Understanding XSS and How to Prevent It

There was recently a completely stupid XSS story covered on Slashdot whose main argument is quoted below.

XSS vulnerabilities are not a mark of bad or insecure code but rather 
a nasty but unavoidable risk that's a part of JavaScript - and that 
even then, XSS 'vulnerable' sites are no less dangerous or vulnerable 
at heart.

Fortunately, this is complete bullshit. We will discuss later what kind of countermeasures can be taken, but first of all make sure you know what XSS is. For that purpose I suggest reading the XSS FAQ.

Countermeasures

Now that you know what you're reading about, we can dive further into the technical details of preventing XSS vulnerabilities. An often-heard but wrong piece of advice is to simply replace all <> with their named counterparts &lt;&gt;. This, however, fails to prevent some JavaScript+CSS-based attacks such as the example below.

background:url(javascript:alert(document.cookie));

As another piece of advice, let me say that you shouldn’t rely on blacklists, that is, filtering out potentially dangerous stuff; instead use whitelists and allow only a well-defined set of tags + attributes. This is especially important because IE will even interpret JavaScript with embedded termination chars.

<scr\x00ipt>alert("Hello World")</s\x00cript>

I hope you realize that you will never catch all the possible cases, because there are simply too many hacks and tricks to bypass your filter. Therefore, use whitelists. If done right, it’s even better to use a template language completely unrelated to HTML, such as BBCode, which is often found in forums and wikis.
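A minimal filter along these lines, as an added example that is not part of the original post, written in Python with the standard-library html.parser. The tag and attribute policy and the names ALLOWED, url_is_safe and sanitize are assumptions chosen for illustration; anything not on the list is dropped and all text is escaped.

```python
import html
import re
from html.parser import HTMLParser

# Allowlist (hypothetical policy): tag -> attributes permitted on it.
ALLOWED = {
    "a": {"href", "title"}, "p": set(), "b": set(), "i": set(),
    "em": set(), "strong": set(), "code": set(), "pre": set(),
    "ul": set(), "ol": set(), "li": set(), "blockquote": set(),
}
URL_ATTRS = {"href"}
SAFE_SCHEMES = {"http", "https", "mailto"}

def url_is_safe(value):
    # Browsers ignore whitespace and control chars inside the scheme.
    compact = re.sub(r"[\x00-\x20]", "", value)
    scheme = re.match(r"([a-zA-Z][a-zA-Z0-9+.\-]*):", compact)
    return scheme is None or scheme.group(1).lower() in SAFE_SCHEMES

class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:
            return  # unknown tag: drop the markup, keep its text escaped
        kept = []
        for name, value in attrs:
            if name not in ALLOWED[tag]:
                continue  # e.g. style=, onclick=
            if name in URL_ATTRS and not url_is_safe(value or ""):
                continue  # e.g. href="javascript:..."
            kept.append(' %s="%s"' % (name, html.escape(value or "", quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))

    def handle_endtag(self, tag):
        if tag in ALLOWED:
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=True))

def sanitize(fragment):
    parser = AllowlistSanitizer()
    # Strip NUL first so the filter sees what a lenient browser would.
    parser.feed(fragment.replace("\x00", ""))
    parser.close()
    return "".join(parser.out)
```

Unbalanced tags pass through unbalanced here; a production filter would also track open elements and close them.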

It’s serious

So as you have seen, it is entirely possible to prevent Cross Site Scripting. It is made even easier by the fact that most languages supply such functionality; in PHP, for example, htmlentities() is available. Therefore, it basically comes down to the laziness of the programmer.

To see what can happen because of XSS vulnerabilities, see for example the MySpace worm.

A word about JavaScript

Nowadays I often read things like “JavaScript SUCKS!!!”. While this is partially true, JavaScript also has a few elegant ideas. At some point you start to appreciate prototype-based vs. class-based inheritance, the fact that functions are also objects, and its general functionalism. See for example this Usenet post from Richard Cornford to myself and the many other truly great resources in the comp.lang.javascript FAQ for some advanced JavaScript code. Unfortunately, JavaScript is also used for, and therefore associated with, popup ads and other disturbing things.

Marc