Re: XSS And Headers...

["Roland Postle" <mail () blazde co uk>]

> There used to be alot of discussion about XSS, cross-site scripting where
> you can insert html into pages that are viewed by many ppl and steal
info...
> most of these sites (e.g. a bulletin board) have been updated to protect
> this behaviour...
>
> however, i've noticed that many do not cover headers..


What your talking about seems pretty similar to the "Sonicwall SOHO Content
Blocking Script Injection, LogFile Denial of Service"
(http://online.securityfocus.com/archive/82/272965).

Given that ...
a) It's only a problem where the admin views logs in html.
b) Generally script injection can come from any number of sources, html
forms, the http request, the request header, an email, a newsgroup post, an
identd response/request, infact anywhere you don't trust and most places you
do trust.
.. then, imo, it's much better to worry about XSS when you're writing the
dynamic page that it might appear in, not when receiving the potentially
malicous input. There's no harm storing some javascript in a database or
whatever, just so long as you filter it before it appears in anyone's
browser.

Ofc, that doesn't mean that's how people have been sureing up their dynamic
sites so, yes,  there's undoubtably more vulnerable admin logs out there.

- Blazde