Show Some Respect to Cross-Site Scripting

[article]

At this point you should be thinking about XSS less like Rodney Dangerfield and more like Don Corleone: a powerful and dangerous person who deserves your respect! How can you find XSS vulnerabilities in your code and, more importantly, how can you fix them? The underlying programming error that leads to XSS vulnerabilities is displaying user input without first correctly validating and encoding that input. If you ever echo users' input back to them (for example: "Your search for 'foo' returned 1337 results") or store users' input and display it to other users (for example, if your site includes a wiki or a message board), then that code may be vulnerable to XSS. Search out conditions like this in your source code and then ensure that this functionality is secure against XSS by encoding the output with the appropriate encoding algorithm. For example, if the user input will be rendered in the page as HTML, then perform HTML encoding on the input text before that text is echoed in the response. This will cause malicious input text like "" to be encoded as "" which will render in the browser as the text "" and not be interpreted as a script command. Similarly, if the user input will be rendered in the page as a URL (for example, as the href attribute of an element), you should apply URL encoding and then, subsequently, HTML encoding on the input text. A complete list of possible output formats and corresponding encoding types is beyond the scope of this article, as are methods for dealing with situations where you might want to allow the user to input HTML or script. However, there are some excellent additional resources available that detail these solutions (see the resources listed below).
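The two encoding cases described above (HTML encoding for text echoed into the page body, and URL encoding followed by HTML encoding for a value placed in an href), as an added example that is not part of the original article. The search term and the `/search?q=` link are constructed sample values; the encoding is done with Python's standard `html` and `urllib.parse` modules.

```python
import html
from urllib.parse import quote

# Constructed hostile input, mirroring the article's "echo the search term" case.
SAMPLE_TERM = '<script>alert(1)</script>'


def html_encode(text: str) -> str:
    """Encode for HTML body or attribute context: &, <, >, ", ' become entities."""
    return html.escape(text, quote=True)


def url_then_html_encode(text: str) -> str:
    """Encode a user value that is embedded in a URL inside an HTML attribute.

    Two layers, applied in the order the article gives: URL-encode first
    (safe="" so that even '/' and '&' are percent-encoded), then HTML-encode
    the result because it is being written into an attribute value.
    """
    return html_encode(quote(text, safe=""))


def render_search_page(term: str, count: int) -> str:
    """Echo the user's term in two contexts: HTML body text and an href."""
    body = f"<p>Your search for '{html_encode(term)}' returned {count} results</p>"
    link = f'<a href="/search?q={url_then_html_encode(term)}">Search again</a>'
    return body + "\n" + link


def raw_input_leaked(rendered: str, raw: str) -> bool:
    """Cheap regression check: the raw input must never appear verbatim in output."""
    return raw in rendered


if __name__ == "__main__":
    page = render_search_page(SAMPLE_TERM, 0)
    print(page)
    print("raw input leaked into output:", raw_input_leaked(page, SAMPLE_TERM))
```

The block encodes a value placed into a query parameter; a user-supplied whole URL is a different case that needs its scheme validated before any encoding, which this block does not do.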

References

1) Microsoft Developer Network

2) Open Web Application Security Project (OWASP)

About the author

Bryan Sullivan

Bryan Sullivan is a security program manager on the Security Development Lifecycle (SDL) team at Microsoft. He is a frequent speaker at industry events, including Black Hat, BlueHat, and RSA Conference. Bryan is also a published author on Web application security topics. His first book, Ajax Security, was published by Addison-Wesley in 2007.
