Thursday, November 09
My current headache is cross-site scripting, or XSS.
Cross-site scripting is an unforeseen product of the combination of browser programmability and communally-updated websites. Javascript and XMLHttpRequest let your browser do all sorts of nifty things; community web sites let people build really nifty things; together they let bad people steal your ID.
Anyone can create a web page that will read your cookies, but browsers aren't stupid, and they will only cough up the cookies for that web site. That was not a problem in the past, because before anyone could do anything untoward they had to take control of the website by some other means.
But if you have a community site where people can insert unfiltered HTML, that lets other people steal your cookies for that site. Badness.
The approaches to this problem seem to be threefold:
1. The listen-to-nanny approach, as typified by CERT: Tell people to turn off Javascript, and not to browse unknown web sites, especially after dark.
2. The patch-it-and-hope approach: Scrub the HTML for any untoward Javascript. If your site can restrict what users put up on their pages, you may be able to eliminate Javascript altogether - though even then, you might get tripped up the way MySpace was.
3. The keep-the-doors-and-windows-locked approach: Don't use cookies that give users global access. I think Blogger may be doing this, and that's why you keep having to log in to comment.
You have to do some of 2 in any case. If you don't scrub comments of bad HTML, you will find your page layouts corrupted in very short order. 3 looks likely to be the most robust, but at the cost of user functionality.
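To make approach 2 concrete, here is an added example (my own code, not from the original post or from Minx) of the scrubbing step done as an allow-list rather than a block-list: only a fixed set of tags, attributes and URL schemes survive, and everything else, including script blocks, event-handler attributes and javascript: links with whitespace stuffed into the scheme, is dropped. It uses only Python's standard library html.parser; the tag, attribute and scheme lists are my choice and would be tuned per site.

```python
"""Allow-list HTML sanitizer for user comments (added example, not the post's code)."""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tags and attributes a comment may carry; anything not listed is dropped.
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "a", "code", "pre", "br"}
ALLOWED_ATTRS = {"a": {"href"}}
# URL schemes permitted in href. javascript:, data:, vbscript: are not here.
ALLOWED_SCHEMES = {"http", "https", "mailto"}
VOID_TAGS = {"br"}


def safe_url(url):
    """Accept relative URLs and the allowed schemes; reject everything else.

    Whitespace and control characters are removed first, because browsers
    tolerate them inside a scheme ("java\\nscript:") while naive checks do not.
    """
    cleaned = "".join(c for c in url if not c.isspace() and ord(c) >= 32)
    scheme = urlparse(cleaned.lower()).scheme
    return scheme == "" or scheme in ALLOWED_SCHEMES


class CommentSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0  # >0 while inside <script>/<style>: drop their text
        self.open_tags = []  # stack of emitted tags, so output stays well-formed

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return
        kept = []
        for name, value in attrs:
            # Unknown attributes (including every on* handler) never get here.
            if name in ALLOWED_ATTRS.get(tag, set()) and value is not None:
                if name == "href" and not safe_url(value):
                    continue
                kept.append(' %s="%s"' % (name, escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag in VOID_TAGS or tag not in self.open_tags:
            return
        # Close anything opened after this tag so nesting is always balanced.
        while self.open_tags:
            closed = self.open_tags.pop()
            self.out.append("</%s>" % closed)
            if closed == tag:
                break

    def handle_data(self, data):
        # Text is re-escaped, so "&lt;script&gt;" stays inert after parsing.
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))

    def close(self):
        super().close()
        while self.open_tags:  # close tags the commenter left open
            self.out.append("</%s>" % self.open_tags.pop())


def sanitize(html):
    """Return a version of html containing only allow-listed markup."""
    parser = CommentSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    # Constructed sample comments, not real submissions.
    for sample in ['<p>Hi <b>there</b></p>',
                   'Hi<script>readCookie()</script> there',
                   '<a href="java\nscript:readCookie()">link</a>',
                   '<b onmouseover="readCookie()">bold</b>',
                   '<p>a<i>b</p>']:
        print(repr(sample), "->", repr(sanitize(sample)))
```

The allow-list is what makes this hold up: a block-list has to anticipate every encoding and whitespace trick a browser will accept, whereas here an attribute or scheme that was never explicitly approved simply never reaches the output. HTML comments, declarations and unknown tags are discarded by the parser's defaults.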
Anyone know of any in-depth resources on this? Or are people keeping their solutions close to their chests?
Posted by: Pixy Misa at 07:09 AM