At 09:29 PM 9/8/2002 -0700, you wrote:
>If you are not familiar with what I mean by cross site scripting (XSS), here
>are two links with information about it:
>
>    http://www.cgisecurity.com/articles/xss-faq.shtml
>
>    http://www.cert.org/advisories/CA-2000-02.html
>
>According to the first FAQ above, some of the things that should be done to
>protect your web application are:
>
>     "Never trust user input and always filter metacharacters. This will
>eliminate the majority of XSS attacks. Converting < and > to &lt; and &gt;
>is also suggested when it comes to script output. Remember XSS holes can be
>damaging and costly to your business if abused. Often attackers will
>disclose these holes to the public, which can erode customer and public
>confidence in the security and privacy of your organization's site.
>Filtering < and > alone will not solve all cross site scripting attacks and
>it is suggested you also attempt to filter out ( and ) by translating them
>to &#40; and &#41;, and also # and & by translating them to &#35 (#) and
>&#38 (&)."

Mike,

I've studied this a bit when I made an XSS filter for Expresso, and came 
across the following situations.

-I could never get browsers to properly render #, (, ), and ', so I ended 
up having to bail on having them replaced with the appropriate character 
entity.  If somebody has a way of getting it to work, I'd really appreciate 
hearing what they said.  I DID get double quotes properly filtered.

-You don't ALWAYS want to filter the input parameters.  If, for example, the 
company name in a registration app was Mike & Ike, Inc., you'd want to 
write to the underlying database "Mike & Ike, Inc.", NOT "Mike &amp; Ike, 
Inc."  The reason is simple: if you read the database with a non-web 
browser application, then the data may be messed up.

-However, you DO want to filter the data you are sending to the browser.  In 
this case, you DO want the company name to be rendered "Mike & Ike, Inc." 
in most cases.

So in this case, Struts does a reasonable job of transforming the 
output.  I made the mistake in my own design of filtering all data read 
from a data source... which worked nicely and transparently for the user, but 
may cause problems if you want to read and send the data through, for 
example, a web service instead of a JSP page.

Hope this clarifies the issue.  Granted, there has been very little 
attention to XSS, which causes many people to write vulnerable 
applications.  I appreciate you piping up asking questions about it.

                                                 -Mike
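The design point in the message above (store the raw value, escape only at the output boundary, and note what goes wrong if you escape on the way into the database) as an added example. This is illustrative code written for this page, not code from the original thread, from Expresso or from Struts; the `Registry` class stands in for the registration app's database and is an assumption. The escape table uses the named entities for the standard HTML metacharacters plus numeric character references for #, ( and ) as the quoted FAQ recommends, written with the terminating semicolon that the FAQ's `&#35` and `&#38` omit.

```python
"""Escape at the output boundary, keep stored data raw.

Added example, not code from the original thread, Expresso or Struts.
Assumption: a dict-backed Registry stands in for the registration database.
"""
import html
import json

# Characters rewritten when a raw value is placed into an HTML document.
# The standard five plus the extra ones the quoted FAQ suggests, as numeric
# character references WITH the terminating semicolon.
HTML_ESCAPES = {
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    '"': "&quot;",
    "'": "&#39;",
    "#": "&#35;",
    "(": "&#40;",
    ")": "&#41;",
}


def escape_html(value: str) -> str:
    """Encode a raw string for insertion into HTML text or a quoted attribute."""
    return "".join(HTML_ESCAPES.get(ch, ch) for ch in value)


def displayed_text(fragment: str) -> str:
    """What a browser shows for an escaped fragment: the references decoded."""
    return html.unescape(fragment)


class Registry:
    """Stand-in for the registration app's database (assumed, not real code).

    Values are stored exactly as typed; no escaping happens here.
    """

    def __init__(self) -> None:
        self._rows: dict[int, str] = {}

    def register(self, company_id: int, company_name: str) -> None:
        # No filtering on input: the database holds "Mike & Ike, Inc." as is.
        self._rows[company_id] = company_name

    def raw(self, company_id: int) -> str:
        return self._rows[company_id]

    def to_json(self, company_id: int) -> str:
        # A web-service consumer gets the raw value; JSON does its own quoting.
        return json.dumps({"company": self._rows[company_id]})

    def to_html(self, company_id: int) -> str:
        # The browser gets the escaped value; this is the one place XSS is stopped.
        return f"<td>{escape_html(self._rows[company_id])}</td>"


def filter_on_input_then_render(company_name: str) -> str:
    """The mistake described in the message: escape while storing, then the
    output layer (Struts, a JSP filter, this function) escapes again.

    The browser ends up displaying the literal text "&amp;".
    """
    stored = escape_html(company_name)      # what would land in the database
    return f"<td>{escape_html(stored)}</td>"  # double-encoded on the way out


if __name__ == "__main__":
    reg = Registry()
    reg.register(1, "Mike & Ike, Inc.")                       # constructed input
    reg.register(2, '<script>alert("x")</script>')            # constructed payload
    print(reg.raw(1))            # Mike & Ike, Inc.
    print(reg.to_json(1))        # {"company": "Mike & Ike, Inc."}
    print(reg.to_html(1))        # <td>Mike &amp; Ike, Inc.</td>
    print(reg.to_html(2))        # no executable markup reaches the page
    print(displayed_text(reg.to_html(2)))
    print(filter_on_input_then_render("Mike & Ike, Inc."))  # the double-encoding bug
```

The round trip `displayed_text(escape_html(v)) == v` is the check worth keeping in a unit test: it confirms the encoding is lossless for the user while `escape_html` guarantees that no `<`, `"` or `(` from the raw value survives into the markup. The web-service path (`to_json`) never touches `escape_html`, which is the separation the message argues for.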

