It can be beneficial in cases in which the code cannot be fixed (because it is controlled by a third party), as an emergency prevention measure while more comprehensive software assurance measures are applied, or to provide defense in depth. Use an application firewall that can detect attacks against this weakness. When the set of acceptable objects, such as filenames or URLs, is limited or known, create a mapping from a set of fixed input values (such as numeric IDs) to the actual filenames or URLs, and reject all other inputs. More importantly, XMLHTTPRequest and other powerful browser technologies provide read access to HTTP headers, including the Set-Cookie header in which the HttpOnly flag is set. This is not a complete solution, since HttpOnly is not supported by all browsers. In browsers that support the HttpOnly feature (such as more recent versions of Internet Explorer and Firefox), this attribute can prevent the user's session cookie from being accessible to malicious client-side scripts that use okie. To help mitigate XSS attacks against the user's session cookie, set the session cookie to be HttpOnly.
With Struts, write all data from form beans with the bean's filter attribute set to true. These mechanisms may be able to provide the relevant quoting, encoding, and validation automatically, instead of relying on the developer to provide this capability at every point where output is generated. If available, use structured mechanisms that automatically enforce the separation between data and code. Then, these modified values would be submitted to the server. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Remember that such inputs may be obtained indirectly through API calls.
Understand all the potential areas where untrusted inputs can enter your software: parameters or arguments, cookies, anything read from the network, environment variables, reverse DNS lookups, query results, request headers, URL components, e-mail, files, filenames, databases, and any external systems that provide data to the application. The Cheat Sheet contains many subtle XSS variations that are specifically targeted against weak XSS defenses. Use the XSS Cheat Sheet or automated test-generation tools to help launch a wide variety of attacks against your web application. This is not a perfect solution, since 100% accuracy and coverage are not feasible, especially when multiple components are involved. Many modern techniques use data flow analysis to minimize the number of false positives. Use automated static analysis tools that target this type of weakness. However, this would cause confusion with "Cascading Style Sheets," so usage of this acronym has declined significantly. In the early years after initial discovery of XSS, "CSS" was a commonly-used acronym. Used as a synonym of stored (Type 2) XSS. A common abbreviation for Cross-Site Scripting. The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. The WebMail components (Crystal, pronto, and pronto4) in CommuniGate Pro before 6.2.1 have stored XSS vulnerabilities via (1) the location or details field of a Google Calendar invitation, (2) a crafted calendar (aka Hotmail Calendar) invitation, (3) e-mail granting access to a directory that has JavaScript in its name, (4) JavaScript in a note name, (5) JavaScript in a task name, or (6) HTML e-mail that is mishandled in the Inbox component.ĬWE-79 : Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
0 kommentar(er)
