XSS Vulnerabilities Reviewed and Re-Classified
An anonymous reader writes "Security Analysts at NeoSmart Technologies have revisited the now-famous XSS-type security vulnerabilities and attempted to re-classify their status as a security vulnerability. The argument is that XSS vulnerabilities are not a mark of bad or insecure code but rather a nasty but unavoidable risk that's a part of JavaScript - and that even then, XSS 'vulnerable' sites are no less dangerous or vulnerable at heart." Are they unavoidable, or just a symptom of lazy coding, or both?
A hole is a hole (Score:5, Insightful)
User Content (Score:5, Insightful)
Even when disabling JavaScript content altogether on websites with user content, other methods can be used to steal cookies/sessions/user credentials. Flash attacks [cgisecurity.com] are becoming more and more common, and are near impossible to protect against. Users demand dynamic user-driven content, the companies comply; I'm just surprised this hasn't been more prevalent.
--Joel
Ajax Translator [parish.ath.cx]
Crazy (Score:5, Insightful)
Er, no. XSS attacks are caused by sloppy web application developers that fail to encode user-supplied data for output in the appropriate way, and by sloppy web developers that trust that whatever was submitted by a user was submitted by the user intentionally.
Both of these factors have technical solutions that are 100% effective and have been well-known for years. The former has nothing specifically to do with JavaScript anyway, it's just that the holes are most often used to sneak JavaScript onto a page.
This article is a total crock of shit. For instance when it says:
It's no more dangerous in terms of security for the client machine. If Hotmail has a security hole, it doesn't make it more likely that somebody will get onto your computer. But they can still read and delete your email, and send email from your account.
Actually, I take that back, it is more dangerous in terms of security for the client machine. With tools like the NoScript Firefox extension, and the similar mechanisms other browsers have, many people disable JavaScript for the random websites found with Google, but enable them for websites they trust, like Hotmail. So if Hotmail has an XSS vulnerability, they will be executing malicious JavaScript even though they only intended to allow trusted JavaScript to be executed.
This author seems to have no real clue about web security. I guess this is why Slashdot shouldn't link to random weblog entries.
XSS - a bug... sometimes (Score:4, Insightful)
First language (Score:5, Insightful)
I wouldn't say lazy, but naive. Lots of people now cut their teeth at programming with HTML/JavaScript and a simple server-side scripting language, like PHP or ASP. For a reason unknown, these simple languages (PHP especially [develix.com]) try to create a blanket so thick around the coder that most of them don't even think about validating input.
Crap like auto-string escaping, crap like automagic global variables, crap like easy access to eval(), auto variable casting, these help when learning to program so you can concentrate on the task at hand, but become a big fat no-no when deploying stuff in a networked environment.
Going back to my first programs in BASIC/C/C++, they were probably filled with holes; but for sure they weren't available for the world to hack.
They are flat wrong (Score:5, Insightful)
XSS has always been bullshit (Score:3, Insightful)
Can't understand (Score:3, Insightful)
Bulletin Boards have been effective against these issues for ages with bbcodes that use [] instead of > < . Also wikipedia has excellent formatting features without letting users ever use an html tag by themselves.
By simply turning > and < into &gt; and &lt; before displaying content that was influenced by user input you get rid of every single XSS risk. If users complain about it being too limited they should get their own site instead of depending on a blog/forum/whatever other thing.
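The output-encoding fix that the "Crazy" and "Can't understand" comments above describe, as an added JavaScript example that is not from the article or any commenter; `escapeHtml`, the two `renderComment*` functions and the sample inputs are constructed for illustration. It goes one step beyond the `><` rule by also encoding `&` and quotes, which matters once untrusted text lands inside an attribute value.

```javascript
// Added example (not from the article or any commenter): context-aware HTML
// output encoding for untrusted user content. Runs under Node.js.

// Characters that must be encoded before untrusted text is placed in an
// HTML element body or inside a double-quoted attribute value.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#x27;",
};

// Encode untrusted text for an HTML text-node or attribute context.
// Escaping only < and > is not enough for attribute values: a stray quote
// can close the attribute and open a new one.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable rendering: user input concatenated straight into the markup.
function renderCommentUnsafe(author, body) {
  return `<div class="comment" data-author="${author}">${body}</div>`;
}

// Hardened rendering: every untrusted value is encoded for its context.
function renderCommentSafe(author, body) {
  return `<div class="comment" data-author="${escapeHtml(author)}">${escapeHtml(body)}</div>`;
}

// Demonstration check only (not a production XSS detector): does the markup
// contain any tag other than the <div> wrapper we emitted ourselves?
function containsForeignTag(html) {
  return /<(?!\/?div\b)[a-zA-Z]/.test(html);
}

// Constructed sample inputs in the shape a hostile submission would take.
const SAMPLE_BODY = "<script>alert(1)</script>";
const SAMPLE_AUTHOR = '"><script>alert(1)</script><x a="';

// Render the same inputs both ways and report whether a foreign tag survived.
function demo() {
  const unsafe = renderCommentUnsafe(SAMPLE_AUTHOR, SAMPLE_BODY);
  const safe = renderCommentSafe(SAMPLE_AUTHOR, SAMPLE_BODY);
  return {
    unsafe,
    safe,
    unsafeHasTag: containsForeignTag(unsafe),
    safeHasTag: containsForeignTag(safe),
  };
}
```

Encoding is per context: the same text dropped into a JavaScript string, a URL or a CSS value needs a different encoder than the HTML one shown here.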
Huh? (Score:3, Insightful)
Maybe the people writing web apps need better training? No matter how safe you make the language, there will be people using it who are inexperienced, unfamiliar, or otherwise uneducated about the nuances of paranoid programming. It's very narrow-sighted to blame the tool.
Most at risk (Score:2, Insightful)
Banks & things like that are insured against loss, Federally in the case of banks.
Advertisers who pay for people to click things on the other hand, are not.
I'd bet CowboyNeal's left nut there's thousands of dollars a day being scammed from advertisers through the use of XSS clicking adverts in the background, or changing the target address of an ad banner.
Complete Twit (Score:1, Insightful)
Probably a 15 year old kid. It's a fucking WordPress site w/ the default theme. I mean, come on, seriously.
Re:This guy doesn't know what he is talking about! (Score:3, Insightful)
I don't feel particularly sorry for fools who fall for phishing scams
I sure wouldn't want to bank with a company that called its customers fools when the phishing scam was being run from the bank's own website.
Re:Don't allow the GET method except for index... (Score:3, Insightful)