JavaScript and AJAX Forum

Protection for Cross Site Scripting hackers (XSS)
JavaScript Solution?
abstractj




msg:1473430
 7:51 pm on May 8, 2003 (gmt 0)

There have been more and more reports of XSS or Cross Site Scripting hackers. Kinda surprised it's not covered more in this forum. I am trying to protect some forms that I have and needed some help.

I have a validation script that I would like to strip any metacharacter within the form input. This way it will prevent some XSS. Can anyone help?

Thanks ahead,

Abstract

 

dmorison




msg:1473431
 8:01 pm on May 8, 2003 (gmt 0)

Hi abstractj,

I'm not sure how JavaScript can be used to prevent an XSS vulnerability.

JavaScript form validation or content encoding can only be regarded as "may have been performed" by any server side process.

Can you provide any more details?

abstractj




msg:1473432
 8:11 pm on May 8, 2003 (gmt 0)

Well, I am not 100% familiar with XSS. But, by using JavaScript to weed out the metacharacters such as < > or " ' in a form input, it will eliminate some less knowledgeable hackers.

I realize I probably will have to write some Perl code to the backend as well... but it's a start for now.

dmorison




msg:1473433
 8:40 pm on May 8, 2003 (gmt 0)

Hi,

I would strongly recommend concentrating your efforts on protection against "knowledgeable hackers" - and for this you must validate your input server side.

This will take care of the less "knowledgeable hackers" as a matter of course.

DrDoc




msg:1473434
 8:43 pm on May 8, 2003 (gmt 0)

If anyone is knowledgeable enough to use certain characters in an attempt to break your code, then they are also knowledgeable enough to know how to disable JavaScript in their browser.

Bottom line - you cannot rely on client side security at all! Besides, what prevents anyone from submitting information from a bogus form?

abstractj




msg:1473435
 8:50 pm on May 8, 2003 (gmt 0)

What are some solutions as far as server side? By using the CPAN modules to remove HTML tags from input?

I would like to hear some suggestions.

Thanks.

dmorison




msg:1473436
 9:12 pm on May 8, 2003 (gmt 0)

Hi Again,

Have a look at the following page on the Apache website regarding CSS (cross-site-scripting). It has example code in PHP and Perl...

[httpd.apache.org...]

abstractj




msg:1473437
 9:14 pm on May 8, 2003 (gmt 0)

Thanks D for answering my question. My hosting is not running on Apache, rather Netscape Enterprise Server or NES... Thanks for the link.

Abstract

dmorison




msg:1473438
 9:15 pm on May 8, 2003 (gmt 0)

No problem!

That page should help - the Perl code is certainly generic.

DrDoc




msg:1473439
 9:15 pm on May 8, 2003 (gmt 0)

Don't try to figure out which characters to remove. Instead, decide which characters are allowed, and remove all that aren't allowed.

If you try to remove certain characters, you will most likely miss some.
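One way to put DrDoc's allowlist advice into the Perl back end abstractj mentions, as an added example that is not code from the thread (the field names, allowed-character rules and sample submissions are assumptions):

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Allowlist validation: state exactly which characters each field may
# contain and reject everything else, instead of enumerating "bad" ones.
# \A and \z anchor the whole value; $ would let a trailing newline through.
# These field rules are assumptions for this example, not from the thread.
my %field_rules = (
    username => qr/\A[A-Za-z0-9_]{1,32}\z/,
    email    => qr/\A[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\z/,
    comment  => qr/\A[A-Za-z0-9 .,!?'\-\r\n]{1,500}\z/,
);

# Returns (1, "") on success or (0, reason) on rejection.
sub validate_field {
    my ($name, $value) = @_;
    my $rule = $field_rules{$name} or return (0, "unknown field");
    return (0, "missing value") unless defined $value;
    return (0, "contains characters outside the allowed set")
        unless $value =~ $rule;
    return (1, "");
}

# Even allowed characters (the apostrophe permitted in a comment) must be
# escaped when echoed back into a page: the browser is where XSS fires,
# so validation on input does not replace encoding on output.
sub html_escape {
    my ($s) = @_;
    $s =~ s/&/&amp;/g;
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g;
    $s =~ s/'/&#39;/g;
    return $s;
}

# Constructed sample submission; the comment carries a script tag.
my %form = (
    username => 'abstractj',
    email    => 'abstract@example.com',
    comment  => q{<script>alert('x')</script>},
);

for my $name (sort keys %form) {
    my ($ok, $why) = validate_field($name, $form{$name});
    printf "%-8s %s\n", $name,
        $ok ? "OK   -> " . html_escape($form{$name}) : "FAIL -> $why";
}
```

The comment field is rejected by the allowlist before any stripping is attempted, which is the point of DrDoc's advice: a rule that names what is allowed cannot be bypassed by a character the author forgot to list.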

abstractj




msg:1473440
 9:18 pm on May 8, 2003 (gmt 0)

Never mind, spoke too soon. Thanks for the info.

abstractj




msg:1473441
 9:20 pm on May 8, 2003 (gmt 0)

Good point, Doc. Now I have to hit the Perl Cookbook...
