Subject: Re: 'cross site scripting' defenses
From: flynngn JMU.EDU
Date: Sun Feb 06 2000 - 17:32:15 CST
- Next message: antirez: "Re: Tempfile vulnerabilities"
- Previous message: Jesús López de Aguileta: "More SQL hacking with IIS 4 through Access Driver"
- In reply to: Tim Hollebeek: "recent 'cross site scripting' CERT advisory"
- Next in thread: Bill Thompson: "Re: recent 'cross site scripting' CERT advisory"
- Reply: flynngn JMU.EDU: "Re: 'cross site scripting' defenses"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
I was thinking of ways that the vulnerabilities could be taken
advantage of to use as examples. It seems that by following a
few minor design rules and one minor usage rule, a lot of the
problem can be contained until the core deficiencies in code
can be fixed. At least in sites which require a login. I base
these rules on the assumption that script can only be injected
into the first page of a web application and that there is only
a single entry point (i.e. web page) into the application. I also
assume that a user isn't tricked into performing an entire web
application transaction on a hostile site. Those rules are:

1) Don't include anything on the login screen except fields
for username and password. Doing this would seem to help
ensure that if script is injected, the login will fail.

2) Don't return any user supplied data to the browser on a
failed login. This is so if some script code is injected into
the username and password fields, it won't be returned to
the browser when the corrupted authentication information
causes the login to fail.

3) Encourage users to "logout" of a web application before browsing
elsewhere.

Am I thinking right?
Gary Flynn
Security Engineer
James Madison University
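The three rules in the post, as an added example that is not part of the original message or anything Gary Flynn or the list published. It is a self-contained, standard-library Python login handler: the login page is a fixed form with only the two fields (rule 1), a failed login returns a fixed message with nothing the client sent (rule 2), and logout invalidates the session on the server side (rule 3). The user store, the `USERS`/`SessionStore`/`handle_login` names and the `<i>injected</i>` marker are constructed for the demo; the unsafe variant is kept next to the safe one only to show what rule 2 removes, and `failed_login_escaped` is the fallback for a product that must reflect the name.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from html import escape

# Constructed credential store for the demo. Hypothetical user; a real
# application stores a salted password hash, never the password itself.
USERS = {"alice": "correct horse battery"}

# Rule 1: the login page carries nothing but the two fields. No reflected
# query string, no "welcome back, <name>", no referrer text.
LOGIN_FORM = (
    '<form method="post" action="/login">'
    '<input name="username">'
    '<input name="password" type="password">'
    '<input type="submit" value="Login">'
    "</form>"
)


def render_login_form() -> str:
    """Serve the login page with no user-controlled content at all."""
    return LOGIN_FORM


def failed_login_unsafe(username: str) -> str:
    """Anti-pattern the post warns about: the submitted username is copied
    straight back into the response, so any markup in it becomes part of
    the page."""
    return f"<p>Login failed for {username}.</p>" + LOGIN_FORM


def failed_login_safe(username: str) -> str:
    """Rule 2: a fixed message; nothing the client sent is returned."""
    del username  # deliberately unused
    return "<p>Login failed.</p>" + LOGIN_FORM


def failed_login_escaped(username: str) -> str:
    """Fallback when a product insists on reflecting the name: HTML-encode
    it (quote=True also encodes quotes, which matters inside attributes)."""
    return f"<p>Login failed for {escape(username, quote=True)}.</p>" + LOGIN_FORM


@dataclass
class SessionStore:
    """Server-side sessions keyed by an unguessable id."""
    sessions: dict = field(default_factory=dict)

    def create(self, user: str) -> str:
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = user
        return sid

    def user_for(self, sid: str):
        return self.sessions.get(sid)

    def logout(self, sid: str) -> None:
        """Rule 3: logging out invalidates the session on the server, so a
        cookie that later leaks to another site is already worthless."""
        self.sessions.pop(sid, None)


def handle_login(store: SessionStore, username: str, password: str):
    """Return (status, session_id_or_None, response_body)."""
    expected = USERS.get(username)
    if expected is not None and hmac.compare_digest(
        expected.encode(), password.encode()
    ):
        return 200, store.create(username), "<p>Welcome.</p>"
    # Failure path never echoes the submitted username or password.
    return 401, None, failed_login_safe(username)
```

The design point is that rule 2 removes the reflection entirely rather than relying on encoding; `failed_login_escaped` is there for the case where the product owner refuses that, and even then the encoding has to match the context the value lands in (HTML body here; attribute and script contexts need their own encoders). Rule 3 only helps if `logout` actually destroys the server-side record, not just the cookie.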