WebApp Sec mailing list archives
Re: Fixing XSS Vulns
From: Tim <tim-security () sentinelchicken org>
Date: Sat, 13 Aug 2005 09:50:46 -0400
To my way of thinking, you ultimately can't get out of taking data at all input borders and immediately decoding to the application's internal representation, then only encoding just before crossing output borders, and *only* doing the appropriate encoding for the needed representation for the output, and then ensuring that each distinct component does this properly. One implication for design might be to keep all "cross-border" transactions as centralized as possible, but I don't know how easy this can be done in practice. Not sure if this paragraph makes sense, so I apologize ahead of time.
I think this is dead on. In the broad sense of preventing all types of injection attacks (whether it be XSS, SQL injection, shell injection, HTTP Response Splitting, mail header injection, etc) this is how you have to think about coding your applications. I firmly believe that this approach to encoding/decoding should come first, and then when you can, validate input from users as much as you can. Why not focus on validation first? Because some data *you just can't validate*. Sometimes special characters just have to be allowed into an application, based on functional requirements. You shouldn't pit your security controls against your functional requirements, because you know security will always lose that battle. Not to say validation isn't bad. You should always validate based on your datatypes, but sometimes those datatypes will be blobs, and all you can do then is quote/encode/escape. tim
Current thread:
- Fixing XSS Vulns wilsonc (Aug 12)
- Re: Fixing XSS Vulns Petko Petkov (Aug 12)
- Re: Fixing XSS Vulns RSnake (Aug 12)
- Re: Fixing XSS Vulns Tim (Aug 12)
- Re: Fixing XSS Vulns Stephen de Vries (Aug 12)
- RE: Fixing XSS Vulns yeesan wong (Aug 14)
- <Possible follow-ups>
- RE: Fixing XSS Vulns Smith, Johnathon (KEYPEOPLE RESOURCES INC) (Aug 12)
- Re: Fixing XSS Vulns Steven M. Christey (Aug 12)
- Re: Fixing XSS Vulns Tim (Aug 13)
- RE: Fixing XSS Vulns Jeff Robertson (Aug 12)
- RE: Fixing XSS Vulns Cyrill Osterwalder (Aug 15)