Security Basics mailing list archives
RE: XSS vulnerability
From: "Anthony Cicalla" <Anthony.Cicalla () hackersafe com>
Date: Fri, 14 Dec 2007 11:44:52 -0500
I would start with www.owasp.org which is open web application security project. Download Webgoat and get started. Also look at ha.ckers.org they have an xss cheat sheet. XSS or cross site scripting has to deal with inserting some scripting language into a parameter that has not been passed through proper input validation before the data is used. There are two ways that I presently know how to deal with this. Fix your code if you don't validate input from the client or get an application level firewall to prevent the attacks. Anthony -----Original Message----- From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Heng Kuo Kuang Kelvin NCS Sent: Thursday, December 13, 2007 6:55 PM To: security-basics () securityfocus com Subject: XSS vulnerability Hi, I tried to google for XSS vulnerability, how to hack, how to prevent, etc. However, I have no any meaningful information for me to work with. Actually, I am supposed to address some XSS vulnerability on some of the in-house application developed by 3rd party vendor. My web server is already patched to its latest version, however the coding in the application is subjected to XSS vulnerability, I would like to do something about it rather than waiting for the application developer to rewrite the application. Can anyone of you help me by giving me some guidance? 1) What kind of pattern will I be able to pick up from my web server logs to show that there is XSS attacks against my web server? 2) How can I prevent XSS from attacking my web servers [Apache, Sun One, IIS 5 & 6] without having to change the application coding? 3) How can I test for XSS vulnerability on my web servers? Any information will be greatly appreciated. Thanks in advance Regards, Kelvin Heng
Current thread:
- XSS vulnerability Heng Kuo Kuang Kelvin NCS (Dec 14)
- RE: XSS vulnerability Anthony Cicalla (Dec 14)
- Re: XSS vulnerability Ankur Jindal (Dec 14)
- Re: XSS vulnerability Albert R. Campa (Dec 14)
- RE: XSS vulnerability Marco M. Morana (Dec 17)