Chapter 13
Web-Specific Input Issues
It's now time to turn our attention to what is potentially the most hostile of all environments: the Web. In this chapter, I'll focus on making sure that applications that use the Web as a transport mechanism are safe from attack. I'm assuming you've read Chapter 10, All Input Is Evil! and Chapter 11, Canonical Representation Issues, before reading this, and if you use a database as part of your Web-based application, you should also read Chapter 12, Database Input Issues.
Virtually all Web applications perform some action based on user requests. Let's be honest: a Web-based service that doesn't take user input is probably worthless! Remember that you should determine what data is valid and reject all other input. I know I sound like a broken record, but data verification is probably the most important discipline to understand when building secure applications.
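The principle stated above, "determine what data is valid and reject all other input", is allow-list validation. The following is an added example, not code from the book, that defines an allow-list per request field and, for contrast, a deny-list of "known bad" fragments; the field names, patterns and the sample request are constructed for illustration. It shows the two things a practitioner usually gets wrong: a deny-list is bypassed by any attack string it has not seen (an `<img onerror=...>` payload, or a URL-encoded `<script>`), and a regex anchored with `$` rather than `fullmatch` quietly accepts a trailing newline.

```python
import re

# Allow-list: an explicit definition of valid input for each field the page
# expects. Anything else, including fields we never asked for, is rejected.
# Field names and patterns are constructed for this example.
ALLOW_LIST = {
    "username": re.compile(r"[A-Za-z0-9_]{3,32}"),
    "order_id": re.compile(r"[0-9]{1,10}"),
    "zip":      re.compile(r"[0-9]{5}(-[0-9]{4})?"),
}

# Deny-list of "known bad" fragments, included only to show why it fails.
DENY_LIST = ("<script", "javascript:")


def allow_list_valid(field, value):
    """True only if the field is known and the whole value matches its pattern."""
    pattern = ALLOW_LIST.get(field)
    if pattern is None:
        return False          # unknown field: reject, do not guess
    # fullmatch anchors both ends. re.match(r"...$") would accept "42\n",
    # because $ matches before a trailing newline.
    return pattern.fullmatch(value) is not None


def deny_list_valid(value):
    """Deny-list check: passes anything that contains no listed fragment."""
    lowered = value.lower()
    return not any(bad in lowered for bad in DENY_LIST)


def validate_request(params):
    """Split a request into accepted and rejected fields using the allow-list."""
    accepted, rejected = {}, {}
    for field, value in params.items():
        if allow_list_valid(field, value):
            accepted[field] = value
        else:
            rejected[field] = value
    return accepted, rejected


# Constructed sample request: three legitimate fields plus an unexpected
# "comment" field carrying a script-injection payload.
SAMPLE_REQUEST = {
    "username": "alice_01",
    "order_id": "42",
    "zip": "98052-6399",
    "comment": "<img src=x onerror=alert(1)>",
}

# Payloads the deny-list lets through: no "<script" and no "javascript:" in them.
DENY_LIST_MISSES = (
    "<img src=x onerror=alert(1)>",   # different tag and event handler
    "%3Cscript%3Ealert(1)%3C/script%3E",  # URL-encoded, see Chapter 11
)


if __name__ == "__main__":
    accepted, rejected = validate_request(SAMPLE_REQUEST)
    print("accepted:", accepted)
    print("rejected:", rejected)
    for payload in DENY_LIST_MISSES:
        print(f"deny-list passes {payload!r}: {deny_list_valid(payload)}")
    print("allow-list accepts '42\\n' as order_id:",
          allow_list_valid("order_id", "42\n"))
```

The deny-list is kept only as a foil; the allow-list is the check to ship. Note that the unknown `comment` field is rejected rather than passed through, which is the behaviour you want when the page did not ask for that parameter.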
In this chapter, I'll focus on cross-site scripting issues (mainly because they are so prevalent) and HTTP trust issues, and I'll explain which threats Secure Sockets Layer (SSL) and Transport Layer Security (TLS) help to resolve. So let's get started with the attack du jour: cross-site scripting.