Cross-Site Scripting: What is it, and how can you protect your site from becoming a victim?
This is the third session in the Technical: Propeller Hats Required Track at HighEdWeb. Presented by Paul Gilzow at the University of Missouri.
Cross-site scripting is an injection attack against your users, not your server. 88% of higher ed websites had vulnerabilities, and many of these were cross-site scripting. These attacks trick users into going to a page controlled by the attacker. Uses: phishing, identity theft, collecting emails for spamming. Platform independent. URI/JAR exploit: launch a desktop application as you.
Why is it especially dangerous to higher ed? People trust higher ed sites. NC State study: users were unable to tell the difference between fake and real popups 63% of the time, even with warnings.
3 types:
- Non-persistent/reflective: most common; only lasts as long as the user is there. Relies on social engineering.
- Persistent/stored: data is stored externally and replayed every time people return. Very dangerous.
- Local: on the user’s local machine. Less likely, but still dangerous.
Penetration of others’ websites: legal grey area. Illegal in some countries. We had a live demo where we hijacked NBC.com’s website.
What can we do to protect our applications? Be paranoid. Trust no one. Layers — don’t be the low-hanging fruit for hackers.
Techniques: Input filtering/blacklisting (can’t be your only defense). Input validation, even for values that come from dropdowns. Output encoding (for allowable characters, such as ampersands). Intrusion detection systems (e.g., PHPIDS). Tidy the output (e.g., HTML Purifier, which only allows valid HTML; AntiSamy).
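As an added illustration of two of those techniques (re-validating a dropdown value on the server and encoding output for its HTML context), not code from the talk: a small Python handler with hypothetical parameter names `q` and `dept` that allowlists the dropdown value and HTML-encodes the search term before echoing it back into the page.

```python
import html
from urllib.parse import parse_qs

# Allowlist for the hypothetical "dept" dropdown. A <select> in the browser does
# not stop anyone from submitting an arbitrary value, so the server validates it.
ALLOWED_DEPTS = {"admissions", "registrar", "library"}
DEFAULT_DEPT = "admissions"


def validate_dept(value):
    """Return the department if it is on the allowlist, otherwise None."""
    return value if value in ALLOWED_DEPTS else None


def render_search_page(query_string):
    """Build a results page from a raw query string (constructed sample input).

    Every user-controlled value is either replaced by an allowlisted value or
    HTML-encoded for the context it lands in, so it can never become markup.
    """
    params = parse_qs(query_string, keep_blank_values=True)
    raw_term = params.get("q", [""])[0]
    raw_dept = params.get("dept", [""])[0]

    # Unknown dropdown values are rejected, not echoed.
    dept = validate_dept(raw_dept) or DEFAULT_DEPT

    # html.escape encodes & < > " and ' so the same encoded string is safe both
    # inside a double-quoted attribute and as text content.
    term = html.escape(raw_term, quote=True)

    return (
        "<form>"
        f'<input type="text" name="q" value="{term}">'
        f'<input type="hidden" name="dept" value="{dept}">'
        "</form>"
        f"<h2>Results for {term} in {dept}</h2>"
    )


if __name__ == "__main__":
    # Constructed input with characters that would otherwise alter the markup.
    print(render_search_page("q=%3Cb%3Ehi%22&dept=payroll"))
```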
Glad you were able to make it to the presentation. Hope you enjoyed it and were able to get some valuable information from it.
Comment by Gilzow — October 10, 2008 @ 11:21 am