[WEB SECURITY] The future of XSS attacks

Schmidt, Chris cschmidt at servicemagic.com
Wed Jan 27 18:59:10 EST 2010


Thanks for the taking a look and responding. 

I am not sure what looks complex about using ESAPI4JS to mitigate the
attacks that could be solved by some other means in a more simple manner
though. 

[script]
 $ESAPI.encoder().encodeForHTML( valueToEncode );
[/script] 

Are you referring to the dependencies of using ESAPI4JS? 

Really, the only dependencies are the Core js, Config js, Messages js,
and Log4JS js (which will be changing slightly, to only require this if
the logging module is loaded, I am moving logging out of the core js
since logging is not used very much in most client-side code)

Also, the amount of work being done behind the scenes when you make that
call to encodeForHTML or encodeForCSS or encodeForJavascript is
important to realize as well. Most so-called *simple* solutions to XSS
involve a very select bit of filtering without taking things like
multiple encodings, or encoding at all into account, thus rendering the
XSS protection completely useless. 

I don't want you to think that I am attacking your take on the
situation, but I do think that the very *simple* vulnerability in the
example page is an example of *simple* DOM Based XSS and though solving
that exact problem may be easy without the use of something like ESAPI
(assuming you are taking into account encoding attacks as well) more
often than not, the holes are not this visible, and not so easy to get
around. I purposefully chose to exemplify it with a very simple code bug
so that it would be easy to illustrate how to integrate the protection
into an application and quickly get resolution. 

Thanks again for the comments, and thanks for challenging the post! 


-----Original Message-----
From: MustLive [mailto:mustlive at websecurity.com.ua] 
Sent: Wednesday, January 27, 2010 2:55 PM
To: Schmidt, Chris
Cc: websecurity at webappsec.org
Subject: Re: [WEB SECURITY] The future of XSS attacks

Hello Chris!

Thanks for pointing about ESAPI4JS.

I'm not fan of any framework and I'm not using any framework not for web
developing, nor for security of web applications and web sites, but I
wish you good luck with your project.

Regarding your example of mitigation DOM Based XSS attacks with using of
ESAPI4JS then I'll note, that it looks too complex and time consuming.
For this reason it's not very effective solution for this particular
case - in comparison with self-made solutions (for fixing as XSS hole in
example page, as any other XSS holes). E.g. I see two methods of fixing
the hole in example page without using of ESAPI4JS (which will be less
complex and less time consuming). I just like to use own solutions, not
some frameworks :-).

P.S.

I mentioned in comments to my article The future of XSS attacks
(http://websecurity.com.ua/3878/) about CSP, which was mentioned by MaXe
as solution for XSS. Taking into account, that XSS known already from
1998 (persistent XSS was found in 1998 and term Cross-Site Scripting was
introduced in 2000, when reflected XSS was found). And for now, in 2010,
after 12 years we have such situation, that 80-90% of web sites in
Internet have XSS holes. Than it's quite possible that nothing will
greatly change in next 10 years (CSP will need to pass a long way before
it'll spread enough).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

----- Original Message -----
From: Schmidt, Chris
To: MaXe ; MustLive
Cc: websecurity at webappsec.org
Sent: Monday, January 25, 2010 8:22 AM
Subject: RE: [WEB SECURITY] The future of XSS attacks


I would like to take this opportunity to point everyone at the latest
installment of ESAPI4JS along with some reference material on using it,
specifically using it to mitigate DOM Based XSS attacks (without relying
on
browser plugins)

http://yet-another-dev.blogspot.com/2010/01/esapi4js-v013-now-available.
html

The changelog for 0.1.3 follows:

version 0.1.3 (01/23/2010)

General
More updates to distribution
Cleaned up subversion repository
Updated subversion to allow online testing

Validation
Implemented i18n support for error messaging

Logging
Fixed overwrite bug in Logging configuration

Internationalization
Created ObjectResourceBundle?
Moved messaging to a external resource file
Add configuration options to ESAPI Config

HTTPUtils
Implemented Cookie-Jar Management
Implemented function to get parameters from a GET request

~ beef



-----Original Message-----
From: MaXe [mailto:owasp at intern0t.net]
Sent: Sat 1/23/2010 6:19 AM
To: MustLive
Cc: websecurity at webappsec.org
Subject: Re: [WEB SECURITY] The future of XSS attacks

MustLive wrote:
> Hello participants of Mailing List.
>
> Yesterday I wrote English version of my article The future of XSS
attacks
> (http://websecurity.com.ua/3878/), which you can read if you
> interested in
> this topic.
>
> In the article I talked about Cross-Site Scripting attacks where it's
> not possible to use any tags and angle brackets. I listed attack
> vectors which can be used in this case (automated and non-automated).
> And wrote about current situation with modern browsers: in 2008 in
> Firefox 3 possibility of attack via -moz-binding was removed (partly)
> and in IE 8, which released at beginning of 2009, support of
> expression() was removed.
>
> So I proposed my cross-browser solution for conducting of automated
XSS
> attacks in such conditions (when it's not possible to use any tags and
> angle
> brackets) - with using of MouseOverJacking technique, which I already
> wrote
> about (http://websecurity.com.ua/3814/).
>
> You can read the article The future of XSS attacks at my site:
> http://websecurity.com.ua/3878/
>
> Best wishes & regards,
> MustLive
> Administrator of Websecurity web site
> http://websecurity.com.ua


----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/archive/

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA



More information about the websecurity mailing list