Protection for Cross Site Scripting hackers (XSS)

Forum Moderators: open

Message Too Old, No Replies

Protection for Cross Site Scripting hackers (XSS)

JavaScript Solution?

abstractj

7:51 pm on May 8, 2003 (gmt 0)

There has been more and more reports of XSS or Cross Site Scripting hackers. Kinda suprised it's not covered more in this forum. I am trying to protect some forms that I have and needed some help.

I have a validation script that I would like to strip any metacharacter within the form input. This way it will prevent some XSS, Can anyone help?

Thanks ahead,

Abstract

dmorison

8:01 pm on May 8, 2003 (gmt 0)

Hi abstractj,

I'm not sure how JavaScript can be used to prevent an XSS vulnerability.

JavaScript form validation or content encoding can only be regarded as "may have been performed" by any server side process.

Can you provide any more details?

abstractj

8:11 pm on May 8, 2003 (gmt 0)

Well, I am not 100% familar with XSS. But, by using JavaScript to weed out the metacharacters such as < > or " ' in a form input, it will elimate some less knowledgeable hackers.

I realize I probably will have to write some Perl code to the backend as well... but it's a start for now.

dmorison

8:40 pm on May 8, 2003 (gmt 0)

Hi,

I would strongly recommend concentrating your efforts on protection against "knowledgeable hackers" - and for this you must validate your input server side.

This will take care of the less "knowledgeable hackers" as a matter of course.

DrDoc

8:43 pm on May 8, 2003 (gmt 0)

If anyone is knowledgable enough to use certain characters in an attempt to break your code, then they are also knowledgable enough to know how to disable JavaScript in their browser.

Bottom line - you cannot rely on client side security at all! Besides, what prevents anyone from submitting information from a bogus form?

abstractj

8:50 pm on May 8, 2003 (gmt 0)

What are some solutions as far as server side? by using the CPAN modules to remove html tags from input?

I would like to hear some suggestions.

Thanks.

dmorison

9:12 pm on May 8, 2003 (gmt 0)

Hi Again,

Have a look at the following page on the Apache website regarding CSS (cross-site-scripting). It has example code in PHP and Perl...

[httpd.apache.org...]

abstractj

9:14 pm on May 8, 2003 (gmt 0)

Thanks D for answering my question. My hosting is not running on Apache rahter Netscape Enterprise Server or NES... Thanks for the link.

Abstract

dmorison

9:15 pm on May 8, 2003 (gmt 0)

No problem!

That page should help - the Perl code is certainly generic.

DrDoc

9:15 pm on May 8, 2003 (gmt 0)

Don't try to figure out which characters to remove. Instead, decide which characters are allowed, and remove all that aren't allowed.

If you try to remove certain characters, you will most likely miss some.

abstractj

9:18 pm on May 8, 2003 (gmt 0)

Nevermind spoke too soon. Thanks for the info.

abstractj

9:20 pm on May 8, 2003 (gmt 0)

good point doc. now, i have to hit the perl cook book...