Cross Site Scripting

  • Shabam

    Cross Site Scripting

    I have an application that allows users to input certain html tags via a
    markup code (like ""). The
    application then translates that into real html for output. I've also had
    the application translate "<" to "&lt;" and ">" to "&gt;" to prevent direct
    html input by the user.

    By doing this I basically allow users to input certain html tags, while not
    giving them full permission to mess with the site.

    However, I was made aware of cross-site scripting flaws which allow a user
    to input something like "[img]javascript:alert(document.cookie)[/img]".
    This would be translated into
    "<img src="javascript:alert(document.cookie)">", which obviously is not good.

    My question is, besides this javascript string, what others are there to
    filter for, to prevent this type of attack?


  • Andrew Thompson

    #2
    Re: Cross Site Scripting

    On Wed, 29 Sep 2004 04:59:52 -0700, Shabam wrote:
    > I have an application that allows users to input certain html tags via a
    > markup code (like ""). ...

    Try..
    (like "")

    > My question is, besides this javascript string, what others are there to
    > filter for, to prevent this type of attack?

    The possibilities for abuse of such a system (from any
    number of script or non-script sources) are extraordinary.

    Beyond an attentive moderator or pre-screening content, I
    can really see no way to 'seal all the security holes',
    ...beyond removing the site from the internet.

    I will be interested to see what other people might suggest though.

    --
    Andrew Thompson
    http://www.PhySci.org/codes/ Web & IT Help
    http://www.PhySci.org/ Open-source software suite
    http://www.1point1C.org/ Science & Technology
    http://www.lensescapes.com/ Images that escape the mundane


    • Shabam

      #3
      Re: Cross Site Scripting

      > Try..
      > (like "")

      What's this got to do with my question? Mine is one of technical filtering,
      not content filtering.

      > The possibilities for abuse of such a system (from any
      > number of script or non-script sources) are extraordinary.
      >
      > Beyond an attentive moderator or pre-screening content, I
      > can really see no way to 'seal all the security holes',
      > ..beyond removing the site from the internet.

      So all of the web forums out there employing vBulletin, UBB, etc. They're
      all prone to such attacks right? If that's the case they'd all be out of
      business by now.

      It would be nice if you could show some code exploits to illustrate your
      point.



      • Jim Ley

        #4
        Re: Cross Site Scripting

        On Wed, 29 Sep 2004 06:35:30 -0700, "Shabam" <blislecp@hotmail.com>
        wrote:
        >So all of the web forums out there employing vBulletin, UBB, etc. They're
        >all prone to such attacks right? If that's the case they'd all be out of
        >business by now.

        No, they have lots of heuristics - making sure it starts http://, making
        sure script isn't allowed, making sure everything's encoded - they're
        not perfect, and there's always moderators eventually - people
        generally aren't as bad as you think...

        Jim.

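The heuristics named in the last reply (the URL must start with http://, no script, everything encoded) can be written as an allowlist rather than a list of strings to filter. This is an added example, not code from any poster or forum product; the function names `safe_img_url` and `render_post` and the sample URLs are assumptions made for illustration.

```python
import html
import re
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}   # allowlist, not a list of bad strings
IMG_TAG = re.compile(r"\[img\](.*?)\[/img\]", re.IGNORECASE | re.DOTALL)
# Characters that never belong in a URL we are about to place in an attribute.
UNSAFE_CHARS = re.compile(r"[\x00-\x20\x7f\"'<>\\`]")


def safe_img_url(raw):
    """Return raw if it is an absolute http(s) URL with a host, else None."""
    if UNSAFE_CHARS.search(raw):
        return None
    try:
        parts = urlsplit(raw)
    except ValueError:          # malformed authority, e.g. unbalanced brackets
        return None
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
        return None
    return raw


def render_post(text):
    """Escape all user text; emit <img> only for tags that pass the check."""
    out, pos = [], 0
    for m in IMG_TAG.finditer(text):
        out.append(html.escape(text[pos:m.start()], quote=True))
        url = safe_img_url(m.group(1))
        if url is None:
            # Rejected tag stays visible as inert, escaped text.
            out.append(html.escape(m.group(0), quote=True))
        else:
            out.append('<img src="%s" alt="">' % html.escape(url, quote=True))
        pos = m.end()
    out.append(html.escape(text[pos:], quote=True))
    return "".join(out)


if __name__ == "__main__":
    # Constructed sample posts, including the one quoted in the thread.
    for post in ("[img]http://example.com/a.png[/img]",
                 "[img]javascript:alert(document.cookie)[/img]",
                 "<b>hello</b> [img]https://example.com/a.png?x=1&y=2[/img]"):
        print(render_post(post))
```

Because the URL is checked against what is allowed and then attribute-encoded, a value with any other scheme, no host, or quote and whitespace characters is left as escaped text instead of becoming markup.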