
RE: Detecting cross-site scripting attacks

From: Harbar, Spencer <spencer.harbar(at)dns.co.uk>
Date: Wed May 14 2003 - 04:57:59 EDT


The majority of application firewall products only detect and block what 'could' be an attack.  

They do so by examining the HTTP request for dangerous constructs, such as <SCRIPT> tags etc.
This is also simple to do within an application itself by using regular expressions or even something as nasty as an InStr function in VB. Also, application platforms, such as ASP.NET v1.1, have this functionality built in (Request Validation).

However, the problem lies in the fact that these 'solutions' require an exception list of some form.  

It is very common, even if bad form, for an application to allow the posting of HTML tags (say a bulletin board). In the ASP.NET request validation scenario, the server will throw an exception.
To get the desired application functionality, request validation needs to be disabled.

The better Application Firewalls enable a fine granularity of control (e.g. which form fields to validate, and to what extent) with a few allowing additions/exceptions to the block list.  

The bottom line is even with an application firewall, you should protect against XSS in the application itself by implementing robust validation techniques.  

The hands down best treatment of XSS is in Writing Secure Code Second Edition by Michael Howard and David LeBlanc.  

hth
spence
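To make the trade-off in the reply concrete, here is an added example (not from the thread or from any product it mentions): a request-validation style markup check with a per-field exception list, beside the application-side encoding that still has to happen for the excepted field. The blocklist pattern, the tag allowlist and the sample POST are constructed for illustration and only approximate how such filters behave.

```python
import html
import re

# Constructed approximation of a request-validation style blocklist: any
# '<' followed by a letter, '/' or '!' is treated as markup and rejected.
# Illustrative only; it is not any product's actual rule set.
MARKUP = re.compile(r"<\s*[A-Za-z/!]")

def validate_request(fields, allow_html=frozenset()):
    """Return the names of fields containing markup, skipping the fields on
    the exception list (the per-field granularity the reply describes)."""
    return sorted(name for name, value in fields.items()
                  if name not in allow_html and MARKUP.search(value))

# Tags the application is willing to accept on the excepted field (assumed).
ALLOWED_TAGS = ("b", "i")

def sanitize_allowed_html(value):
    """Application-side defence for a field that must accept some HTML:
    encode everything, then restore only an allowlist of bare tags.
    Tags carrying attributes never match the encoded form, so they stay
    encoded."""
    out = html.escape(value, quote=True)
    for tag in ALLOWED_TAGS:
        out = out.replace(f"&lt;{tag}&gt;", f"<{tag}>")
        out = out.replace(f"&lt;/{tag}&gt;", f"</{tag}>")
    return out

def render(fields, allow_html=frozenset()):
    """Stored/displayed form of every field: plain fields are fully encoded,
    exception-listed fields go through the allowlist sanitizer instead."""
    return {name: (sanitize_allowed_html(value) if name in allow_html
                   else html.escape(value, quote=True))
            for name, value in fields.items()}

# Constructed sample bulletin-board POST: the body legitimately uses <b>,
# and the same field also carries a script tag.
SAMPLE = {
    "subject": "Welcome",
    "body": "<b>hello</b> <script>x</script>",
}

if __name__ == "__main__":
    print(validate_request(SAMPLE))                       # ['body']: whole request rejected
    print(validate_request(SAMPLE, allow_html={"body"}))  # []: filter no longer covers body
    print(render(SAMPLE, allow_html={"body"})["body"])    # <b>hello</b> &lt;script&gt;x&lt;/script&gt;
```

Once the body field is on the exception list the filter says nothing about it, which is exactly why the encoding in `render` has to live in the application rather than in front of it.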


-----Original Message-----
From: Cedar Moore [mailto:cedar1420@yahoo.com]
Sent: 13 May 2003 18:32
To: webappsec@securityfocus.com

I am new to web application security. A lot of layer 7 application security products detect cross-site scripting attacks (ex: Sanctum AppShield). How do these products do it? There is a lot of information about cross-site scripting attacks, but I did not come across how these web application attacks can be detected. Is there any white paper out there explaining the generic detection methods?





Received on Wed May 14 08:20:27 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:50 EDT

