teamsiems » tpr5 http://teamsiems.com A team of Siems making observations Thu, 02 Feb 2012 15:59:31 +0000 en hourly 1 http://wordpress.org/?v=3.3.1 Cross-site Scripting: What Is It, and How Can You Protect Your Site from Becoming a Victim? http://teamsiems.com/2009/10/cross-site-scripting-what-is-it-and-how-can-you-protect-your-site-from-becoming-a-victim/ http://teamsiems.com/2009/10/cross-site-scripting-what-is-it-and-how-can-you-protect-your-site-from-becoming-a-victim/#comments Thu, 08 Oct 2009 14:22:13 +0000 Chris http://teamsiems.com/?p=636 Continue reading ]]> Paul Gilzow
Programmer/Analyst-Expert, University of Missouri

twitter: gilzow

October 7

(This was Winner of Best of Track TPR)

Presentation http://2009.highedweb.org/presentations/TPR5.zip

or local copy Cross-site Scripting: What Is It, and How Can You Protect Your Site from Becoming a Victim?

Same Origin policy: 1 page in 1 tab can’t interact with other page in another tab.

Injection attack: accept exploits the trust for a site

Education sites are the worst for xss.

URL Shorteners are bad: need to be locked down in edu

Three main types:

  1. non-presistent/reflective – most common, relies on social engineering (GET data)
  2. persistent/stored – web forums, social media sites (POST data)
  3. local – less likely but dangerous (html files on your desktop)

Try

” ‘ < abx >

The People directory “search” is not google and thus another company (in house) makes the search – more vulnerable.

How to protect:

Be paranoid. Trust no one. Layers, layers, layers.

Input filtering

Input validation

Output encoding

Intrusion detection system

PHPIDS

Tidy the output

HTML Purifier

AntiSamy

www.xssed.com

No Script plugin for Firefox.

Look at phped for php editing.

]]> http://teamsiems.com/2009/10/cross-site-scripting-what-is-it-and-how-can-you-protect-your-site-from-becoming-a-victim/feed/ 0