Bugtraq mailing list archives
Re: 'cross site scripting' defenses
From: flynngn () JMU EDU (flynngn () JMU EDU)
Date: Sun, 6 Feb 2000 18:32:15 -0500
I was thinking of ways that the vulnerabilities could be taken advantage of to use as examples. It seems that by following a few minor design rules and one minor usage rule, a lot of the problem can be contained until the core deficiencies in code can be fixed. At least in sites which require a login.

I base these rules on the assumption that script can only be injected into the first page of a web application and that there is only a single entry point (i.e. web page) into the application. I also assume that a user isn't tricked into performing an entire web application transaction on a hostile site.

Those rules are:

1) Don't include anything on the login screen except fields for username and password. Doing this would seem to help insure that if script is injected, the login will fail.

2) Don't return any user supplied data to the browser on a failed login. This is so if some script code is injected into the username and password fields, it won't be returned to the browser when the corrupted authentication information causes the login to fail.

3) Encourage users to "logout" of a web application before browsing elsewhere.

Am I thinking right?

Gary Flynn
Security Engineer
James Madison University
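The two server-side rules above (a login page that carries nothing but the credential fields, and a failed login that never echoes what was typed) can be checked mechanically. The following is an added example, not code from the post or from JMU: a minimal login handler whose failure response is a constant string, whose success response shows only the verified username after HTML escaping, and a small review helper that reports whether any submitted value was reflected into a response. The user store, salt, hashing choice and all function names are constructed for the example.

```python
"""Login handling that follows the two server-side rules from the post.

Rule 1: the login page is a static form with only username and password.
Rule 2: a failed login returns a fixed body that contains no request data.
On success the only user-derived value shown is the username that matched
the store, and it is HTML-escaped as a second layer of defense.
Everything below (store, salt, names) is constructed for this example.
"""
import hashlib
import hmac
import html

# Constructed credential store: username -> (salt, PBKDF2-SHA256 hash).
_SALT = b"constructed-salt-for-demo"


def _hash(password: str, salt: bytes = _SALT) -> bytes:
    """Slow salted hash; parameters are demo values, not a recommendation."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


USERS = {"alice": (_SALT, _hash("correct horse battery"))}

# Rule 1: the form is a constant; nothing from the request is interpolated.
LOGIN_FORM = (
    '<form method="post" action="/login">'
    '<input name="username" type="text">'
    '<input name="password" type="password">'
    '<input type="submit" value="Log in">'
    "</form>"
)

# Rule 2: the failure body is a constant; it never includes submitted data.
FAILED_LOGIN = "<p>Login failed.</p>" + LOGIN_FORM


def render_login_page() -> str:
    """Serve the login screen (rule 1)."""
    return LOGIN_FORM


def credentials_valid(username: str, password: str) -> bool:
    """Verify a credential pair against the constructed store."""
    record = USERS.get(username)
    if record is None:
        # Hash anyway so response time does not reveal which usernames exist.
        _hash(password)
        return False
    salt, stored = record
    return hmac.compare_digest(_hash(password, salt), stored)


def handle_login(username: str, password: str) -> tuple[int, str]:
    """Return (status, html body) for a login attempt.

    Failure: constant body (rule 2).  Success: the username is known to equal
    a key of USERS, so it is trusted data, but it is still escaped.
    """
    if not credentials_valid(username, password):
        return 401, FAILED_LOGIN
    return 200, f"<p>Welcome, {html.escape(username)}.</p>"


def reflects_input(response_body: str, *submitted: str) -> bool:
    """Review helper: True if any non-empty submitted value appears verbatim
    in the response body, which is exactly what rule 2 is meant to prevent."""
    return any(value and value in response_body for value in submitted)


if __name__ == "__main__":
    status, body = handle_login("<b>not-a-user</b>", "guess")
    print(status, "reflected:", reflects_input(body, "<b>not-a-user</b>", "guess"))
    print(*handle_login("alice", "correct horse battery"))
```

The `reflects_input` helper is the kind of assertion worth keeping in a test suite: it fails the build the moment someone adds a "welcome back, {username}" hint to the failure page.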