WebApp Sec mailing list archives

RE: Detecting cross-site scripting attacks


From: "Harbar, Spencer" <spencer.harbar () dns co uk>
Date: Wed, 14 May 2003 09:57:59 +0100

The majority of application firewall products only detect and block what
'could' be an attack.
 
They do so by examining the HTTP request for dangerous constructs, such
as <SCRIPT> tags etc.
This is also simple to do within an application itself by using regular
expressions or even something as nasty as an InStr function in VB. 
Also, application platforms, such as ASP.NET v1.1 have this
functionality built in (Request Validation).
 
However, the problem lies in the fact that these 'solutions' require an
exception list of some form.
 
It is very common, even if bad form, for an application to allow the
posting of HTML tags (say a bulletin board).
In the ASP.NET request validation scenario, the server will throw an
exception.
To get the desired application functionality, the request validation
needs to be disabled.
 
The better Application Firewalls enable a fine granularity of control
(e.g. which form fields to validate, and to what extent) with a few
allowing additions/exceptions to the block list.
 
The bottom line is even with an application firewall, you should protect
against XSS in the application itself by implementing robust validation
techniques.
 
The hands down best treatment of XSS is in Writing Secure Code Second
Edition by Michael Howard and David LeBlanc.
 
hth
spence 
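As an added illustration, not part of Spencer's message or anything else in this thread, the Python sketch below puts the two mechanisms he describes side by side: a blocklist check for "dangerous constructs" (the InStr-style substring test and a regex version, as a WAF or ASP.NET 1.1 request validation would apply to every field), and the per-field exception policy a bulletin-board style application needs so that legitimate markup in one field does not force validation off everywhere. The sample requests, field names, patterns and policy are all constructed for the example; they are not from any real product.

```python
import re
from html import escape

# Constructed sample form submissions (not taken from the thread), each as a
# WAF or request-validation layer would see it: field name -> submitted value.
SAMPLE_REQUESTS = [
    {"username": "alice", "comment": "hello world"},
    {"username": "alice", "comment": "<script>alert(1)</script>"},
    {"username": "alice", "comment": "<ScRiPt src=//x>"},                 # case variant
    {"username": "alice", "comment": '<img src=x onerror="alert(1)">'},  # no <script> at all
    {"username": "alice", "comment": '<a href="java&#115;cript:alert(1)">x</a>'},  # entity-encoded URI
    {"username": "<b>bob</b>", "comment": "fine"},                        # markup where none belongs
    {"username": "carol", "comment": "<b>bold</b> and <i>italic</i>"},    # legitimate BB markup
]

# The "InStr" style check: a case-sensitive substring test for one construct.
def naive_detect(value):
    return "<script>" in value

# A slightly better blocklist: a few dangerous constructs, case-insensitive.
# This is still "what could be an attack", not proof of one.
DANGEROUS = re.compile(
    r"<\s*script\b|javascript\s*:|on[a-z]+\s*=|<\s*iframe\b",
    re.IGNORECASE,
)

def blocklist_detect(value):
    return DANGEROUS.search(value) is not None

# Per-field policy, the "fine granularity of control" the post mentions
# (hypothetical field names):
#   strict   - allow only a small character set (allowlist)
#   sanitize - allow a tag allowlist, escape everything else
#   block    - reject the request if the blocklist fires (request-validation behaviour)
FIELD_POLICY = {"username": "strict", "comment": "sanitize"}
STRICT_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")
ALLOWED_TAGS = {"b", "i"}
TAG_RE = re.compile(r"</?([a-zA-Z][a-zA-Z0-9]*)\b[^>]*>")

def sanitize_html(value):
    """Keep only bare <b>/<i> tags with no attributes; escape everything else."""
    out, pos = [], 0
    for m in TAG_RE.finditer(value):
        out.append(escape(value[pos:m.start()]))
        name = m.group(1)
        # Only the exact forms <b>, </b>, <i>, </i> survive; <b onclick=...> does not.
        if name.lower() in ALLOWED_TAGS and re.fullmatch(r"</?%s>" % name, m.group(0)):
            out.append(m.group(0).lower())
        else:
            out.append(escape(m.group(0)))
        pos = m.end()
    out.append(escape(value[pos:]))
    return "".join(out)

def validate_request(form, policy=FIELD_POLICY):
    """Return (accepted, cleaned_fields, reason) for one submitted form."""
    cleaned = {}
    for field, value in form.items():
        mode = policy.get(field, "block")   # unknown fields get the strictest default
        if mode == "strict":
            if not STRICT_RE.fullmatch(value):
                return False, {}, "%s: not in allowed character set" % field
            cleaned[field] = value
        elif mode == "sanitize":
            cleaned[field] = sanitize_html(value)
        else:
            if blocklist_detect(value):
                return False, {}, "%s: dangerous construct" % field
            cleaned[field] = escape(value)
    return True, cleaned, "ok"

def compare_detectors(requests=SAMPLE_REQUESTS):
    """(comment, naive_hit, blocklist_hit) for each sample, to show what each misses."""
    return [(r["comment"], naive_detect(r["comment"]), blocklist_detect(r["comment"]))
            for r in requests]

if __name__ == "__main__":
    for comment, naive, regex in compare_detectors():
        print("naive=%-5s regex=%-5s %s" % (naive, regex, comment))
    for r in SAMPLE_REQUESTS:
        print(validate_request(r))
```

Running it shows the three failure modes the post is getting at: the substring test misses the mixed-case `<ScRiPt` and the `onerror` handler, the regex blocklist catches those but still misses the entity-encoded `java&#115;cript:` href, and a blanket block would reject the bulletin-board comment that is supposed to carry `<b>` and `<i>`. The per-field policy accepts that comment, escapes the `<img>` and `<a>` tags it does not allow (neutralising the payload the blocklist missed), and refuses markup in the username field, which is the "validate in the application itself" bottom line in code.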


-----Original Message-----
From: Cedar Moore [mailto:cedar1420 () yahoo com] 
Sent: 13 May 2003 18:32
To: webappsec () securityfocus com


I am new to web application security. A lot of layer 7 application
security products detect cross-site scripting attacks (ex: Sanctum
AppShield). How do these products do it? There is a lot of information
about cross-site scripting attacks, but I did not come across how these
web application attacks can be detected. Is there any white paper out
there explaining the generic detection methods?
