[WEB SECURITY] Cross Site Scripting
Martin O'Neal
martin.oneal at corsaire.com
Fri Sep 21 11:22:15 EDT 2007
> Ultimately, the answer is probably some combination of
> blacklisting, whitelisting, and output encoding, with a
> heavy emphasis on whitelisting.
This is (in most situations) the only comprehensive solution to the
problem. Whilst there are many occasions where an input value will be a
selection from a pre-ordained list box (so you can be 100% definitive
about your whitelisting) there are just as many occasions where an input
value will be a note field, where whitelisting the input validation is
almost no use at all (because any character combination is acceptable,
including [for some applications] examples of working HTML/script etc.).
Ignoring the implicit non-validation issues:
- Whitelist what you can.
- Fish out deliberate attacks with a blacklist (generate an audit
message & revoke the session).
- Always encode output for the target vector.
- Nuke the site from orbit. It's the only way to be sure.
Martin...