Understanding XSS to prevent it

23.06.2006 at 14:41

There was recently a completely stupid XSS story covered on Slashdot whose main argument is quoted below.

XSS vulnerabilities are not a mark of bad or insecure code but rather a nasty but unavoidable risk that's a part of JavaScript - and that even then, XSS 'vulnerable' sites are no less dangerous or vulnerable at heart.

Fortunately this is complete bullshit. We will discuss later what kind of countermeasures can be taken, but first of all make sure you know what XSS is; for that purpose I would suggest reading the XSS FAQ.

Countermeasures

Now that you know what you're reading about, we can dive further into the technical details of preventing XSS vulnerabilities. An often heard but false piece of advice is to simply replace all < and > with their named counterparts &lt; and &gt;. This however fails to prevent some JavaScript+CSS based attacks, such as the example below.

background:url(javascript:alert(document.cookie));

As another piece of advice, let me say that you shouldn't rely on blacklists, that is, filtering out potentially dangerous stuff; instead use whitelists and allow only a well defined set of tags and attributes. This is especially important because IE will even interpret JavaScript with embedded termination characters (NUL bytes), as in the tag below.

<scr\x00ipt>alert("Hello World")</s\x00cript>

I hope you realize that you will never catch all the possible cases, because there are simply too many hacks and tricks to bypass your filter. Therefore use whitelists. If done right, it's even better to use a markup language completely unrelated to HTML, such as BBCode, which is often found in forums and wikis.
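
To make the blacklist-versus-whitelist point concrete, here is an added example (written for this post, not code from the original or from any project it mentions). It uses Python's standard-library html.parser to build a small whitelist sanitizer: only the tags in ALLOWED survive, only the attributes listed for each tag are kept, href must start with a scheme in SAFE_SCHEMES, and all text and attribute values are entity-escaped on output. Beside it sits a naive blacklist that deletes <script> tags. The two input samples are constructed: the NUL-split tag described above and a style attribute carrying the javascript: URL from the CSS example. Tag and scheme lists are assumptions for the demo, not a recommendation for any particular site.

```python
import html
import re
from html.parser import HTMLParser

# Constructed samples (written for this example, not taken from the post):
# the NUL-split tag the post describes, and markup carrying a javascript: URL
# inside a style attribute.
NUL_SPLIT = '<scr\x00ipt>alert("Hello World")</s\x00cript>'
CSS_URL = '<p style="background:url(javascript:alert(document.cookie))">x</p>'


def blacklist_filter(fragment):
    """Blacklist approach: delete <script> tags. It misses anything it does
    not enumerate, including the NUL-split spelling above."""
    return re.sub(r"</?script[^>]*>", "", fragment, flags=re.IGNORECASE)


# Whitelist (assumed for the demo): the only tags that survive, each with the
# only attributes it may carry. style and on* handlers are never listed.
ALLOWED = {"b": set(), "i": set(), "p": set(), "br": set(), "a": {"href"}}
# URL attributes must start with one of these schemes; anything else is dropped.
SAFE_SCHEMES = ("http://", "https://", "mailto:")


class WhitelistSanitizer(HTMLParser):
    """Re-serialises a fragment keeping only whitelisted tags and attributes.
    Text and attribute values are entity-escaped on the way out; the content
    of a dropped tag still flows through handle_data, so it ends up as text."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:
            return  # unknown tag: dropped entirely
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED[tag]:
                continue  # e.g. style, onmouseover: not on the whitelist
            if name == "href" and not value.strip().lower().startswith(SAFE_SCHEMES):
                continue  # javascript:, data:, vbscript: ... all rejected
            kept.append(' %s="%s"' % (name, html.escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)  # <br/> becomes <br>, no end tag

    def handle_endtag(self, tag):
        if tag in ALLOWED:
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=True))


def sanitize(fragment):
    """Whitelist approach: parse, keep the known-good subset, re-serialise."""
    parser = WhitelistSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)


def only_allowed_tags(markup):
    """Check used on the sanitizer output: every '<' in it opens or closes a
    whitelisted tag, whatever the parser made of a malformed input."""
    return all(name in ALLOWED for _, name in re.findall(r"<(/?)([^\s>]*)", markup))


if __name__ == "__main__":
    print(blacklist_filter(NUL_SPLIT) == NUL_SPLIT)  # blacklist changed nothing
    print(sanitize(CSS_URL))                          # <p>x</p>
    print(only_allowed_tags(sanitize(NUL_SPLIT)))     # True
```

Note that the blacklist leaves the NUL-split tag untouched because its regex is looking for the spelling "script", while the whitelist never has to recognise the attack at all: whatever the parser makes of the malformed tag, it is not in ALLOWED, so it cannot reach the output as markup. The same holds for the style attribute, which is dropped without anyone having to inspect its value.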

It's serious

So as you have seen, it is entirely possible to prevent Cross Site Scripting. It's even easier because most languages supply such functionality; for example, in PHP there is htmlentities() available. Therefore it basically comes down to the laziness of the programmer.
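
For the common case where user input should never carry markup at all, the built-in escaping function is the whole countermeasure. The following is an added example (not code from the post) using Python's html.escape, the counterpart of PHP's htmlentities(); with quote=True it also encodes " and ', which htmlentities() only does with the ENT_QUOTES flag (the default only from PHP 8.1 on). The sample name and body are constructed, and angle_brackets_only implements the insufficient "replace only < and >" rule from the post so the two can be compared in an attribute context.

```python
import html


def escape_text(value):
    """Escape untrusted text for an HTML text node or a quoted attribute value.
    quote=True also encodes double and single quotes (htmlentities + ENT_QUOTES)."""
    return html.escape(str(value), quote=True)


def angle_brackets_only(value):
    """The insufficient rule criticised in the post: only < and > are replaced."""
    return value.replace("<", "&lt;").replace(">", "&gt;")


# Constructed sample (not from the post): a display name and a comment body
# as a user might submit them, including quotes and an ampersand.
SAMPLE_NAME = 'Marc "the" <admin>'
SAMPLE_BODY = "a < b && c > d; it's fine"


def render_comment(name, body):
    """Every untrusted value is escaped at the point of output, whether it lands
    in an attribute (data-author) or in a text node (the paragraph)."""
    return ('<div class="comment" data-author="%s"><p>%s</p></div>'
            % (escape_text(name), escape_text(body)))


def attribute_stays_closed(escaped_value):
    """A value placed inside a double-quoted attribute must not contain a raw
    double quote, otherwise it terminates the attribute early."""
    return '"' not in escaped_value


if __name__ == "__main__":
    print(render_comment(SAMPLE_NAME, SAMPLE_BODY))
    print(attribute_stays_closed(angle_brackets_only(SAMPLE_NAME)))  # False
    print(attribute_stays_closed(escape_text(SAMPLE_NAME)))          # True
```

The point of attribute_stays_closed is that the "<> only" rule looks adequate in a text node and fails as soon as the same value is written into an attribute; full entity encoding of &, <, >, " and ' is correct in both places, which is why escaping everything on output is the default to reach for when no markup is wanted.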

To see what can happen because of XSS vulnerabilities see for example the myspace worm.

A word about JavaScript

Nowadays I often read things like "JavaScript SUCKS!!!". Again, this is simply not true; JavaScript is quite an elegant language once you get used to it. At some point you start to appreciate prototype-based vs. class-based inheritance, the fact that functions are also objects, and its generally functional nature. See for example this Usenet post from Richard Cornford to myself and the many other truly great resources in the comp.lang.javascript FAQ for some advanced JavaScript code. Unfortunately JavaScript is also used for, and therefore associated with, popup ads and other disturbing things.

As I think about it, I will likely post another blog entry about the beauty of JavaScript sometime in the future.

Marc
