Solved

security cross site scripting request JavaScript file

Posted on 2012-09-16
252 Views
Last Modified: 2012-11-17
What is the appropriate defense for this type of attack?

http://www.somewhere.com/scripts/some.js\"><script>alert('payload');</script>



Something like the above anyway... going off memory.

Admittedly, I'm not very knowledgeable of web security. I typically deal with most of the issues through proper detainting of variables etc. This one has me confused as to how to defend against it except through a 3rd party application. This is an example from an auditor who asked us to turn off ModSecurity and Trustwave WebDefend before running some of the attacks.
Question by:kindaprog
7 Comments
 
LVL 58

Expert Comment

by:Gary
ID: 38403818
http://amix.dk/blog/post/19432

But basically - don't trust any posted data, always process it as shown by the examples in the link.
 
LVL 84

Expert Comment

by:David Johnson, CD, MVP
ID: 38403962
Always validate user input. Though I wonder why the auditor wanted you to turn off your security protocols? Maybe just to check the underlying code.
 
LVL 25

Expert Comment

by:madunix
ID: 38404849
I highly recommend that you read the Cross-Site Scripting paper available from the OWASP website at http://www.owasp.org/index.php/Cross_Site_Scripting

You should also have a look at the OWASP Filters Project, which provides solutions for J2EE and PHP. http://www.owasp.org/index.php/Category:OWASP_Filters_Project

Make sure you filter every user input and output with proper encoding like UTF-8.
Read the full testing guide: https://www.owasp.org/images/8/89/OWASP_Testing_Guide_V3.pdf

Author Comment

by:kindaprog
ID: 38407731
So how would you validate a resource request like in the example? Am I missing something?
 
LVL 58

Expert Comment

by:Gary
ID: 38407749
By stripping all things like <>{[]} etc. - see my first link.
 

Author Comment

by:kindaprog
ID: 38411909
I apologize, but where would you strip this? It is not a parameter passed into any of my scripts. It's a request made from the browser directly to the server for an additional resource. Correct? How can I programmatically defend against this?
 
LVL 58

Accepted Solution

by: Gary (earned 2000 total points)
ID: 38411953
On the server, when you are processing the posted data: PHP inbuilt functions
http://php.net/manual/en/filter.filters.sanitize.php
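The thread never quite spells out where the probe in the question bites: a request for a JavaScript path is harmless on its own, and becomes reflected XSS only where the server writes the requested path back into an HTML response (a 404 page, an error message) without encoding it. The added example below is not from any participant in this thread; it contrasts a constructed 404 handler that reflects the raw path with one that HTML-encodes it, and adds an allow-list check for static resource paths, using the probe from the question as constructed input.

```python
import html
from urllib.parse import urlsplit, unquote

# Constructed request path modelled on the auditor's probe in the question.
PROBE_PATH = '/scripts/some.js"><script>alert(\'payload\');</script>'


def not_found_vulnerable(path: str) -> str:
    """404 page that reflects the raw request path into HTML.
    This is the server-side pattern that turns the probe into reflected XSS."""
    return f"<html><body><h1>404</h1><p>{path} was not found.</p></body></html>"


def not_found_hardened(path: str) -> str:
    """Same page, but the path is HTML-entity encoded at the point where it
    is written into the document body, so markup in it renders as text."""
    return f"<html><body><h1>404</h1><p>{html.escape(path)} was not found.</p></body></html>"


def is_static_path_allowed(path: str,
                           allowed_roots=("/scripts/",),
                           allowed_ext=(".js", ".css")) -> bool:
    """Allow-list check for static resource requests (hypothetical policy):
    after percent-decoding, the path must sit under an allowed root, contain
    no traversal or markup characters, and end in a permitted extension."""
    decoded = unquote(urlsplit(path).path)
    if ".." in decoded or any(ch in decoded for ch in '<>"\'\\'):
        return False
    return decoded.startswith(allowed_roots) and decoded.endswith(allowed_ext)


def contains_unescaped_markup(body: str) -> bool:
    """Crude check used to compare the two handlers: does the body still
    carry a live <script tag?"""
    return "<script" in body.lower()


if __name__ == "__main__":
    print("vulnerable reflects script tag:",
          contains_unescaped_markup(not_found_vulnerable(PROBE_PATH)))
    print("hardened reflects script tag:",
          contains_unescaped_markup(not_found_hardened(PROBE_PATH)))
    print("probe path allowed as static resource:",
          is_static_path_allowed(PROBE_PATH))
```

Encoding belongs wherever untrusted data meets the output context; the allow-list only decides whether the resource request is served at all.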
