WebApp Sec mailing list archives

RE: Fixing XSS Vulns


From: "Cyrill Osterwalder" <cyrill.osterwalder () seclutions com>
Date: Mon, 15 Aug 2005 09:42:40 +0200


wilsonc wrote:
I'm not a security expert, but I did some googling and found
that the standard procedure is basically to "encode" the string
before displaying it to the user

There is one issue I'd like to add to the already advanced discussion:

Contrary to what is widely assumed, the most critical XSS vulnerabilities are *NOT* in
HTML text that is readable to the user. Make sure that you also secure all
dynamic echo of non-visible elements. This is where most Web developers
forget to implement security mechanisms.

I'm talking about

- dynamic URLs/HREFs that include any kind of
  externally modifiable input
  (e.g. index numbers, keys, string elements)

- hidden fields that contain any kind of
  externally modifiable input
  (e.g. last search term, basket index, etc.)

- any kind of externally modifiable input that
  shows up ANYWHERE in JavaScript

- and there's a lot more... ;-)

Please make sure that you do not only take visible HTML echoes into account
but all possible HTML source echoes. An attacker analyzes all HTML source
output for possible echoes, not just what he sees. And there are by far more
of those out there than of the visible ones.

Best regards

Cyrill Osterwalder

Chief Technology Officer
Seclutions AG

http://www.seclutions.com
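The post's point is that one "encode before display" routine is not enough: a search term echoed into visible text, a hidden field, an href and an inline script lands in four different parsing contexts, and each needs its own encoder. The following Python is an added illustration written for this archive page, not code from the post or from Seclutions; the page layout, the function names, the hypothetical search/basket parameters and the sample inputs are all constructed for the example. It also adds the check the post recommends in spirit: scan the whole rendered source for a verbatim echo, not just the visible part.

```python
"""Context-specific output encoding for values echoed into HTML (constructed example)."""
import html
from urllib.parse import quote


def encode_for_html_text(value: str) -> str:
    """Visible text between tags: entity-encode the HTML metacharacters."""
    return html.escape(value, quote=True)


def encode_for_html_attr(value: str) -> str:
    """Quoted attribute value (e.g. a hidden field's value="..."): same entities;
    the caller must always wrap the result in double quotes."""
    return html.escape(value, quote=True)


def encode_for_url_param(value: str) -> str:
    """A value placed into a query string: percent-encode everything except
    the unreserved characters, so '&', '=', '#' and '/' cannot alter the URL."""
    return quote(value, safe="")


def encode_for_js_string(value: str) -> str:
    """A value placed inside a JavaScript string literal within <script>:
    \\uXXXX-escape everything except ASCII letters and digits, so quotes,
    backslashes, newlines and '</script>' cannot end the literal or the block."""
    out = []
    for ch in value:
        cp = ord(ch)
        if ch.isascii() and ch.isalnum():
            out.append(ch)
        elif cp <= 0xFFFF:
            out.append(f"\\u{cp:04x}")
        else:  # astral plane: emit the UTF-16 surrogate pair
            cp -= 0x10000
            out.append(f"\\u{0xD800 + (cp >> 10):04x}\\u{0xDC00 + (cp & 0x3FF):04x}")
    return "".join(out)


def build_search_link(term: str) -> str:
    """A dynamic URL carrying user input: encode the parameter for the URL,
    then encode the whole URL for the attribute it lands in (two layers)."""
    url = "/search?q=" + encode_for_url_param(term)
    return f'<a href="{encode_for_html_attr(url)}">search again</a>'


def render_search_page(term: str, basket_index: str) -> str:
    """The same input echoed into the four sinks the post names: visible text,
    hidden fields, an href and JavaScript string literals. Each sink gets its
    own encoder; the hidden fields and script are invisible to the user."""
    return "\n".join([
        f"<h1>Results for {encode_for_html_text(term)}</h1>",
        f'<input type="hidden" name="last_term" value="{encode_for_html_attr(term)}">',
        f'<input type="hidden" name="basket" value="{encode_for_html_attr(basket_index)}">',
        build_search_link(term),
        "<script>",
        f'  var lastTerm = "{encode_for_js_string(term)}";',
        f'  var basket = "{encode_for_js_string(basket_index)}";',
        "</script>",
    ])


def echoed_verbatim(page: str, raw: str) -> bool:
    """Defensive check over the full HTML source, not the rendered view:
    does the raw input survive unencoded anywhere in the output?"""
    return raw in page


# Constructed test inputs that target the attribute, script and text contexts.
CONSTRUCTED_INPUTS = [
    '"><script>alert(1)</script>',
    "'; alert(1); //",
    "</script><script>alert(1)</script>",
]

if __name__ == "__main__":
    for raw in CONSTRUCTED_INPUTS:
        page = render_search_page(raw, raw)
        print("echoed verbatim:", echoed_verbatim(page, raw))
        print(page, end="\n\n")
```

The JavaScript encoder is deliberately stricter than HTML entity encoding: entities are not decoded inside a script block, so a value HTML-escaped for the text context would reach JavaScript with literal `&lt;` sequences and, worse, leave backslashes untouched. Percent-encoding the query parameter and then attribute-encoding the finished URL is the same layering idea applied to the href sink.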
