Thanks Michael - that helps clear things up for me.

B

On Feb 8, 2008, at 8:40 AM, Michael Peters wrote:

Barry Moore wrote:

Basically one version of an XSS attack would be for me to enter
javascript code into a form on your web page.  Then if you include my
form submission in other web pages then my javascript could execute on
any other user's machine that subsequently loaded those tainted pages.
My JS code could do anything that they could do, including contacting your server on behalf of them and sending data back to my server. Is this correct?

Yes. This is what XSS means. There are variations on this, but it's basically
the same thing.

Then the rationale for you to html escape any input that comes from me
and any other user is because that escaping would render the JS code
inoperable.  Is that correct?

Yes. Imagine you have a form that asks me a survey question and I enter my name as:
  Michael <script>alert("p0wnd!")</script> Peters.

Then you log into the admin side of your application and see my survey result. You will get p0wnd. Now imagine that instead of doing a simple alert() I inserted a <script> tag that pulls in some JS from my own server which adds some helpful (to me, not you) methods into your page that makes it really easy for me to get your cookie information and then sends it back to my server. Now I can
log in to your admin side and do whatever I want.

So then is it safe to assume that if the data from your form never gets
sent back to other users (i.e. it only gets analyzed by your server -
such as a search form) or if you check for JS code in some other way,
then that would also prevent this form of XSS?

No. Imagine this scenario: I use your search form and input some malicious Javascript. Now I can steal my own information. Not really useful... yet. I
create a URL that will take me to that results page. Something like
http://coolsite.com/search?term=%3Cscript%3Ealert(%22p0wnd!%22)%3C%2Fscript%3E and I post it in some forum or email group (like this one) and people click on
it. Now I have their information.

--
Michael Peters
Developer
Plus Three, LP


#####  CGI::Application community mailing list  ################
##                                                            ##
##  To unsubscribe, or change your message delivery options,  ##
##  visit:  http://www.erlbaum.net/mailman/listinfo/cgiapp    ##
##                                                            ##
##  Web archive:   http://www.erlbaum.net/pipermail/cgiapp/   ##
##  Wiki:          http://cgiapp.erlbaum.net/                 ##
##                                                            ##
################################################################
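The two scenarios Michael describes, the stored survey name and the reflected search term, as an added example that is not part of the thread: the same output-escaping fix neutralises both, and the search case shows that never storing the input is not enough. The template strings and the `contains_script_tag` check are assumptions made for the demonstration; the inputs are the ones from the thread.

```python
# Added example (not from the thread): escaping on output is needed for both
# stored input (the survey name) and reflected input (the search term).
import html
from urllib.parse import urlsplit, parse_qs

# Constructed inputs, taken from the two scenarios in the thread.
SURVEY_NAME = 'Michael <script>alert("p0wnd!")</script> Peters'
SEARCH_URL = 'http://coolsite.com/search?term=%3Cscript%3Ealert(%22p0wnd!%22)%3C%2Fscript%3E'

# Assumed page templates; a CGI::Application handler would use its own.
SURVEY_TEMPLATE = "<tr><td>Name</td><td>{value}</td></tr>"
SEARCH_TEMPLATE = "<h1>Results for {value}</h1>"

def search_term_from_url(url: str) -> str:
    """Decode the 'term' parameter the way a search handler would receive it."""
    query = parse_qs(urlsplit(url).query)
    return query.get("term", [""])[0]

def render_unescaped(template: str, value: str) -> str:
    """The vulnerable pattern: user data is pasted straight into the HTML."""
    return template.replace("{value}", value)

def render_escaped(template: str, value: str) -> str:
    """The fix: HTML-escape on output, so < > & " ' become entities."""
    return template.replace("{value}", html.escape(value, quote=True))

def contains_script_tag(page: str) -> bool:
    """Crude check (assumed) to show whether a rendered page carries a live script tag."""
    return "<script" in page.lower()

def stored_xss_demo() -> tuple[bool, bool]:
    """Stored case: the admin page that displays the survey result (unescaped, escaped)."""
    return (contains_script_tag(render_unescaped(SURVEY_TEMPLATE, SURVEY_NAME)),
            contains_script_tag(render_escaped(SURVEY_TEMPLATE, SURVEY_NAME)))

def reflected_xss_demo() -> tuple[bool, bool]:
    """Reflected case: the results page echoes the search term back (unescaped, escaped)."""
    term = search_term_from_url(SEARCH_URL)
    return (contains_script_tag(render_unescaped(SEARCH_TEMPLATE, term)),
            contains_script_tag(render_escaped(SEARCH_TEMPLATE, term)))

if __name__ == "__main__":
    print("stored    (unescaped, escaped):", stored_xss_demo())     # (True, False)
    print("reflected (unescaped, escaped):", reflected_xss_demo())  # (True, False)
```

Escaping at the point where untrusted data is written into HTML is what makes both results come out as `(True, False)`; checking for "JS code" on input is not what closes the hole.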


