From: b0iler _ (b0iler_at_hotmail.com)
Date: Mon Jul 22 2002 - 00:20:21 CDT


    I do not know asp, so I cannot comment on the security of your code, or any
    of the examples given. But I'll try to help some.

    "Cross-site scripting (XSS) is a threat where the attacker can inject code
    into a Web application which gets executed at the visitor's site. This is
    possible whenever the input of the user gets displayed on the Web site
    again, for example in guest books."

    If the scripting is printed into a file, or is statically put onto a webpage
    then it is not cross site scripting, but instead script injection. There is
    a line between the two and many people mistake them. It would be kind of
    funny if all defacements were classified as cross site scripting.

    "But it's not the best way, because you need to think of it every time you
    read some request. The one and only place where you forget to use these
    functions might be the door for an attacker. The other major disadvantage is
    that this requires a system for code sharing to ensure that every Web
    application uses current functions."

    I would also say that another negative side of this would be that you don't
    always need to filter those characters. Sometimes filtering < > will do
    little good, as you described in this example:

    str=Welcome! );location.href= http://www.patrice.ch/ ;//

    Your filtering would not stop this. Some programmers may overlook this and
    just send all printed data through the < > filter.

    Two more common pitfalls I can think of would be:

    Encoding:
    Things like %xx can evade string filters. Convert these to ASCII before
    filtering strings. Other encoding techniques may be used.

    Unknown places where scripts can execute:
    some people do not know all the possible places one can execute scripting.
    You may filter " but <img src="$userinput"> is still vulnerable to script
    execution.

    Good luck with your asp.

    --
    http://b0iler.eyeonsecurity.net
    

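Added example, not part of the original post: a JavaScript sketch of the defensive side of the three points above (a < > filter that misses the JavaScript-string case, decoding %xx before filtering, and the img src context). All function names and sample inputs are constructed for illustration.

```javascript
// The "< > only" filter the post warns about.
function stripAngleBrackets(s) { return s.replace(/[<>]/g, ''); }

// Decode %xx until the value is stable, so filters see the real characters.
// Returns null for malformed escapes or input still changing after maxRounds.
function canonicalize(s, maxRounds = 5) {
  for (let i = 0; i < maxRounds; i++) {
    let next;
    try { next = decodeURIComponent(s); } catch (e) { return null; }
    if (next === s) return s;
    s = next;
  }
  return null;
}

// HTML body and quoted-attribute context.
function encodeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, c => map[c]);
}

// JavaScript string-literal context: everything except letters, digits and
// spaces becomes \uXXXX, so the value cannot close the surrounding literal.
function encodeJsString(s) {
  return s.replace(/[^A-Za-z0-9 ]/g,
    c => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// URL attribute context (img src): accept only absolute http/https URLs,
// then HTML-encode the normalized value for the attribute.
function safeImgSrc(raw) {
  let url;
  try { url = new URL(raw); } catch (e) { return null; }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return null;
  return encodeHtml(url.href);
}

// Constructed sample input: no < or > anywhere, so the naive filter is a no-op.
const jsContextInput = "Welcome!');location.href='http://example.invalid/';//";

function demo() {
  return {
    naive: stripAngleBrackets(jsContextInput),           // unchanged
    jsEncoded: encodeJsString(jsContextInput),           // quotes escaped
    encodedTag: stripAngleBrackets('%3Cb%3E'),           // filter sees no brackets
    decodedFirst: stripAngleBrackets(canonicalize('%3Cb%3E')),
  };
}
console.log(demo());
```

canonicalize rejects any value containing a stray literal % sign, so it is meant for parameters that arrive URL-encoded, not for free text that has already been decoded.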