Ravens PHP Scripts: Forums
 

 

View next topic
View previous topic
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Security - Other
Author Message
Raven
Site Admin/Owner



Joined: Aug 27, 2002
Posts: 17088

PostPosted: Tue Mar 25, 2008 3:39 pm Reply with quote

Here are some highlights from a most excellent paper on cross-site scripting a.k.a. XSS. Be sure to read the full paper at TechRepublic: What is cross-site scripting

What Is Cross-Site Scripting

Chad Perrin - March 18th, 2008 wrote:
Cross-site scripting, also known as “XSS,” is a class of security exploit that has gotten a fair bit of attention in the last few years. Many users, and even Web developers, aren’t entirely clear on what the term means, however. I’ll explain cross-site scripting for you, so you will know where the dangers lie.


Types of cross-site scripting

Chad Perrin - March 18th, 2008 wrote:
There are currently three major categories of cross-site scripting. Others may be discovered in the future, however, so don’t think this sort of misuse of Web page vulnerability is necessarily limited to these three types: Reflected, Stored, and Local.


Protection Against Cross-Site Scripting

Chad Perrin - March 18th, 2008 wrote:
The most comprehensive way to protect your Web design from being exploited by cross-site scripting is to translate any and all special characters in user-provided input — even in URLs — into display entities, such as HTML entities. This applies not only to server-side code like PHP, Perl, and ASP.NET code, but also JavaScript that works with any user-provided input as well. This may interfere with the operation of Websites where users expect to be able to use HTML and XHTML in their input, such as for Website design helper applications — in which case more complex code may be needed to protect against malicious code. Such fine-grained filtering is just one side of an arms race against malicious security crackers, however, and cannot reasonably be 100% effective.


Protection Against Cross-Site Scripting

Chad Perrin - March 18th, 2008 wrote:
The single most effective means of avoiding cross-site scripting in Web development, however, is to design your website so that it does not require client-side code at all. That way, if your users want to turn off the JavaScript interpreters in their browsers, they can do so without losing the ability to make use of your Website. This does not protect against all forms of potential malicious input to your server, of course, and it does not actually limit the vulnerability of your website all by itself — but it does give visitors to your website the option of protecting themselves.
 
View user's profile Send private message
kguske
Site Admin



Joined: Jun 04, 2004
Posts: 6432

PostPosted: Wed Mar 26, 2008 6:13 am Reply with quote

Very interesting - thanks!

_________________
I search, therefore I exist...
nukeSEO - nukeFEED - nukePIE - nukeSPAM - nukeWYSIWYG
 
View user's profile Send private message
montego
Site Admin



Joined: Aug 29, 2004
Posts: 9457
Location: Arizona

PostPosted: Wed Mar 26, 2008 7:29 pm Reply with quote

Of course, like probably many of you, I have about 4 - 5 different books in various stages of "read"... lol... One of the 4 that I currently have cracked open is "Cross Site Scripting Attacks: XSS Exploits and Defense" by Grossman, Hansen, Petkov, Rager and Fogie...

Excellent read if you get a chance.

_________________
Where Do YOU Stand?
HTML Newsletter::ShortLinks::Mailer::Downloads and more... 
View user's profile Send private message Visit poster's website
Display posts from previous:       
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Security - Other

View next topic
View previous topic
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum


Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours
 
Forums ©