Radiant Core: CrossSiteScripting tag http://www.radiantcore.com/ All of the Radiant Core posts tagged with CrossSiteScripting. en-ca Copyright 2006, Radiant Core Inc. All rights reserved. webmaster@radiantcore.com webmaster@radiantcore.com <![CDATA[5 Tips for protecting your site against XSS]]> Michael Bodalski <info@radiantcore.com> http://www.radiantcore.com/blog/archives/18/07/2006/5xsstips http://www.radiantcore.com/blog/archives/18/07/2006/5xsstips http://www.radiantcore.com/blog/archives/18/07/2006/5xsstips#comments While some still debate the risks associated with cross-site scripting (XSS) attacks, after the high exposure attacks against MySpace and Hotmail the pendulum has definitly swung in the direction of treating XSS as seriously as other more common injection type attacks. Either way, as with most things involving security on the web, it never hurts to err on the side of caution. The trick with XSS is that since the problem isn't specific to a particular technology, it can be tricky to know if you are vulnerable. Here are five common XSS injection techniques to check for any time you accept user input on your site.

  1. Your forms accept unnecessary HTML tags: This one should be obvious, but if a form on your site lets a user insert a tag in a comments form, you've got a potential problem. Unless there is a very good reason for it, it's usually not advisable to let users send HTML entities through a form.
  2. Failing to validate properties in anchor tags: It's often convenient or necessary to allow users to insert HTML in their input. If your site allows this, it is highly advisable to validate the properties passed along with the HTML. A common exploit is to hide script source inside of URLs. Depending on the user's browser, <a href="http://domain.com/page.asp?value=<script>code</script> will escape the URL and execute the value contained within the script tags.
  3. Not checking for correct data types: As with anchor tags, it's possible for a user to insert code disguised within an img tag. Since it's possible to have a server side script generate an image dynamically, most browsers will accept <img src="http://domain.com/script.php"> as a valid image resource. However accepting such input without verifying what value is being returned exposes your site to possible risks.
  4. Not cleaning user added CSS: As Niklas Bivald points out in his A List Apart article "Community Creators, Secure Your Code!", in-line CSS styling provides another opportunity. Niklas spends far more time on the subject than I can here including suggestions for cleaning input.
  5. Ignoring <embed> and <object> tags: While Javascript is the most common tool for implementing an XSS attack, you should also be careful that users can't link to external objects that have their own scripting languages. For example, Flash could be used to display an element on a page, or even open new browser windows. Since <embed> ad <object> tags are not directly dangerous, many developers overlook them when filtering user input.

For more information on XSS vulnerabilities, I highly recommend reading HTML Code Injection and Cross-site scripting which provides detailed information on detecting and filtering user input to protect your site from attack.

]]> HTML/CSS Tue, 18 Jul 2006 11:00:00 GMT