Dependent Origination

XSS and fixes

Posted on: June 21, 2011

We got a report from a guy who lives in Tokyo on a page of ours that is vulnerable to XSS attacks. Seems he sent multiple emails to different companies on the topic. It is a sure way of securing interviews. I hope he run a program to find the holes, instead of finding them by hand 🙂

Anyway, despite my two years in a security infrastructure team, I actually got more education on XSS this time — it is a very common security flaw and was taken advantaged of fairly early in the history of my ex-employer. So the issue was fixed well ahead of my time and I never really paid any attention to how they solved it.

Now I got the chance to read about it and figure out the best way to make sure it never happens. Turns out it is very hard to systematically get rid of it, barring a full fledged parser of the code base. The root problem is never display anything the user types in. In the same line of thought you cannot display anything directly from the database too. So it is a problem of proper escaping. Since display happens in different contexts, such as html and javascript being the most likely contexts, you cannot pre-escape the user inputs. The guard has to be at the display time. This can be helped by a naming convention — add raw or escaped to the end of your variable names so you can catch them on a glimpse in a display context. Another help is to make sure the default is safe — just html-escape everything from the apache server — this way in the worst case we display a bunch of wrong characters but never closed/opened contexts unintentionally.

this is the wiki article on cross-site scripting. here is a page that describes the common guards of dealing with it.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

June 2011
« May   Jul »


Flickr Photos

%d bloggers like this: