How to prevent cross-site scripting?

 
#1, August 16th, 2006, 10:45 PM
somebody (Guest)

I've been informed of a cross-site scripting vulnerability.
Given the example of this exploit below, how do you prevent
this from being passed to the perl cgi script myscript.cgi?
Normally the script would be called with only:

http://www.somedomain.com:/cgi-bin/myscript.cgi


This is how myscript.cgi is exploited:

http://www.somedomain.com:/cgi-bin/myscript.cgi/(PostData)submit=Submit&type=1.7&solve_for=%22%3e%3cscript%3ealert('spid')%3c%2fscript%3e


Or an exploit using javascript:

http://b0iler.com/script.cgi?display=<script type=text/javascript>alert('hello');</script>


-Thanks


#2, August 16th, 2006, 11:15 PM
Randy Webb (Guest)
Re: How to prevent cross-site scripting?

somebody said the following on 8/16/2006 6:54 PM:
> I've been informed of a cross-site scripting vulnerability.
> Given the example of this exploit below, how do you prevent
> this from being passed to the perl cgi script myscript.cgi?
> Normally the script would be called with only:
>
> http://www.somedomain.com:/cgi-bin/myscript.cgi
>
> This is how myscript.cgi is exploited:
>
> http://www.somedomain.com:/cgi-bin/myscript.cgi/(PostData)submit=Submit&type=1.7&solve_for=%22%3e%3cscript%3ealert('spid')%3c%2fscript%3e

Then have myscript.cgi check for that scenario and reject it. The answer
doesn't lie with JS, it lies with securing your server side code against
that attack. And, it doesn't take JS to exploit that, it only takes the
knowledge of the vulnerability to exploit it.

--
Randy
comp.lang.javascript FAQ - http://jibbering.com/faq & newsgroup weekly
Javascript Best Practices - http://www.JavascriptToolbox.com/bestpractices/
#3, August 17th, 2006, 01:05 AM
Kevin Darling (Guest)
Re: How to prevent cross-site scripting?

somebody wrote:
> I've been informed of a cross-site scripting vulnerability.
> Given the example of this exploit below, how do you prevent
> this from being passed to the perl cgi script myscript.cgi?

You can't keep it from being passed to your server; someone could simply
type the attack into the browser address bar, for example. This is not
a Javascript issue, it's a server issue...

What you have to do is filter / verify any input that you will echo
back. Generally, filtering out <>#() and quotes will stop most
attacks. However, see the following url for a hacker's view of ways
around many filter traps: http://ha.ckers.org/xss.html

Note that an XSS attack won't work if you don't blindly echo back an
input!! In other words, if your URL looks like, say:

http://math.com/add_two_numbers.asp?x=1&y=2

and adds x + y together and returns just the result without echoing x
or y, then no attack is possible.

Kev

#4, August 17th, 2006, 03:25 AM
Kevin Darling (Guest)
Re: How to prevent cross-site scripting?


Kevin Darling wrote:
> What you have to do is filter / verify any input that you will echo
> back. Generally, filtering out <>#() and quotes will stop most
> attacks. However, see the following url for a hacker's view of ways
> around many filter traps: http://ha.ckers.org/xss.html

Woof. Never write with a four-year-old on your lap. Makes you rush
too much :-)

You should at least also filter out characters like &[ ] / \ ;
because these can, in addition to the < () " ' mentioned already, be
used to create XSS attack scripts.

Kev
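The advice in posts #2 through #4 (reject input you can validate, never echo raw input, and be aware that a character blacklist is both bypassable and destructive to legitimate input) put into a working Perl CGI. This is an added example; it is not the original poster's myscript.cgi and not code from anyone in the thread. It assumes CGI.pm is installed, that `type` is meant to be a decimal number, and that `solve_for` is a free-text expression; those parameter meanings are guesses from the URL in post #1, and `html_encode` is a local helper written here.

```perl
#!/usr/bin/perl
# Added example, not the original poster's myscript.cgi: a small Perl CGI
# that handles the "solve_for" and "type" parameters seen in the thread.
# Assumptions: type = decimal number, solve_for = free-text expression.
use strict;
use warnings;
use CGI;   # CPAN module (core in older perls); parses query string / POST body

# Encode the five characters that can change HTML structure. Do this at the
# moment of output, for HTML text and quoted attribute values; do not strip
# characters on input. CGI::escapeHTML and HTML::Entities::encode_entities
# do the same job; a local sub is used here so the example is self-contained.
sub html_encode {
    my ($s) = @_;
    $s //= '';
    my %map = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
               '"' => '&quot;', "'" => '&#39;');
    $s =~ s/([&<>"'])/$map{$1}/g;
    return $s;
}

# A field with a known shape is validated positively and rejected otherwise
# (post #2); no attempt is made to "clean" it into something acceptable.
sub valid_type {
    my ($t) = @_;
    return defined $t && $t =~ /\A[0-9]+(?:\.[0-9]+)?\z/;
}

my $q         = CGI->new;
my $type      = $q->param('type');
my $solve_for = $q->param('solve_for');

if (!valid_type($type)) {
    print $q->header(-status => '400 Bad Request', -type => 'text/plain');
    print "Parameter 'type' must be a number.\n";
    exit 0;
}

# Free text still gets a length cap; it just does not get a blacklist.
$solve_for = substr($solve_for // '', 0, 200);

print $q->header(-type => 'text/html', -charset => 'UTF-8');
print "<!DOCTYPE html><html><body>\n";

# VULNERABLE (what the exploit URL in post #1 relies on): raw echo.
#   print "<p>Solving for: $solve_for</p>\n";

# HARDENED: same value, HTML-encoded at output. The payload
#   "><script>alert('spid')</script>
# is rendered as literal text, while a legitimate expression such as
#   (x+1)/2 < 3
# survives unchanged; a blacklist of <>()/ would have mangled it.
print "<p>Solving for: ", html_encode($solve_for), "</p>\n";
print '<input type="text" name="solve_for" value="',
      html_encode($solve_for), "\">\n";
print "</body></html>\n";
```

CGI.pm accepts key=value pairs on the command line for debugging, so the script can be exercised without a web server: `perl myscript.cgi 'type=1.7' 'solve_for=%22%3e%3cscript%3ealert(%27spid%27)%3c%2fscript%3e'` prints the paragraph with `&quot;&gt;&lt;script&gt;alert(&#39;spid&#39;)&lt;/script&gt;` in place of the payload, and `perl myscript.cgi 'type=abc'` returns the 400 response. Output encoding is the part that actually closes the hole; the numeric check on `type` is the "reject it" from post #2 applied to the one field whose shape is known.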

 
