Dependent Origination

XSS and fixes

Posted on: June 21, 2011

We got a report from a guy who lives in Tokyo on a page of ours that is vulnerable to XSS attacks. It seems he sent multiple emails to different companies on the topic. It is a sure way of securing interviews. I hope he ran a program to find the holes, instead of finding them by hand 🙂

Anyway, despite my two years in a security infrastructure team, I actually got more education on XSS this time. It is a very common security flaw and was taken advantage of fairly early in the history of my ex-employer, so the issue was fixed well ahead of my time and I never really paid any attention to how they solved it.

Now I got the chance to read about it and figure out the best way to make sure it never happens again. It turns out to be very hard to get rid of systematically, short of a full-fledged parser over the code base. The root rule is: never display anything the user typed in as-is. By the same reasoning, nothing read from the database can be displayed directly either, because it may have come from a user in the first place. So it is a problem of proper escaping.

Since output happens in different contexts, HTML and JavaScript being the most common, you cannot pre-escape user input once when it is stored: a value escaped for HTML is still dangerous inside a JavaScript string, and the other way round. The guard has to be at display time, with the escaping routine chosen for the context the value lands in. A naming convention helps: add raw or escaped to the end of your variable names so you can spot a raw value in a display context at a glance. Another help is to make the default safe, for example by HTML-escaping everything at the Apache server or templating layer unless a value is explicitly marked as already escaped. That way, in the worst case we display a bunch of wrong characters, but we never close or open a context unintentionally.
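As an added example (not code from the original post), here is a small Python model of the display-time guard described above: one escaper per output context, a renderer that enforces the raw/escaped naming convention, and a check that reports, per context, whether the context was broken and whether the value came out faithfully. It goes one step beyond the text by also covering JavaScript that lives inside an HTML event-handler attribute, where the browser entity-decodes the attribute before the JS engine runs it, so the value has to be escaped for both layers. The function names, templates and attacker payload are all constructed for this example.

```python
# Added example, not code from the original post: escaping user input per
# output context at display time, with the raw/escaped naming convention
# enforced by the renderer. All names, templates and the payload are
# constructed for this example.
import html
import json
import re

# Constructed attacker input that tries to break out of all three contexts.
PAYLOAD = "\"><img src=x onerror=alert(1)>'; alert(2); //</script>"


def escape_html(value: str) -> str:
    """HTML text and quoted attribute values: encode & < > \" ' as entities."""
    return html.escape(value, quote=True)


def escape_js_string(value: str) -> str:
    """Inside a JavaScript string literal in a <script> block. json.dumps
    backslash-escapes quotes, backslashes and control characters; < > & '
    and the line terminators U+2028/U+2029 are hex-escaped too, so the HTML
    parser can never see '</script>' inside the literal."""
    body = json.dumps(value, ensure_ascii=False)[1:-1]
    return re.sub(r"[<>&'\u2028\u2029]",
                  lambda m: "\\u%04x" % ord(m.group()), body)


def escape_js_in_attribute(value: str) -> str:
    """JavaScript inside onclick="..." and friends: the browser entity-decodes
    the attribute before the JS engine sees it, so escape inside-out,
    JS string escaping first and HTML escaping second."""
    return escape_html(escape_js_string(value))


def render(template: str, **variables: str) -> str:
    """Display-time guard for the naming convention: only variables whose
    name ends in _escaped may be interpolated into a template."""
    for name in variables:
        if not name.endswith("_escaped"):
            raise ValueError(f"refusing to display raw variable {name!r}")
    return template.format(**variables)


T_HTML = "<p>Hello, {name_escaped}</p>"
T_SCRIPT = '<script>var name = "{name_escaped}";</script>'
T_ATTR = "<a onclick=\"greet('{name_escaped}')\">hi</a>"


def _js_string_intact(body: str, quote: str) -> bool:
    """Scan a JS string-literal body the way the lexer would: an unescaped
    closing quote, a raw line terminator, or a literal </script ends it."""
    i = 0
    while i < len(body):
        if body[i] == "\\":
            i += 2                      # backslash escape: skip the next char
            continue
        if body[i] == quote or body[i] in "\n\r\u2028\u2029":
            return False
        i += 1
    return "</script" not in body.lower()


def _decoded(body: str):
    """The value the JS engine would see for a literal body, or None."""
    try:
        return json.loads('"' + body + '"')
    except ValueError:
        return None


def check(value: str, escaped: str) -> dict:
    """Per context: (context still intact?, value displayed faithfully?)."""
    out_html = render(T_HTML, name_escaped=escaped)
    html_ok = out_html.count("<") == T_HTML.count("<")   # no new tag opened
    attr_value = html.unescape(escaped)    # what the browser hands to the JS engine
    return {
        "html_text": (html_ok, html.unescape(escaped) == value),
        "script_string": (_js_string_intact(escaped, '"'),
                          _decoded(escaped) == value),
        "attr_js": ('"' not in escaped and _js_string_intact(attr_value, "'"),
                    _decoded(attr_value) == value),
    }


if __name__ == "__main__":
    for label, esc in [("raw", lambda v: v), ("html", escape_html),
                       ("js", escape_js_string), ("js+html", escape_js_in_attribute)]:
        print(f"{label:8}", check(PAYLOAD, esc(PAYLOAD)))
    try:
        render(T_HTML, name=PAYLOAD)
    except ValueError as e:
        print("naming convention:", e)
```

Run it and exactly one escaper scores (intact, faithful) == (True, True) in each context: HTML escaping for HTML text, JS-string escaping for the script block, and JS-then-HTML for the attribute. The other combinations are the author's "wrong characters" outcome (intact but unfaithful) or a broken context; in particular, HTML-escaped text that is dropped into an onclick handler breaks out again, because the browser undoes the entity encoding first. Note that the naming check only catches a variable that was named honestly; passing raw data under an _escaped name still gets through, which is why the text also asks for a safe default.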

This is the Wikipedia article on cross-site scripting. Here is a page that describes the common guards for dealing with it.
