Thanks Michael - that helps clear things up for me.

B

On Feb 8, 2008, at 8:40 AM, Michael Peters wrote:

Barry Moore wrote:

> Basically one version of an XSS attack would be for me to enter javascript code into a form on your web page. Then if you include my form submission in other web pages then my javascript could execute on any other user's machine that subsequently loaded those tainted pages. My JS code could do anything that they could do including contact your server on behalf of them and send data back to my server. Is this correct?

Yes. This is what XSS means. There are variations on this, but it's basically the same thing.

> Then the rationale for you to html escape any input that comes from me and any other user is because that escaping would render the JS code inoperable. Is that correct?

Yes. Imagine you have a form that asks me a survey question and I enter my name as:

Michael <script>alert("p0wnd!")</script> Peters.

Then you log into the admin side of your application and see my survey result. You will get p0wnd. Now imagine that instead of doing a simple alert() I inserted a <script> tag that pulls in some JS from my own server which adds some helpful (to me, not you) methods into your page that makes it really easy for me to get your cookie information and then sends it back to my server. Now I can log in to your admin side and do whatever I want.

> So then is it safe to assume that if the data from your form never gets sent back to other users (i.e. it only gets analyzed by your server - such as a search form) or if you check for JS code in some other way, then that would also prevent this form of XSS?

No. Imagine this scenario: I use your search form and input some malicious Javascript. Now I can steal my own information. Not really useful... yet. I create a URL that will take me to that results page. Something like

http://coolsite.com/search?term=%3Cscript%3Ealert(%22p0wnd!%22)%3C%2Fscript%3E

and I post it in some forum or email group (like this one) and people click on it. Now I have their information.
--
Michael Peters
Developer
Plus Three, LP

##### CGI::Application community mailing list ################
## To unsubscribe, or change your message delivery options,
## visit: http://www.erlbaum.net/mailman/listinfo/cgiapp
## Web archive: http://www.erlbaum.net/pipermail/cgiapp/
## Wiki: http://cgiapp.erlbaum.net/
################################################################
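An added Python illustration of the two cases Michael walks through above (the stored survey name shown on the admin page, and the search term reflected from the URL); this is example code written for this archive page, not code from the list or from CGI::Application, and the render functions and sample values are constructed for the demonstration.

```python
import html
from urllib.parse import urlsplit, parse_qs

# Constructed sample: the search URL from the thread, payload in the "term" parameter.
SEARCH_URL = "http://coolsite.com/search?term=%3Cscript%3Ealert(%22p0wnd!%22)%3C%2Fscript%3E"
# Constructed sample: the survey "name" field from the thread (the stored case).
SURVEY_NAME = 'Michael <script>alert("p0wnd!")</script> Peters'


def search_term(url: str) -> str:
    """Decode the 'term' query parameter exactly as the server would see it."""
    return parse_qs(urlsplit(url).query).get("term", [""])[0]


def render_results_vulnerable(term: str) -> str:
    """Echo the user's term straight into the page: the reflected XSS from the thread."""
    return f"<h1>Results for {term}</h1>"


def render_results_escaped(term: str) -> str:
    """Same page, but the term is HTML-escaped, so the browser parses it as text, not markup."""
    return f"<h1>Results for {html.escape(term)}</h1>"


def render_admin_row_escaped(name: str) -> str:
    """Admin view of a stored answer; escape on output, including the attribute context."""
    safe = html.escape(name, quote=True)  # quote=True also escapes " and ' for attributes
    return f'<tr><td title="{safe}">{safe}</td></tr>'


def contains_script_tag(page: str) -> bool:
    """Crude check used only to show the difference between the two renderings.
    Matching on '<script' is not a defence by itself; escaping at output time is."""
    return "<script" in page.lower()


if __name__ == "__main__":
    term = search_term(SEARCH_URL)
    print("vulnerable:", render_results_vulnerable(term))
    print("escaped:   ", render_results_escaped(term))
    print("admin row: ", render_admin_row_escaped(SURVEY_NAME))
```

The point to take from the escaped outputs is that the same stored or reflected input becomes inert text once it is escaped for the HTML context it is written into.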