Intelligence (Feature Pack 4 in other words) includes XSS protection as part of its' so-called SmartDefense. I am curious if anyone has run into situations where SmartDefense is screwing up legitimate traffic, especially traffic that resembles an XSS attack.

    BTW, does anybody have some good recommendations for cheaper alternatives with pretty comparable protection to Check Point? I would like something that is as defensive, but not as configurable or extensible.

    --
    In principio erat Verbum.
  2. Re:Can someone explain? by nestler · · Score: 4, Informative
    X is a cross if you look at it.

    The main reason Cross Site Scripting is abbreviated XSS (instead of CSS) is to avoid confusing it with Cascading Style Sheets (this confusion is likely to happen since both of these things are related to web pages).

  3. This is news? by unfortunateson · · Score: 4, Informative

    I'm surprised this merited a news item.
    Webmonkey had a similar article three and a half years ago, that provide some more solid examples of what happens.

    I designed an e-commerce site over the last six years, and evaluated where there might be XSS vulnerabilities. Not having a bulletin board or guestbook removes many areas for exploitation.

    So if someone types contaminated data into their address field when checking out, you'd think all it hoses is their own purchase, right?

    Well, with PHP or Perl CGI, it's possible that the inputted variables could exploit server knowledge: if you know the variable names used in the PHP code for, say, the MySQL password, then embedding this in the input to be evaluated on output can open an avenue for hacking. The variable has to be evaluated in most cases, although code which generates new PHP pages could result in similar problems.

    HTML encode EVERYTHING the user sends to you.

    --
    Design for Use, not Construction!
  4. Free Article on Cross-Site Attacks by shiflett · · Score: 4, Informative

    Although it is PHP-specific, this free article explains XSS and CSRF in quite a bit of detail and might be useful for Web developers using any language:

    http://www.phparch.com/sample.php?mid=16

    Enjoy

  5. Its news to you by samjam · · Score: 4, Informative
    HTML encode EVERYTHING the user sends to you


    *cough*

    Its this kind of lack of understanding that makes the problem so prevelant.

    First it doesn't make sense to htmlencode everything just as id doesn't make sense to addslashes everything (now turned off by default in all good php configurations).

    Here's why: Not everything that comes in is to be displayed as html, just as not everything that comes in is destined for the database.

    Unless you understand the risks, you can't guard against them though it appears some people are still able to be certain they have guarded against them.

    If you do this,

    sqlquery("select * from user where username='$user'") then you need to think what the problem is, its a well defined problem, it is that $user may contain a final ' mark and then some; maybe:
    $user="jimjoe' or 1'"

    so your preferences page now shows the first user in the db, or depending on your web page, all of them.

    In php, htmlentities doesn't encode the '

    If you are invoking system commands (and yes I one had to do a LOT of this from php) then be careful about shell meta characters like ` ' " and $ in certain cases.

    The principle is that you need to make sure the system you are passing data on to interprets it in the literal sense that you require and you cannot do this unless you understand completely how each of the systems you will pass the data on to really does interpret data.

    So if your user data is destined for the database, then escape it, something like:

    sqlquery(sprintf("select * from user where username='%s'",addslashes($user)));
    (yes there are other better was of doing it)

    If you want to display on the web page inline:
    echo htmlentities($user);
    on the other hand if you want to display in an text area I think there is other encoding to use. If it is for a url you need to urlencode and htmlentities but I forget the order.

    Understand the system you are communicating with.

    Sam
    --
    blog.sam.liddicott.com