Posted by C. (http://symcbean.blogspot.com/) on 01/24/08 13:34
On 24 Jan, 11:05, Erwin Moller
<Since_humans_read_this_I_am_spammed_too_m...@spamyourself.com> wrote:
> Hi all,
>
> Question: If I use htmlentities($originalString, ENT_QUOTES) everywhere I
> output anything to the browser that originated from user input, will an
> XSS attack be possible?
>
> I think not, but I found a lot of different ways to XSS related on the
> net (like DNS rebinding: http://en.wikipedia.org/wiki/DNS_rebinding).
> As far as I can see DNS-rebinding is useless as long as the JavaScript
> will not be executed.
>
> Is htmlentities enough?
> Should I also use the third parameter for htmlentities (charset)?
> What do you do to protect your sites against XSS?
>
> Regards,
> Erwin Moller
You're just eliminating one vector for the CSS attack. Admittedly it's
the one most commonly exploited.
Not sure how you would leverage DNS rebinding as a CSS attack - but it
doesn't stop javascript from executing -
browser requests page from (redirected to bad server) site
js file referenced by page is loaded by browser from (redirected to
bad server) site, comes back with headers to say cache this for a
year.
(DNS changed to point to 'good' server)
Browser is now running the bad server's js file on the good server's
pages
Sure - it's difficult (although far from impossible) to steal
somebody's domain - but ICMP redirection? Competing DHCP?
Your proposal is a good start, but don't assume that it eliminates all
possible CSS attacks.
C.
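A defensive output encoder along the lines Erwin asks about, added here as an example (not code from the thread); the sample inputs are constructed, and the ENT_SUBSTITUTE flag assumes PHP 5.4 or later.

```php
<?php
// Added example, not from the thread. Assumes PHP >= 5.4 for ENT_SUBSTITUTE.

/**
 * Encode user-supplied text for an HTML body or a quoted attribute value.
 * ENT_QUOTES encodes both ' and " so the result is safe inside either quote
 * style; an explicit charset keeps the encoder in agreement with the page's
 * declared encoding; ENT_SUBSTITUTE replaces invalid byte sequences with
 * U+FFFD instead of silently returning an empty string.
 */
function esc_html($input)
{
    return htmlentities($input, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample inputs.
$samples = array(
    'script tag'         => "<script>alert('x')</script>",
    'attribute breakout' => "\" onmouseover=\"alert(1)",
    'invalid UTF-8'      => "ab\xFFcd",   // \xFF never occurs in valid UTF-8
);

foreach ($samples as $label => $raw) {
    printf("%-20s %s\n", $label, esc_html($raw));
}

// Without ENT_SUBSTITUTE the invalid input is dropped entirely: the user's
// text vanishes from the page and the encoding bug can go unnoticed.
var_dump(htmlentities("ab\xFFcd", ENT_QUOTES, 'UTF-8') === '');

// Using the encoder in a template: the attribute and the body are both covered.
$name = "O'Reilly \"Bob\" <b>";
echo '<p title="' . esc_html($name) . '">' . esc_html($name) . "</p>\n";
```

This covers HTML body and quoted-attribute contexts only; as C. notes above, it closes one vector rather than all of them.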