Extra Defensive Measures

You can add many other defensive mechanisms to your web server application code in case you miss an XSS bug. They include the following:

  • Adding the httponly option to your cookies. This helps Internet Explorer 6.0 (and later) users because a cookie marked this way cannot be read using document.cookie. Refer to the Other Resources section for more information. ASP.NET 2.0 adds HttpCookie.HttpOnly to help set this.

  • Wrapping double quotes around tag properties based on input. Rather than <img src=someinput>, use <img src="someinput">. This helps foil some attacks that can bypass HTML encoding, and is explained in Writing Secure Code, Second Edition by Michael Howard and David C. LeBlanc (Microsoft Press, 2002), p. 422.

  • If you use ASP.NET, make sure the ValidateRequest configuration is enabled. It is enabled by default, but double check. This option will fail requests and responses that contain invalid characters. It's not failsafe, but it's a good defense. Refer to the Other Resources section for more information.

  • Apache's mod_perl offers Apache::TaintRequest to help detect when input becomes output without being validated first. Refer to the Other Resources section for more information.

  • Microsoft's UrlScan for Internet Information Server 5.0 helps detect and reject many classes of XSS vulnerabilities in your web application code.

    Note

    UrlScan is not needed with Internet Information Server 6.0 (IIS6) because IIS6 has similar functionality built in. Refer to the Other Resources section for more information.
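The following is an added illustration, not code from the book, of the first two points above: why an HTML-encoded but unquoted attribute can still be broken out of, and how an HttpOnly cookie is emitted. It uses Python's standard library instead of ASP.NET; the function names and the sample input are constructed for the example.

```python
import html
from html.parser import HTMLParser
from http.cookies import SimpleCookie


def render_unquoted(src):
    # The weak form from the text: the value is HTML-encoded but not quoted.
    return '<img src=%s>' % html.escape(src)


def render_quoted(src):
    # The recommended form: HTML-encoded AND wrapped in double quotes.
    # quote=True turns " into &quot;, so the value cannot close the attribute.
    return '<img src="%s">' % html.escape(src, quote=True)


class _ImgAttrs(HTMLParser):
    # Minimal parser that records the attributes the browser would see on <img>.
    def __init__(self):
        super().__init__()
        self.attrs = []

    def handle_starttag(self, tag, attrs):
        if tag == 'img':
            self.attrs = attrs


def img_attributes(markup):
    # Returns {attribute_name: value} as parsed from the rendered tag.
    parser = _ImgAttrs()
    parser.feed(markup)
    return dict(parser.attrs)


def session_cookie_header(name, value):
    # First point in the text: flag the cookie HttpOnly so script cannot read it
    # via document.cookie. Returns the Set-Cookie header value.
    cookie = SimpleCookie()
    cookie[name] = value
    cookie[name]['httponly'] = True
    return cookie[name].OutputString()


# Constructed sample input: it contains no <, >, &, or ", so HTML encoding leaves
# it unchanged; the embedded space is enough to add a second attribute when the
# value is not quoted.
SAMPLE = 'photo.png width=9999'

if __name__ == '__main__':
    print(render_unquoted(SAMPLE), img_attributes(render_unquoted(SAMPLE)))
    print(render_quoted(SAMPLE), img_attributes(render_quoted(SAMPLE)))
    print(session_cookie_header('session', 'abc'))
```

Parsing both renderings shows the unquoted form yields two attributes (src and width) while the quoted form keeps the entire input inside src, which is the difference the book's second bullet relies on.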



19 Deadly Sins of Software Security. Programming Flaws and How to Fix Them
Year: 2003