Sanitize user input

Posted by CKret on September 30, 2009

Today our local newspaper opened their brand new website to the public with every kind of publicity stunt you can think of.

“The new site is so much better than the old one.”
“We’ve got Web 2.0 functionality!”
These are some of the sentences flying all over the place.

So I thought I’d check it out to see what all the fuss is about. To my surprise I found a meager-looking site with some performance issues. “It’s day one, maybe a lot of visitors,” I thought to myself. Eager to check out the community functionality, I created an account. When I added information to my profile it hit me: “Why don’t I do a small penetration test on the site?”

Said and done, I started with some simple XSS (Cross-Site Scripting) attacks. The first ones failed and the website seemed to be well protected. But then suddenly I struck gold.

They seemed to have some protection, but it was not nearly as complete as they thought. From the launch of the site to a successful XSS attack it took just minutes. This was, as their project manager put it, “Embarrassing”. I immediately contacted the site administrators about this and eventually got a reply stating my “attack” had given them a lot of problems with their administration interface. After a few emails back and forth they successfully fixed the security flaw. Well, at least for that particular threat.

What can we learn from this?

Always handle user input correctly: validate it on the way in and, more importantly for XSS, encode it for the context it is rendered into (HTML body, attribute value, JavaScript, URL) on the way out. Stripping a handful of known-bad strings is not protection; it only stops the first payload an attacker tries. There are guidelines and APIs to help you along. A couple of particularly good ones are OWASP's AntiSamy (an allowlist-based sanitizer for the cases where you really want to accept user-supplied HTML) and Microsoft's AntiXSS (an output-encoding library). There is no need to write your own filter when existing free, open-source solutions have been proven to be at least as effective.
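To make the point concrete, here is an added example (my own illustration, not code from the newspaper's site or from AntiSamy/AntiXSS) contrasting the kind of incomplete blacklist filter that gets bypassed in minutes with contextual output encoding. The payloads are constructed for the demonstration and are not the ones used against the site in the post.

```python
import html
import re

# Constructed test payloads for the demonstration (not taken from the site).
PAYLOADS = [
    "<script>alert(1)</script>",             # the textbook case the filter expects
    "<ScRiPt>alert(1)</ScRiPt>",             # case variation
    "<img src=x onerror=alert(1)>",          # no <script> tag at all
    "<scr<script>ipt>alert(1)</script>",     # nesting: removing the inner tag rebuilds the outer one
    '"><svg onload=alert(1)>',               # breaks out of a quoted attribute first
]


def blacklist_sanitize(value: str) -> str:
    """A naive 'sanitizer' of the kind that looks protective but is not:
    strips the literal <script> tags in a single, case-sensitive pass."""
    return value.replace("<script>", "").replace("</script>", "")


def escape_for_html_body(value: str) -> str:
    """Contextual output encoding for text placed into an HTML element body or
    a quoted attribute value. After this, nothing the user typed can open a
    tag or close the surrounding attribute, whatever it looks like."""
    return html.escape(value, quote=True)


# A '<' followed by a letter, '!' or '/' is what an HTML parser treats as
# the start of a tag; that is the property we need the output to lack.
TAG_START_RE = re.compile(r"<[a-zA-Z!/]")


def still_contains_markup(value: str) -> bool:
    """True if the string can still start an HTML tag when rendered."""
    return TAG_START_RE.search(value) is not None


def evaluate(payloads=PAYLOADS):
    """For each payload, report whether each approach leaves live markup."""
    results = []
    for p in payloads:
        results.append({
            "payload": p,
            "blacklist_leaks": still_contains_markup(blacklist_sanitize(p)),
            "encoding_leaks": still_contains_markup(escape_for_html_body(p)),
        })
    return results


if __name__ == "__main__":
    for r in evaluate():
        print(f"{r['payload']!r:45} blacklist leaks: {r['blacklist_leaks']!s:5} "
              f"encoding leaks: {r['encoding_leaks']}")
```

Run it and the blacklist passes four of the five payloads straight through; the nested one is the nasty case, since removing the inner `<script>` leaves a valid `<script>` behind. Encoding leaks nothing, because it makes no attempt to recognise attacks: it simply guarantees that user text is rendered as text. If the site genuinely needs to accept rich HTML from users (forum posts, comments), that is where an allowlist sanitizer such as AntiSamy belongs instead of ad-hoc string replacement.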


