Slashdot Mirror

← Back to Stories (view on slashdot.org)

Yahoo! XSS Flaw Endangers its Users

Posted by CowboyNeal on from the ever-vigilant dept.

Rarely Greys writes "A major Yahoo XSS flaw makes it possible to take over any Yahoo user's account, including their mail, instant messaging, photos, etc. This is not a rare occurrence. So why aren't web sites doing more to protect their users? It's looking like most web developers don't even know or care about XSS."

2 of 157 comments (clear)

  1. Oh... and NoScript... by Alcoholic+Synonymous · · Score: 5, Informative

    The NoScript addon has Yahoo as one of their exemptions to its anti-XSS protection by default.

  2. Sanitizing user imput is the most important part by Spliffster · · Score: 5, Informative

    If you want to secure your systems, make sure you do not allow userinput with certain tags (assuming this input is displayed later on in a html page).

    Tags like script, iframe, link, style, embed, object _MUST_ be stripped in an untrusted environment. why you may ask: script, iframe, link allow external references (for example injection of code of remote sites which you can not easily check).

    script itself is the most evil tag because it allows an attacker to access any element in a page, modify it and inject further remote scripts not stored on your server.

    ie interprets javascript and vbcode in style tags /me *shudders* (not sure if this is still true in IE7, in quriks-mode however i am pretty sure this still works in ie7 and non standard compliant mode AKA quirks-mode is the default for most IE only or IE targetted sites).

    embed and object tags are used to insert java and activeX code, I guess I do not have to say much about those two techniques, it's again about inserting remote code at runtime.

    iframe is, by nature, a fairly secure tag. it can not harm the users page much but it can be used to trick the user in believing to be on another page/site or trick him in any other way. plus, many IE versions had security holes where scripts could travel up from iframe into its parent document to manipulate data from another domain (crossite ;)

    There might be some potentially evil tags missing in my list, this is just from the top of my head.

    I usually go the other way, instead of restricting tags i define a white-list of tags which are useful for formatting reasons such as strong, em, front, etc. this seems to be a much more controllable way.

    HTH,
    -Simon