
	Home > Software Quality Tips > > Deal with cross-site scripting

Software Quality Tips:

EMAIL THIS

TIPS & NEWSLETTERS TOPICS

Deal with cross-site scripting

Mike Chapple, CISSP
09.16.2005
Rating: --- (out of 5)

Digg This!

StumbleUpon

Del.icio.us

Cross-site scripting is a serious security issue facing Web developers. This exploit allows malicious Web site operators to abuse the trust relationships Web users have with unrelated third-party sites and execute arbitrary scripting code on an end user's system.

The easiest way to describe cross-site scripting is with an example. Suppose that Mal, the operator of www.malicious.com decides to take advantage of this vulnerability to affect users from Acme Widgets. Mal knows that Acme operates an intranet site that hosts a feedback form at www.feedback.acme/form.htm. This form processes user feedback and displays a confirmation page thanking the user for their submission and displaying the data that was entered on the page. Mal also knows that users within Acme have the www.feedback.acme site listed as a trusted site, while his site www.malicious.com is an untrusted site.

To implement the attack, Mal places a hyperlink on his site labeled "Free Beer, Click Here!" (or whatever) and codes it to submit data to the Web page that processes input from www.feedback.acme/form.htm. In the feedback field, he enters the message "Thanks for everything."

When the user clicks the "Free Beer, Click Here!" link, he or she unintentionally submits the form to the trusted site, resulting in their...

Digg This!

StumbleUpon

Del.icio.us

RELATED CONTENT

	Threat modeling
	Web application security and the PCI DSS
	The essentials of Web application threat modeling
	How to implement security in Java EE and Java ME
	Application security shouldn't involve duct tape, Band-Aids or bubble gum
	Stop SQL injection attacks on applications
	How to counter XSS attacks
	Breaking the same origin barrier of JavaScript
	Protection against "zero-minute" exploits
	Denial of service and Ajax
	CSRF attack vector with Ajax serialization

Software security testing and techniques

Web server weaknesses you don't want to overlook

Using firewalls for software testing: Pros and cons

Beating software's cross-site scripting, authentication problems

Free Web proxy security tools software testers should get to know

How to get management on board with Web 2.0 security issues

Web application security best practices: Tips on implementation

Testing strategies for complex environments

How to make your software tamperproof

Ways to approach application performance testing on a tight budget

How can I tell if my software security has been breached?

Building security into the SDLC (Software development life cycle)

Problems caused by skipping analysis stage of SDLC

Inexpensive phase of SDLC to catch and fix bugs

GatherSpace beefs up cloud-based requirements management

ALM: Best of breed vs. complete systems

Software development life cycle phases, iterations, explained step by step

The role of quality assurance (QA) pros in software security

Common software security risks and oversights

Why the quality assurance department should be involved in testing

How to develop secure applications

Secure software development practices 'not rocket science'

RELATED RESOURCES

2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems

Search Bitpipe.com for the latest white papers and business webcasts

Whatis.com, the online computer dictionary

browser displaying a message thanking them for their input. However, when the browser encounters the portion of the page between the tags, it executes it as Web scripting code.

Now, you may ask what benefit lies in redirecting users from Mal's site to Acme's site. This lies in the trust relationship. True, Mal could simply place the script on his own site and bypass the cross-site part of the scenario. However, in this case, Mal's code would be handled by the browser's rules regarding untrusted sites. By using cross-site scripting, he effectively hijacks the trust relationship between Acme users and Acme intranet sites and forces the execution of his code according to the browser's rules for trusted sites.

Unfortunately, there is no simple fix for the cross-site scripting vulnerability. Web developers must be careful to filter out the tags and any other sensitive HTML elements from processed data before redisplaying it in the user's browser. As with many Web security issues, vigilant programming by security-conscious developers is the best solution.

About the Author
Mike Chapple, CISSP is an IT Security Professional with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force.

This tip originally appeared on SearchSecurity.com

Rate this Tip
To rate tips, you must be a member of SearchSoftwareQuality.com. Register now to start rating these tips. Log in if you are already a member.

DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.

Software Design & Testing - Project Management

SEARCH

TechTarget provides technology professionals with the information they need to perform their jobs - from developing strategy, to making cost-effective purchase decisions and managing their organizations' technology projects - with its network of technology-specific websites, events and online magazines.


TechTarget Corporate Web Site \| Media Kits \| Site Map All Rights Reserved, Copyright 2006 - 2009, TechTarget \| Read our Privacy Policy