Google Brother Up

2009/04/06

Cross-Site Scripting & Remediation Action

Cross-Site Scripting
Cross-site scripting is a term used to describe problems which arise when maliciously crafted user data causes a web application to redirect an unsuspecting web browser to an undesired site. It was possible to send strings with special HTML characters ( < > " ' ) to your web application, and see them rendered in the response. Since these characters were not encoded by the web application, it may be possible to inject HTML scripting code into the rendered page. The injections can occur in your HTML body, Title, Scripting, or even commented out portions of the document.

Note: Due to the potential negative impact on this web server's resources that could result from attacking a large number of cross-site scripting attack vectors, TrustKeeper abandons this test after it has found at least three instances where user input is not being properly sanitized. Therefore, it is possible that the reported findings associated with this vulnerability are only a subset of all possible attack vectors.

Remediation Action
This is a generic warning based on a test that indicates that your web application may not validate user-provided input, such as that provided by a form. Review your web application to ensure that user data is checked on the server side of the application (NOT in the web browser) for proper length and character content. It is recommended that a white-list of acceptable characters be used, with all other characters being HTML encoded prior to being sent in response to the client. Review the "Cross-Site Scripting", "Data Validation", and "Review Code for Cross-site scripting" pages on OWASP.org (see the reference links in this finding).
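
One way to implement the remediation described above, as an added example that is not part of the scan finding: a server-side length check followed by white-list output encoding. The white-list, the length limit, the function names and the sample input are all assumptions chosen for illustration.

```python
import string

# Assumption: this white-list and length limit are illustrative choices,
# not values taken from the scan finding.
SAFE_CHARS = frozenset(string.ascii_letters + string.digits + " .,-_")
MAX_LEN = 64


class InputRejected(ValueError):
    """Raised when server-side validation refuses a value."""


def check_length(value: str, max_len: int = MAX_LEN) -> str:
    """Server-side length check; reject rather than silently truncate."""
    if len(value) > max_len:
        raise InputRejected(f"value exceeds {max_len} characters")
    return value


def encode_for_html(value: str) -> str:
    """Pass white-listed characters through unchanged; emit every other
    character as a hexadecimal numeric character reference."""
    out = []
    for ch in value:
        if ch in SAFE_CHARS:
            out.append(ch)
        else:
            out.append(f"&#x{ord(ch):x};")
    return "".join(out)


def render_greeting(name: str) -> str:
    """Hypothetical handler: validate, then encode at the point of output."""
    return "<p>Hello, " + encode_for_html(check_length(name)) + "</p>"


# Constructed sample input containing the four characters named in the finding.
SAMPLE = "<i>O'Neil & \"Sons\"</i>"

if __name__ == "__main__":
    print(render_greeting(SAMPLE))         # markup characters arrive encoded
    print(render_greeting("Alice Smith"))  # white-listed input is unchanged
```

HTML entity encoding of this kind fits the HTML body and quoted attribute values; data placed inside a script block needs JavaScript-specific encoding instead.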


Drop Down List

1. http://www.janetsystems.co.uk/Articles/NetArticles/tabid/74/itemid/161/modid/449/Default.aspx