JavaScript and AJAX Forum

Protection for Cross Site Scripting hackers (XSS)
JavaScript Solution?
abstractj

10+ Year Member
Msg#: 397 posted 7:51 pm on May 8, 2003 (gmt 0)

There have been more and more reports of XSS or Cross Site Scripting hackers. Kinda surprised it's not covered more in this forum. I am trying to protect some forms that I have and needed some help.

I have a validation script that I would like to strip any metacharacter within the form input. This way it will prevent some XSS, Can anyone help?

Thanks ahead,

Abstract


dmorison

WebmasterWorld Senior Member 10+ Year Member
Msg#: 397 posted 8:01 pm on May 8, 2003 (gmt 0)

Hi abstractj,

I'm not sure how JavaScript can be used to prevent an XSS vulnerability.

JavaScript form validation or content encoding can only be regarded as "may have been performed" by any server side process.

Can you provide any more details?

abstractj

10+ Year Member
Msg#: 397 posted 8:11 pm on May 8, 2003 (gmt 0)

Well, I am not 100% familiar with XSS. But, by using JavaScript to weed out the metacharacters such as < > or " ' in a form input, it will eliminate some less knowledgeable hackers.

I realize I probably will have to write some Perl code to the backend as well... but it's a start for now.

dmorison

WebmasterWorld Senior Member 10+ Year Member
Msg#: 397 posted 8:40 pm on May 8, 2003 (gmt 0)

Hi,

I would strongly recommend concentrating your efforts on protection against "knowledgeable hackers" - and for this you must validate your input server side.

This will take care of the less "knowledgeable hackers" as a matter of course.

DrDoc

WebmasterWorld Senior Member, WebmasterWorld Top Contributor of All Time, 10+ Year Member
Msg#: 397 posted 8:43 pm on May 8, 2003 (gmt 0)

If anyone is knowledgeable enough to use certain characters in an attempt to break your code, then they are also knowledgeable enough to know how to disable JavaScript in their browser.

Bottom line - you cannot rely on client side security at all! Besides, what prevents anyone from submitting information from a bogus form?

abstractj

10+ Year Member
Msg#: 397 posted 8:50 pm on May 8, 2003 (gmt 0)

What are some solutions as far as server side? by using the CPAN modules to remove html tags from input?

I would like to hear some suggestions.

Thanks.

dmorison

WebmasterWorld Senior Member 10+ Year Member
Msg#: 397 posted 9:12 pm on May 8, 2003 (gmt 0)

Hi Again,

Have a look at the following page on the Apache website regarding CSS (cross-site-scripting). It has example code in PHP and Perl...

[httpd.apache.org...]

abstractj

10+ Year Member
Msg#: 397 posted 9:14 pm on May 8, 2003 (gmt 0)

Thanks D for answering my question. My hosting is not running on Apache, rather Netscape Enterprise Server or NES... Thanks for the link.

Abstract

dmorison

WebmasterWorld Senior Member 10+ Year Member
Msg#: 397 posted 9:15 pm on May 8, 2003 (gmt 0)

No problem!

That page should help - the Perl code is certainly generic.

DrDoc

WebmasterWorld Senior Member, WebmasterWorld Top Contributor of All Time, 10+ Year Member
Msg#: 397 posted 9:15 pm on May 8, 2003 (gmt 0)

Don't try to figure out which characters to remove. Instead, decide which characters are allowed, and remove all that aren't allowed.

If you try to remove certain characters, you will most likely miss some.
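The allow-list approach DrDoc describes, carried through server-side in Perl as an added example (not code from this thread or from the Apache page linked above); the field names, patterns and sample submissions are constructed for illustration, and output is HTML-encoded as a second layer in case a pattern is looser than intended.

```perl
use strict;
use warnings;

# Allow-list per field (names and patterns constructed for this example): anchored
# patterns say what is permitted; anything that does not match is rejected outright.
my %ALLOWED = (
    username => qr/^[A-Za-z0-9_]{3,20}\z/,
    zipcode  => qr/^[0-9]{5}\z/,
    comment  => qr/^[A-Za-z0-9 .,!?'-]{1,500}\z/,
);

# Validate submitted fields server-side, whatever the browser did or did not run.
# Unknown fields are rejected too, so a bogus form cannot add parameters.
sub validate_form {
    my ($params) = @_;
    my (%clean, @errors);
    for my $field (sort keys %$params) {
        my $value = $params->{$field};
        if (!exists $ALLOWED{$field}) {
            push @errors, "unexpected field '$field'";
        } elsif (!defined $value || $value !~ $ALLOWED{$field}) {
            push @errors, "field '$field' contains disallowed content";
        } else {
            $clean{$field} = $value;
        }
    }
    return (\%clean, \@errors);
}

# Second line of defence: HTML-encode anything echoed back into a page.
sub html_escape {
    my ($s) = @_;
    my %map = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
               '"' => '&quot;', "'" => '&#39;');
    $s =~ s/([&<>"'])/$map{$1}/g;
    return $s;
}

# Constructed sample submissions, as a CGI script would receive them.
my @samples = (
    { username => 'alice_01', zipcode => '90210', comment => 'Nice site!' },
    { username => '<script>alert(1)</script>', zipcode => '90210' },
    { username => 'bob', zipcode => '12345', admin => '1' },
);
for my $p (@samples) {
    my ($clean, $errors) = validate_form($p);
    my $line = @$errors ? "REJECTED: " . join('; ', @$errors)
             : "OK: " . join(', ', map { "$_=" . html_escape($clean->{$_}) } sort keys %$clean);
    print "$line\n";
}
```

Only the first submission passes; the second fails the username pattern and the third is refused for carrying a field the form never defined.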

abstractj

10+ Year Member
Msg#: 397 posted 9:18 pm on May 8, 2003 (gmt 0)

Never mind, spoke too soon. Thanks for the info.

abstractj

10+ Year Member
Msg#: 397 posted 9:20 pm on May 8, 2003 (gmt 0)

Good point, doc. Now I have to hit the Perl Cookbook...
