[WEB SECURITY] The future of XSS attacks

MustLive mustlive at websecurity.com.ua
Wed Jan 27 16:55:18 EST 2010


Hello Chris!

Thanks for pointing out ESAPI4JS.

I'm not a fan of any framework and I'm not using any framework, neither for
web development nor for security of web applications and web sites, but I
wish you good luck with your project.

Regarding your example of mitigating DOM Based XSS attacks using ESAPI4JS,
I'll note that it looks too complex and time consuming. For this reason it's
not a very effective solution for this particular case, in comparison with
self-made solutions (for fixing both the XSS hole in the example page and
any other XSS holes). E.g. I see two methods of fixing the hole in the
example page without using ESAPI4JS (which will be less complex and less
time consuming). I just like to use my own solutions, not some frameworks :-).

P.S.

In comments to my article The future of XSS attacks
(http://websecurity.com.ua/3878/) I mentioned CSP, which was mentioned by
MaXe as a solution for XSS. Taking into account that XSS has been known
since 1998 (persistent XSS was found in 1998 and the term Cross-Site
Scripting was introduced in 2000, when reflected XSS was found), and that
now, in 2010, after 12 years, we have a situation where 80-90% of web sites
on the Internet have XSS holes, it's quite possible that nothing will greatly
change in the next 10 years (CSP will need to go a long way before it
spreads enough).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

----- Original Message ----- 
From: Schmidt, Chris
To: MaXe ; MustLive
Cc: websecurity at webappsec.org
Sent: Monday, January 25, 2010 8:22 AM
Subject: RE: [WEB SECURITY] The future of XSS attacks


I would like to take this opportunity to point everyone at the latest
installment of ESAPI4JS along with some reference material on using it,
specifically using it to mitigate DOM Based XSS attacks (without relying on
browser plugins)

http://yet-another-dev.blogspot.com/2010/01/esapi4js-v013-now-available.html

The changelog for 0.1.3 follows:

version 0.1.3 (01/23/2010)

General
More updates to distribution
Cleaned up subversion repository
Updated subversion to allow online testing

Validation
Implemented i18n support for error messaging

Logging
Fixed overwrite bug in Logging configuration

Internationalization
Created ObjectResourceBundle
Moved messaging to an external resource file
Add configuration options to ESAPI Config

HTTPUtils
Implemented Cookie-Jar Management
Implemented function to get parameters from a GET request

~ beef



-----Original Message-----
From: MaXe [mailto:owasp at intern0t.net]
Sent: Sat 1/23/2010 6:19 AM
To: MustLive
Cc: websecurity at webappsec.org
Subject: Re: [WEB SECURITY] The future of XSS attacks

MustLive wrote:
> Hello participants of Mailing List.
>
> Yesterday I wrote the English version of my article The future of XSS
> attacks (http://websecurity.com.ua/3878/), which you can read if you are
> interested in this topic.
>
> In the article I talked about Cross-Site Scripting attacks where it's
> not possible to use any tags and angle brackets. I listed attack
> vectors which can be used in this case (automated and non-automated).
> And I wrote about the current situation with modern browsers: in 2008 in
> Firefox 3 the possibility of attack via -moz-binding was removed (partly),
> and in IE 8, which was released at the beginning of 2009, support of
> expression() was removed.
>
> So I proposed my cross-browser solution for conducting automated XSS
> attacks in such conditions (when it's not possible to use any tags and
> angle brackets), using the MouseOverJacking technique, which I already
> wrote about (http://websecurity.com.ua/3814/).
>
> You can read the article The future of XSS attacks at my site:
> http://websecurity.com.ua/3878/
>
> Best wishes & regards,
> MustLive
> Administrator of Websecurity web site
> http://websecurity.com.ua

