Beefy Boxes and Bandwidth Generously Provided by pair Networks
P is for Practical
 
PerlMonks  

OT: Cross-site Scripting - Articles and Tools

by grep (Monsignor)
on May 13, 2002 at 01:07 UTC ( #166063=perlmeditation: print w/ replies, xml ) Need Help??

Last week's (May, 6th 2002) Security Adviser article in InfoWorld was near and (not so) dear to my heart and hopefully yours.

Mandy Andress goes over many of the points we have discussed here at the Monastary, and some new points, but also brings it home with some very public examples (eg. eBay, Cybercash, VeriSign).

She also directly mention sites like here (sites for coders) where preventing CSS attacks, becomes a game of balance between your user's freedom and thier security. Hat's off to the developers here for working on that balance.

There are some other interesting links in her article

  • cross_site_scripting.archive.html - This page details sites who are open to CSS attacks *including AOL, and Real.com* this page is run by SkyLined a self professed h4x0r
  • community.whitehatsec.com - Who has just released thier Linux-based WhiteHat Arsenal 1.05 test suite for profiling your site against CSS attacks
  • Hopefully this article shows to all that this problem is not going away. So if you developing a website and take user input to be displayed. You should read this.



    grep
    Unix - where you can throw the manual on the keyboard and get a command

    Comment on OT: Cross-site Scripting - Articles and Tools
    Re: OT: Cross-site Scripting - Articles and Tools
    by cLive ;-) (Parson) on May 13, 2002 at 08:07 UTC
      < s c r i p t   l a n g u a g e = " J a v a s c r i p t " > a l e r t ( " I   s e e   w h a t   y o u   m e a n " ) < / s c r i p t >

      cLive ;-)

      apologies - this is probably the geekiest joke I've ever tried to make...

        tee hee hee...
        foreach( split / /, "< s c r i p t " ."  l a n g u a g e " ."= " J a v a s c r i +" ."p t " > a l e r t " ."( " I   s e e   w h + " ."a t   y o u   m e " ."a n " ) < / s c r i +" ."p t >"){ /(\d+)/; print chr( $1 ); }

        Update: to clarify that this is to interpret Re: OT: Cross-site Scripting - Articles and Tools. The &#...?; stuff is cLive ;-)'s, not mine.

    Re: OT: Cross-site Scripting - Articles and Tools
    by greenFox (Vicar) on May 13, 2002 at 10:48 UTC
    Re: OT: Cross-site Scripting - Articles and Tools
    by cjf (Parson) on May 13, 2002 at 11:20 UTC

      Usually when people talk about cross-site scripting attacks they refer to someone posting malicious code to a website in hopes of exploiting the browser vulnerabilities of other visitors.

      What's often overlooked is using the visitor to submit bad information to a vulnerable script on (or off) the site. This is easily done through adding a link with some extras attached to the query string, or adding a form with a few extra parameters. Maybe those buttons you click on people's homenodes could be sending less than nice stuff to certain scripts?

      Of course, if everyone was adequately paranoid and Didn't trust user input, this wouldn't be as big of a problem as it is.

    Log In?
    Username:
    Password:

    What's my password?
    Create A New User
    Node Status?
    node history
    Node Type: perlmeditation [id://166063]
    Approved by rob_au
    help
    Chatterbox?
    and the web crawler heard nothing...

    How do I use this? | Other CB clients
    Other Users?
    Others about the Monastery: (6)
    As of 2014-07-10 23:28 GMT
    Sections?
    Information?
    Find Nodes?
    Leftovers?
      Voting Booth?

      When choosing user names for websites, I prefer to use:








      Results (217 votes), past polls