Slashdot Mirror


User: rsenic

rsenic's activity in the archive.


Comments · 1

  1. Re: A hole is a hole (on "XSS Vulnerabilities Reviewed and Re-Classified") · Score: 1

    I don't think Paul has visited the XSS Cheat Sheet. First of all JavaScript is not the only language that applies to XSS. Secondly, it is a very real attack vector. Especially as Ajax becomes more mainstream, and the filter evasion becomes more diverse, it will be harder and harder for developers to know how to protect themselves. Stripping out angle brackets will protect them against a certain type of XSS, yes. No, it won't protect them from everything. For instance, UTF-7 encoding, or US-ASCII encoding attacks will both walk right around that form of filtering.

    Unfortunately people expect developers to understand what to do. "It's HTML, right? You know HTML don't you? Just stop it from happening!" Well, it's just not that easy. There are two faults.

    One, there are no canned libraries out there that are 100% successful at stopping XSS (you read that right, not one). There are some that when coupled with the correct encoding can stop 100%, but not alone. That's a fact, argue it if you like.

    Second, the browser companies allow XSS (and consumers expect it). It's how Ajax works, and it's how you can embed Flash on a webpage. It's just the way people want to do business online today. There's no going back, so the browser companies need to help come up with creative ways to solve the issue. I spoke with Firefox a while ago about one possibility of using content restrictions, so that webmasters could tell the browser to heighten their security settings on pages they felt were unsafe. There's probably a hundred other ways to do it, but so far nothing has been done.

    Thus the vectors continue. And it's not limited to the attacks you have seen thus far. Jeremiah Grossman and I have come up with a whole new set of attacks based on XSS (he'll be presenting it this summer at Blackhat if you happen to be near Las Vegas in August). The point being this guy really misunderstands the attack and doesn't get the big picture - which is that the more people tunnel applications over port 80 and the more people want to have a rich dynamic experience on the web, the bigger a problem this will become. Like it or not.
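The comment's point that stripping angle brackets is not the same as output encoding, shown as an added example (editor's code, not the commenter's): a bracket-stripping filter has nothing to remove from a UTF-7 spelling of `<`, which is why the defence is entity encoding in the output context plus an explicitly declared response charset. The function names and the sample input are constructed for this illustration.

```python
import codecs
import html


def strip_angle_brackets(s: str) -> str:
    """The naive filter the comment criticises: drop only '<' and '>'."""
    return s.replace("<", "").replace(">", "")


def escape_for_html_body(s: str) -> str:
    """Context-aware output encoding: entity-encode the characters that
    carry meaning in HTML text and attribute contexts."""
    return html.escape(s, quote=True)


def declares_explicit_charset(content_type: str) -> bool:
    """True when a Content-Type header pins the charset, so the browser
    does not have to guess the encoding of the page it renders."""
    params = [p.strip().lower() for p in content_type.split(";")[1:]]
    return any(p.startswith("charset=") and len(p) > len("charset=")
               for p in params)


# Constructed input: the single character '<' written in UTF-7 is the
# plain ASCII sequence "+ADw-", which contains no angle bracket at all.
UTF7_LESS_THAN = "+ADw-"


def naive_filter_misses_utf7() -> bool:
    """The stripping filter passes the UTF-7 form through unchanged; a
    renderer that treats the page as UTF-7 reads it back as '<'."""
    filtered = strip_angle_brackets(UTF7_LESS_THAN)
    return (filtered == UTF7_LESS_THAN
            and codecs.decode(filtered.encode("ascii"), "utf-7") == "<")


if __name__ == "__main__":
    print("naive filter bypassed:", naive_filter_misses_utf7())
    print("escaped:", escape_for_html_body('<a href="x">'))
    print("charset pinned:", declares_explicit_charset("text/html; charset=utf-8"))
```

The stripping filter and the entity encoder give different results on the same input; the charset check is the second half of the mitigation, since entity encoding only helps when the browser decodes the page the way the server intended.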