Home page logo
/

basics logo Security Basics mailing list archives

RE: XSS vulnerability
From: "Marco M. Morana" <marco.m.morana () gmail com>
Date: Sat, 15 Dec 2007 07:31:19 -0500

Kelvin Heng

XSS is an input validation vulnerability that is best mitigated by
developers enforcing sanitizing of input data (filtering) and output data
(encoding).

I covered the Google XSS vulnerability on my blog while talking of XSS UTF-7
attacks
http://securesoftware.blogspot.com/2007/11/xss-utf-7-encoded-vulnerabilites-
and.html

Specifically, Google UTF-7 XSS has been dealt with here:
http://www.governmentsecurity.org/forum/lofiversion/index.php/t18105.html.

You can harden the web server to limit the attack surface to XSS. For IIS
look at URL Scan
http://www.microsoft.com/technet/security/tools/urlscan.mspx as well as
commercial tools that use IIS ASAPI filters
http://www.eeye.com/html/products/secureiis/

For apache look at mod security
http://www.onlamp.com/pub/a/apache/2003/11/26/mod_security.html

On the server disabling TRACE methods is critical to prevent XSS toward the
web server(http://www.securityspace.com/smysecure/catid.html?id=11213)

For an holistic 101 defense of XSS I wrote this paper here, is old by still
valid today:
http://www.techweb.com/news/showArticle.jhtml?articleID=46200069

Another resource I suggest is OWASP.

Regards

Marco Morana
OWASP Cincinnati Chapter Leader
http://www.owasp.org/index.php/Cincinnati
http://securesoftware.blogspot.com


-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of Heng Kuo Kuang Kelvin NCS
Sent: Thursday, December 13, 2007 9:55 PM
To: security-basics () securityfocus com
Subject: XSS vulnerability

Hi,
I tried to google for XSS vulnerability, how to hack, how to prevent,
etc. However, I have no any meaningful information for me to work with.

Actually, I am supposed to address some XSS vulnerability on some of the
in-house application developed by 3rd party vendor. My web server is
already patched to its latest version, however the coding in the
application is subjected to XSS vulnerability, I would like to do
something about it rather than waiting for the application developer to
rewrite the application.

Can anyone of you help me by giving me some guidance?

1) What kind of pattern will I be able to pick up from my web server
logs to show that there is XSS attacks against my web server?
2) How can I prevent XSS from attacking my web servers [Apache, Sun One,
IIS 5 & 6] without having to change the application coding? 
3) How can I test for XSS vulnerability on my web servers?

Any information will be greatly appreciated. 

Thanks in advance

Regards,
Kelvin Heng


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault