WebApp Sec mailing list archives
RE: Detecting cross-site scripting attacks
From: "Harbar, Spencer" <spencer.harbar () dns co uk>
Date: Wed, 14 May 2003 09:57:59 +0100
The majority of application firewall products only detect and block what 'could' be an attack. They do so by examining the HTTP request for dangerous constructs, such as <SCRIPT> tags etc. This is also simple to do within an application itself by using regular expressions or even something as nasty as an InStr function in VB. Also, application platforms, such as ASP.NET v1.1, have this functionality built in (Request Validation).

However, the problem lies in the fact that these 'solutions' require an exception list of some form. It is very common, even if bad form, for an application to allow the posting of HTML tags (say a bulletin board). In the ASP.NET request validation scenario, the server will throw an exception. To get the desired application functionality, the request validation needs to be disabled. The better Application Firewalls enable a fine granularity of control (e.g. which form fields to validate, and to what extent), with a few allowing additions/exceptions to the block list.

The bottom line is even with an application firewall, you should protect against XSS in the application itself by implementing robust validation techniques. The hands-down best treatment of XSS is in Writing Secure Code Second Edition by Michael Howard and David LeBlanc.

hth

spence

-----Original Message-----
From: Cedar Moore [mailto:cedar1420 () yahoo com]
Sent: 13 May 2003 18:32
To: webappsec () securityfocus com

I am new to web application security. A lot of layer 7 application security products detect cross-site scripting attacks (ex: Sanctum AppShield). How do these products do this? There is a lot of information about cross-site scripting attacks, but I did not come across how these web application attacks can be detected. Is there any white paper out there explaining the generic detection methods?
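The two approaches in Spencer's reply, a blunt request-validation check that trips on any tag versus a block-list scan with a per-field exception list, plus the in-application protection he recommends (allow-list sanitising of the one field that may carry HTML, output encoding of everything else), as an added Python example. This is not code from the thread, from ASP.NET or from any product mentioned; the rule names, the `post_body` field policy and the sample requests are constructed for illustration.

```python
import html
import re
from typing import Dict, List, Set, Tuple

# Block-list rules for constructs that commonly appear in XSS payloads.
# Rule names and patterns are constructed for this example, not taken from any product.
RULES: List[Tuple[str, "re.Pattern[str]"]] = [
    ("script_tag", re.compile(r"<\s*/?\s*script\b", re.I)),
    ("iframe_tag", re.compile(r"<\s*iframe\b", re.I)),
    ("event_handler", re.compile(r"\bon[a-z]+\s*=", re.I)),
    ("javascript_uri", re.compile(r"javascript\s*:", re.I)),
    ("any_tag", re.compile(r"<\s*[a-z!/?]", re.I)),  # the blunt check that trips on all markup
]

# Exception list: fields that are allowed to carry HTML, and which tags each may use.
# Fields not listed here are validated against every rule and never rendered as HTML.
FIELD_POLICY: Dict[str, Set[str]] = {
    "post_body": {"b", "i", "p", "br", "a"},
}
SAFE_ATTRS: Dict[str, Set[str]] = {"a": {"href"}}  # attributes kept on allowed tags

TAG_RE = re.compile(r"<\s*(/?)\s*([a-zA-Z][a-zA-Z0-9]*)\s*([^<>]*?)\s*/?>")
ATTR_RE = re.compile(r"""([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))""")


def scan(value: str) -> List[str]:
    """Names of the block-list rules that fire on a single field value."""
    return [name for name, rx in RULES if rx.search(value)]


def strict_request_validation(form: Dict[str, str]) -> bool:
    """Request validation with no exception list: any tag in any field rejects the request."""
    return any("any_tag" in scan(v) for v in form.values())


def _rewrite_tag(m: "re.Match[str]", allowed: Set[str]) -> str:
    closing, name, attrs = m.group(1), m.group(2).lower(), m.group(3)
    if name not in allowed:
        return html.escape(m.group(0))  # a disallowed tag survives only as visible text
    if closing:
        return f"</{name}>"
    kept = []
    for am in ATTR_RE.finditer(attrs):
        attr = am.group(1).lower()
        val = next(v for v in am.groups()[1:] if v is not None)
        if attr not in SAFE_ATTRS.get(name, set()):
            continue  # drops every on* handler, style, etc.
        if attr == "href" and ":" in val and val.strip().lower().split(":", 1)[0] not in ("http", "https"):
            continue  # only http(s) or relative links; other URI schemes are dropped
        kept.append(f'{attr}="{html.escape(val, quote=True)}"')
    return "<" + name + "".join(" " + k for k in kept) + ">"


def sanitize(value: str, allowed: Set[str]) -> str:
    """Allow-list sanitiser: keeps permitted tags/attributes, escapes everything else."""
    out, pos = [], 0
    for m in TAG_RE.finditer(value):
        out.append(html.escape(value[pos:m.start()]))
        out.append(_rewrite_tag(m, allowed))
        pos = m.end()
    out.append(html.escape(value[pos:]))
    return "".join(out)


def validate_request(form: Dict[str, str]):
    """Block list with per-field exceptions, plus output-safe cleaned values.

    Returns (blocked, findings, cleaned):
      blocked  - True when a field with no HTML exception tripped any rule
      findings - {field: [rule names]} for logging and alerting, even when not blocked
      cleaned  - values that are safe to store and later render inside HTML
    """
    blocked, findings, cleaned = False, {}, {}
    for name, value in form.items():
        hits = scan(value)
        if name in FIELD_POLICY:
            hits = [h for h in hits if h != "any_tag"]  # markup is expected in this field
            cleaned[name] = sanitize(value, FIELD_POLICY[name])
        else:
            blocked = blocked or bool(hits)
            cleaned[name] = html.escape(value, quote=True)
        if hits:
            findings[name] = hits
    return blocked, findings, cleaned


# Constructed sample requests: a normal bulletin-board post, a payload in a plain
# field, and a payload placed in the one field that is allowed to carry HTML.
SAMPLE_REQUESTS = {
    "normal_post": {"username": "alice", "post_body": "Hello <b>world</b>"},
    "plain_field_attack": {"username": "<script>alert(1)</script>", "post_body": "hi"},
    "html_field_attack": {
        "username": "bob",
        "post_body": '<b onmouseover="alert(1)">x</b><script>alert(1)</script>',
    },
}

if __name__ == "__main__":
    for label, form in SAMPLE_REQUESTS.items():
        print(label, "strict:", strict_request_validation(form), "policy:", validate_request(form))
```

Running it shows the problem the reply describes: the strict check rejects the perfectly normal `<b>` post along with the real payloads, so it has to be switched off for the bulletin board, while the per-field policy lets that post through, still blocks markup in `username`, and reduces the payload in `post_body` to harmless escaped text while logging which rules fired.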
Current thread:
- Detecting cross-site scripting attacks Cedar Moore (May 13)
- RE: Detecting cross-site scripting attacks roshen.chandran (May 14)
- <Possible follow-ups>
- RE: Detecting cross-site scripting attacks Harbar, Spencer (May 14)
- Re: Detecting cross-site scripting attacks Cedar Moore (May 14)
- RE: Detecting cross-site scripting attacks Vinny Bedus (May 14)
- RE: Detecting cross-site scripting attacks Calderon, Juan C (CORP, DDEMESIS) (May 14)