At 09:29 PM 9/8/2002 -0700, you wrote:
>If you are not familiar with what I mean by cross site scripting (XSS), here
>are two links with information about it:
>
> http://www.cgisecurity.com/articles/xss-faq.shtml
>
> http://www.cert.org/advisories/CA-2000-02.html
>
>According to the first FAQ above, some of the things that should be done to
>protect your web application are:
>
> "Never trust user input and always filter metacharacters. This will
>eliminate the majority of XSS attacks. Converting < and > to &lt; and &gt;
>is also suggested when it comes to script output. Remember XSS holes can be
>damaging and costly to your business if abused. Often attackers will
>disclose these holes to the public, which can erode customer and public
>confidence in the security and privacy of your organization's site.
>Filtering < and > alone will not solve all cross site scripting attacks and
>it is suggested you also attempt to filter out ( and ) by translating them
>to &#40; and &#41;, and also # and & by translating them to &#35; (#) and
>&#38; (&)."
Mike,
I've studied this a bit when I made an XSS filter for Expresso, and came
across the following situations.
-I could never get browsers to properly render #, (, ), and ', so I ended
up having to bail on having them replaced with the appropriate character
entity. If somebody has a way of getting it to work, I'd really appreciate
hearing what they said. I DID get double quotes properly filtered.
-You don't ALWAYS want to filter the input parameters. If, for example, the
company name in a registration app was Mike & Ike, Inc., you'd want to
write to the underlying database "Mike & Ike, Inc.", NOT "Mike &amp; Ike,
Inc." The reason is simple: if you read the database with a non-web
browser application, then the data may be messed up.
-However, you DO want to filter the data you are sending to the browser. In
this case, you DO want the company name to be rendered "Mike & Ike, Inc."
in most cases.
So in this case, Struts does a reasonable job of transforming the
output. I made the mistake in my own design of filtering all data read
from a data source... which worked nicely and transparently to the user, but
may cause problems if you want to read and send the data through, for
example, a web service instead of a JSP page.
Hope this clarifies the issue. Granted there has been very little
attention to XSS, which causes many people to write vulnerable
applications. I appreciate you piping up asking questions about it.
-Mike
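The store-raw, encode-on-output split described in the reply above, as an added example (not code from this thread, from Struts or from Expresso), written in Python rather than Java; the record, the "database" and the two output sinks are constructed stand-ins, and the wrong-order encoder is included only to show why the ampersand has to be handled first.

```python
import json

# Constructed sample of what a registration app should store: exactly what
# the user typed, with no HTML entities in it.
COMPANY_RAW = "Mike & Ike, Inc."


def encode_for_html(text: str) -> str:
    """Encode the HTML metacharacters so the value is rendered as text.

    The '&' replacement must run first: every other replacement introduces
    an '&', and encoding it again would produce '&amp;lt;' instead of '&lt;'.
    """
    return (text.replace("&", "&amp;")
                .replace("<", "&lt;")
                .replace(">", "&gt;")
                .replace('"', "&quot;")
                .replace("'", "&#39;"))


def encode_for_html_wrong_order(text: str) -> str:
    """Same replacements with '&' done last; shown only to expose the bug."""
    return (text.replace("<", "&lt;")
                .replace(">", "&gt;")
                .replace("&", "&amp;"))


def store(company: str) -> dict:
    """Database write: keep the raw value so non-web readers see it intact."""
    return {"company": company}


def render_html(record: dict) -> str:
    """HTML sink (a JSP page): encode at the moment of output, not before."""
    return "<td>" + encode_for_html(record["company"]) + "</td>"


def render_web_service(record: dict) -> str:
    """Non-HTML sink: no HTML encoding, or the consumer receives '&amp;'."""
    return json.dumps(record)


if __name__ == "__main__":
    row = store(COMPANY_RAW)
    print(render_html(row))         # <td>Mike &amp; Ike, Inc.</td>
    print(render_web_service(row))  # {"company": "Mike & Ike, Inc."}
```

Encoding the same value twice (once when reading from the data source, once again at the page) turns `&` into `&amp;amp;`, which is the symptom of the design mistake the reply describes.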