
Protection for Cross Site Scripting hackers (XSS)

JavaScript Solution?

7:51 pm on May 8, 2003 (gmt 0)

10+ Year Member



There have been more and more reports of XSS or Cross Site Scripting hackers. Kinda surprised it's not covered more in this forum. I am trying to protect some forms that I have and needed some help.

I have a validation script that I would like to strip any metacharacter within the form input. This way it will prevent some XSS, Can anyone help?

Thanks ahead,

Abstract

8:01 pm on May 8, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Hi abstractj,

I'm not sure how JavaScript can be used to prevent an XSS vulnerability.

JavaScript form validation or content encoding can only be regarded as "may have been performed" by any server side process.

Can you provide any more details?

8:11 pm on May 8, 2003 (gmt 0)

10+ Year Member



Well, I am not 100% familiar with XSS. But, by using JavaScript to weed out the metacharacters such as < > or " ' in a form input, it will eliminate some less knowledgeable hackers.

I realize I probably will have to write some Perl code to the backend as well... but it's a start for now.

8:40 pm on May 8, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Hi,

I would strongly recommend concentrating your efforts on protection against "knowledgeable hackers" - and for this you must validate your input server side.

This will take care of the less "knowledgeable hackers" as a matter of course.

8:43 pm on May 8, 2003 (gmt 0)

WebmasterWorld Senior Member drdoc is a WebmasterWorld Top Contributor of All Time 10+ Year Member



If anyone is knowledgeable enough to use certain characters in an attempt to break your code, then they are also knowledgeable enough to know how to disable JavaScript in their browser.

Bottom line - you cannot rely on client side security at all! Besides, what prevents anyone from submitting information from a bogus form?

8:50 pm on May 8, 2003 (gmt 0)

10+ Year Member



What are some solutions as far as server side? By using the CPAN modules to remove HTML tags from input?

I would like to hear some suggestions.

Thanks.

9:12 pm on May 8, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Hi Again,

Have a look at the following page on the Apache website regarding CSS (cross-site-scripting). It has example code in PHP and Perl...

[httpd.apache.org...]

9:14 pm on May 8, 2003 (gmt 0)

10+ Year Member



Thanks D for answering my question. My hosting is not running on Apache, rather Netscape Enterprise Server or NES... Thanks for the link.

Abstract

9:15 pm on May 8, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



No problem!

That page should help - the Perl code is certainly generic.

9:15 pm on May 8, 2003 (gmt 0)

WebmasterWorld Senior Member drdoc is a WebmasterWorld Top Contributor of All Time 10+ Year Member



Don't try to figure out which characters to remove. Instead, decide which characters are allowed, and remove all that aren't allowed.

If you try to remove certain characters, you will most likely miss some.
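The two points made above in this thread, that validation must happen on the server and that it should be an allowlist of permitted characters rather than a blocklist of dangerous ones, put into a small Perl script. This is an added example, not code posted in the thread or taken from the Apache page linked earlier; the field names, the allowlist rules and the sample submissions are all made up for illustration, and free-text fields (which cannot be reduced to a short character list) are handled by HTML-encoding them on output instead.

```perl
#!/usr/bin/perl
# Added example: server-side allowlist validation plus output encoding.
# Field names and rules are hypothetical; nothing here is tied to a
# particular web server, so it applies to NES just as well as Apache.
use strict;
use warnings;

# Allowlist per field: describe what IS allowed and reject everything else.
# Anchored with ^ and \z so a stray newline cannot slip past the check.
my %allowed = (
    username => qr/^[A-Za-z0-9_]{1,32}\z/,
    email    => qr/^[A-Za-z0-9._%+-]+\@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\z/,
);

# Returns 1 if the value is acceptable for the named field, 0 otherwise.
# An unknown field name is rejected too: only fields we expect get through.
sub validate_field {
    my ($name, $value) = @_;
    my $rule = $allowed{$name} or return 0;
    return (defined $value && $value =~ $rule) ? 1 : 0;
}

# Free text such as a comment cannot be allowlisted character by character,
# so it is stored as-is and encoded for HTML at the moment it is displayed.
# The browser then renders "<b>" as literal text rather than as markup.
sub html_escape {
    my ($s) = @_;
    $s =~ s/&/&amp;/g;     # must come first, or later entities get re-encoded
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g;
    $s =~ s/'/&#39;/g;
    return $s;
}

# Constructed sample submissions. The second one is what a client-side
# JavaScript check would never have seen, because the request was sent
# directly rather than through the form.
my @submissions = (
    { username => 'abstractj',    comment => 'hello world' },
    { username => '<b>x</b>',     comment => 'irrelevant' },
    { username => 'drdoc',        comment => q{<b>bold</b> & "quotes" 'here'} },
);

for my $s (@submissions) {
    if (!validate_field('username', $s->{username})) {
        print "REJECTED: username fails allowlist\n";
        next;
    }
    printf "OK: %s says: %s\n", $s->{username}, html_escape($s->{comment});
}
```

Run it with `perl` from the command line; the first and third submissions print as OK, with the third comment shown as `&lt;b&gt;bold&lt;/b&gt; &amp; &quot;quotes&quot; &#39;here&#39;`, and the second is rejected before it is ever stored. Rejecting rather than silently stripping keeps the rule simple to reason about, which is the point of the allowlist approach: the code states what is acceptable, and there is no list of "bad" characters to keep complete.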

9:18 pm on May 8, 2003 (gmt 0)

10+ Year Member



Never mind, spoke too soon. Thanks for the info.

9:20 pm on May 8, 2003 (gmt 0)

10+ Year Member



Good point, doc. Now I have to hit the Perl Cookbook...