How to Review Code for XSS Bugs


Here's a simple four-step program for getting out of XSS issues:

  1. Write down all the entry points to your Web application. Remember that this includes fields in forms, querystrings, HTTP headers, cookies, and data from databases.

  2. Trace each datum as it flows through the application.

  3. Determine whether the datum is ever reflected to output.

  4. If it is reflected to output, is it clean and sanitized?

And obviously, if you find an uninspected datum that is echoed, you should pass it through a regular expression or some other sanity-checking code that looks for good things (not bad things), and then encode the output if you have any doubts. If your regular expression fails to confirm the validity of the data, you should dispose of the request.

You should also review error message pages; they have proved a target-rich environment in the past.

Finally, pay special attention to client code that uses innerHTML and document.write.
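As an added example (not code from the book), the following Python handler puts steps 3 and 4 and the error-page advice into practice: each entry point is checked against an allow-list regular expression that describes good input, a request that fails is disposed of, and every datum that is reflected, including in the error page, is HTML-encoded. The entry point names, patterns and handler are constructed for this illustration.

```python
import html
import re

# Allow-list patterns for three constructed entry points (form field, querystring
# parameter, cookie). Each pattern describes what GOOD input looks like; anything
# that does not match is rejected rather than "cleaned".
ALLOWED = {
    "username": re.compile(r"[A-Za-z0-9_.-]{1,32}"),   # form field
    "page":     re.compile(r"[0-9]{1,4}"),             # querystring parameter
    "lang":     re.compile(r"[a-z]{2}(-[A-Z]{2})?"),   # cookie
}

class RejectRequest(ValueError):
    """Raised when a datum fails allow-list validation; the request is disposed of."""

def validate(entry_points):
    """Step 4: keep only values that match the allow-list, reject everything else."""
    unexpected = sorted(set(entry_points) - set(ALLOWED))
    if unexpected:
        raise RejectRequest("unexpected entry point(s): " + ", ".join(unexpected))
    clean = {}
    for name, pattern in ALLOWED.items():
        value = entry_points.get(name, "")          # a missing datum never matches
        if not pattern.fullmatch(value):
            raise RejectRequest("entry point %r failed validation" % name)
        clean[name] = value
    return clean

def render_greeting(entry_points):
    """Return (status, html_body). Every reflected datum is HTML-encoded."""
    try:
        clean = validate(entry_points)
    except RejectRequest as exc:
        # Error pages reflect attacker-chosen data too (the unexpected names
        # above), so they are encoded exactly like the success page.
        return "400 Bad Request", "<p>Error: %s</p>" % html.escape(str(exc))
    # The allow-list already excludes markup characters, but the output is still
    # encoded: if a pattern is loosened later, the HTML context stays intact.
    body = "<p>Hello, %s. Page %s (%s)</p>" % (
        html.escape(clean["username"]),
        html.escape(clean["page"]),
        html.escape(clean["lang"]),
    )
    return "200 OK", body

if __name__ == "__main__":
    print(render_greeting({"username": "alice", "page": "3", "lang": "en-US"}))
    print(render_greeting({"username": "<script>alert(1)</script>", "page": "3", "lang": "en"}))
```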

More Info
Another example of the don't trust user input Web-based attack is the HTML Form Protocol Attack, which sends arbitrary data to another server by using the Web server as an attack vector. A paper outlining this attack is at http://www.remote.org/jochen/sec/hfpa/hfpa.pdf.



Writing Secure Code, Second Edition
ISBN: 0735617228
Year: 2001
Pages: 286
