tags:

views:

365

answers:

3
+3  Q: 

Measures to prevent XSS vulnerability (like Twitter's one a few days before)

Even famous sites like Twitter are suffering from XSS vulnerability, what should we do to prevent this kind of attack?

A: 

I don't what you write your code with, but if your use asp.net, you are partly covered. asp.net has what they call request validation that when enabled, it prevent malicious script to be introduced via user input.

But sometimes, you'll have to allow some kind of text editor like the one you typed in this question. In this case, you'll have to partly disable request validation to allow some "rich text" html to be input by the end user. In this case you will have to build some kind of white list filtering mechanism.

FYI, I don't know about others but Microsft has library called Anti-Xss.

Vanof  2009-05-03 03:53:15
Chad Grant  2009-05-03 04:22:21
+3  A: 

The #1 Thing you can do is set your cookies to HTTP Only ... which at least protects against session cookie hijacking. Like someone stealing your cookie when you are likely admin of your own site.

The rest comes down to validating all user input.

  • RULE #0 - Never Insert Untrusted Data Except in Allowed Locations
  • RULE #1 - HTML Escape Before Inserting Untrusted Data into HTML Element Content
  • RULE #2 - Attribute Escape Before Inserting Untrusted Data into HTML Common Attributes
  • RULE #3 - JavaScript Escape Before Inserting Untrusted Data into HTML JavaScript Data Values
  • RULE #4 - CSS Escape Before Inserting Untrusted Data into HTML Style Property Values
  • RULE #5 - URL Escape Before Inserting Untrusted Data into HTML URL Attributes

Very lengthy subject discussed in detail here:

http://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

http://www.owasp.org/index.php/Cross_site_scripting

XSS is only one of many exploits and every web dev should learn the top 10 OWASP by heart imho

http://www.owasp.org/index.php/Top_10_2007

Chad Grant  2009-05-03 04:13:59
A: 

Just like you can make SQL injection a non-issue by using prepared statements, you can make XSS non-issue by using templating engine (DOM serializer) that does similar thing.

Design your application so that all output goes via templating engine. Make that templating engine HTML-escapes all data by default. This way you'll have system that's secure by default and does not rely on humans (and rest of the large system) being diligent in escaping of HTML.

porneL  2009-05-25 20:32:31

related questions

Why does this remote script cause IE6 to hang?
HTTP input filter like mod_security for WebSphere?
Should I sanitize HTML markup for a hosted CMS?
HTML/Javascript app that runs on the filesystem, security issue
Gracefully closing a frame (toolbar) around an iframe
What's the best method for sanitizing user input with PHP?
How do you htmlencode using html agility pack?
XSS Blacklist - Is anyone aware of a reasonable one?
Do htmlspecialchars and mysql_real_escape_string keep my PHP code safe from injection?
What percentage of my time will be spent in user input verfication during web development?
How do you allow the usage of an <img> while preventing XSS?
What are the best practices for avoid xss attacks in a PHP site
How do use fckEditor safely, without risk of cross site scripting?
Will HTML Encoding prevent all kinds of XSS attacks?
Inform potential clients about security vulnerabilities?
Best Practice: Legitimate Cross-Site Scripting
Access to restricted URI denied code: 1012
How do you set up use HttpOnly cookies in PHP
When is it Best to Sanitize User Input?
How exactly do you configure httpOnlyCookies in ASP.NET?
How do you configure HttpOnly cookies in tomcat / java webapps?
Communicating between websites (using Javascript or ?)
Best regex to catch XSS (Cross-site Scripting) attack (in Java)?
Sanitising user input using Python
Catching SQL Injection and other Malicious Web Requests