WebApp Sec mailing list archives
RE: Fixing XSS Vulns
From: "Cyrill Osterwalder" <cyrill.osterwalder () seclutions com>
Date: Mon, 15 Aug 2005 09:42:40 +0200
wilsonc wrote:
> I'm not a security expert, but I did some googling and found that the standard procedure is basically to "encode" the string before displaying it to the user.
There is one issue I'd like to add to the already advanced discussion: Contrary to what is widely assumed, the most critical XSS vulnerabilities are *NOT* in HTML text that is readable to the user. Make sure that you also secure all dynamic echo of non-visible elements. This is where most Web developers forget to implement security mechanisms. I'm talking about:

- dynamic URLs/HREFs that include any kind of externally modifiable input (e.g. index numbers, keys, string elements)
- hidden fields that contain any kind of externally modifiable input (e.g. last search term, basket index, etc.)
- any kind of externally modifiable input that shows up ANYWHERE in javascript
- and there's a lot more... ;-)

Please make sure that you do not only take visible HTML echoes into account but all possible HTML source echoes. An attacker analyzes all HTML source output for possible echoes, not just what he sees. And there are by far more of those out there than visible ones.

Best regards
Cyrill Osterwalder
Chief Technology Officer
Seclutions AG
http://www.seclutions.com
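As an added illustration (not part of the original thread), the three non-visible echo contexts named above rendered once with a hypothetical "visible text only" encoder and once with context-specific encoding; the sample inputs, function names and markup are constructed for this example.

```python
import html
import json
from urllib.parse import quote

# Constructed sample inputs: user-supplied values echoed into non-visible markup.
LAST_SEARCH = 'shoes" x="'     # ends up in a hidden field's value attribute
BASKET_KEY = "</script><b>"    # ends up inside an inline script block
ITEM_ID = "42&sort=desc"       # ends up inside a query-string parameter of an href

def naive_encode(value: str) -> str:
    """Hypothetical encoder that only handles the characters visible HTML text cares about."""
    return value.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")

def encode_for_attr(value: str) -> str:
    """Quoted attribute context (hidden fields, href=...): quotes must be encoded as well."""
    return html.escape(value, quote=True)

def encode_for_url_param(value: str) -> str:
    """Query-string parameter context: percent-encode everything that is not unreserved."""
    return quote(value, safe="")

def encode_for_js(value: str) -> str:
    """Inline <script> context: JSON-encode, then hex-escape the characters the HTML parser
    acts on, since the HTML parser closes the block at '</script>' before JavaScript runs."""
    encoded = json.dumps(value)
    return encoded.replace("<", "\\u003c").replace(">", "\\u003e").replace("&", "\\u0026")

def render_hidden_naive(last_search: str) -> str:
    # The naive encoder leaves the double quote alone, so the value ends the attribute early.
    return f'<input type="hidden" name="last" value="{naive_encode(last_search)}">'

def render_hidden_safe(last_search: str) -> str:
    return f'<input type="hidden" name="last" value="{encode_for_attr(last_search)}">'

def render_link(item_id: str) -> str:
    # Encode for the URL first, then for the attribute the URL sits in (inner context first).
    return f'<a href="/item?id={encode_for_attr(encode_for_url_param(item_id))}">item</a>'

def render_script(basket_key: str) -> str:
    return f"<script>var basket = {encode_for_js(basket_key)};</script>"

if __name__ == "__main__":
    for fragment in (render_hidden_naive(LAST_SEARCH), render_hidden_safe(LAST_SEARCH),
                     render_link(ITEM_ID), render_script(BASKET_KEY)):
        print(fragment)
```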
Current thread:
- Fixing XSS Vulns wilsonc (Aug 12)
- Re: Fixing XSS Vulns Petko Petkov (Aug 12)
- Re: Fixing XSS Vulns RSnake (Aug 12)
- Re: Fixing XSS Vulns Tim (Aug 12)
- Re: Fixing XSS Vulns Stephen de Vries (Aug 12)
- RE: Fixing XSS Vulns yeesan wong (Aug 14)
- <Possible follow-ups>
- RE: Fixing XSS Vulns Smith, Johnathon (KEYPEOPLE RESOURCES INC) (Aug 12)
- Re: Fixing XSS Vulns Steven M. Christey (Aug 12)
- Re: Fixing XSS Vulns Tim (Aug 13)
- RE: Fixing XSS Vulns Jeff Robertson (Aug 12)
- RE: Fixing XSS Vulns Cyrill Osterwalder (Aug 15)