tyuret
asked on
XSS prevention
Let's say I have a web site where the users can only see the transactions of the users from their own company (5 to 10 users).
It means that the site is a closed system, and there are a lot of companies using the site with a limited number of controlled users.
In this case, do I have to worry about Cross-Site Scripting (XSS) vulnerabilities? Is it a problem if the site is open to an XSS vulnerability?
Thank you.
ASKER
As far as I read from
http://css-tricks.com/what-is-xss/
XSS is used for stealing the session data of other users.
But how can that be possible in the system I described, since the attacker and the other users will never have an open interaction?
XSS can do much more than steal cookies. Here is a site describing just a few more things:
http://drupalscout.com/knowledge-base/anything-you-can-do-xss-can-do-better
You have to protect against XSS.
ASKER
I have checked the video, but a successful attack still needs interaction between different users.
In the video the admin logs in and views the related post (an interaction!).
In the system I am imagining, the admin can only view the posts of the company (the closed subsystem).
To do so, the admin should log in using the username of any user of that company with a super psw (a psw that exists in a server-side script and is valid for any username).
Therefore I still think that I don't need an XSS check.
What do you say? Thank you very much.
ASKER CERTIFIED SOLUTION
ASKER
Ok, that's right. So is there a way to prevent this type of attack in .htaccess?
Thank you.
You have to have some sort of backend process to strip script tags out of all input/requests. Check out the OWASP cheat sheet:
https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
The only other consideration is XSS that can be injected into the website URLs, something like this:
"http://www.yoursite.com/index.html?name=george"
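The reflected `?name=george` parameter above, as an added example that is not code from the thread: it parses the query string and renders the value once unencoded and once HTML-encoded, which is the output-encoding approach the linked OWASP cheat sheet describes for untrusted data placed into a page. The URL, the function names and the constructed `<script>` input are assumptions made for the example.

```python
"""Reflecting a URL query parameter into HTML: unsafe vs. encoded.

Constructed example. The vulnerable version concatenates the untrusted
value straight into markup; the hardened version HTML-encodes it for the
context it lands in (element text and a quoted attribute), so whatever
the user typed is displayed as text instead of being parsed as markup.
"""
import html
from urllib.parse import parse_qs, urlsplit


def name_from_url(url: str) -> str:
    """Extract the 'name' query parameter; empty string if absent."""
    query = parse_qs(urlsplit(url).query)
    return query.get("name", [""])[0]


def render_unsafe(name: str) -> str:
    """Vulnerable: untrusted input is inserted into the page as-is."""
    return f"<p>Hello, {name}!</p>"


def render_safe(name: str) -> str:
    """Hardened: html.escape encodes < > & and, with quote=True, the
    quote characters, so the value is also safe inside a quoted attribute."""
    safe = html.escape(name, quote=True)
    return f'<p data-user="{safe}">Hello, {safe}!</p>'


def contains_raw_markup(rendered: str, name: str) -> bool:
    """Did a markup-bearing input survive unencoded into the output?
    Only meaningful when the input contains one of < > " or '."""
    return name in rendered and any(c in name for c in "<>\"'")


if __name__ == "__main__":
    # Constructed inputs: a benign name and a classic script-bearing one.
    for url in ("http://www.yoursite.com/index.html?name=george",
                "http://www.yoursite.com/index.html?name=<script>alert(1)</script>"):
        n = name_from_url(url)
        print("unsafe:", render_unsafe(n))
        print("safe:  ", render_safe(n))
```

Encoding at output time is what the cheat sheet recommends; stripping `<script>` tags on input alone misses other HTML and attribute-based injections, so treat the strip step as a supplement rather than the primary control.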