XSS bestiary

Wednesday 14 March 2007This is over 16 years old. Be careful.

Protecting a web site against cross-site scripting attacks can be a daunting challenge. Roughly speaking, you have to ensure that no executable script can be inserted into your pages by your users. But browsers are famously accepting of mis-formed HTML. Figuring out what strings of text might contain executable script requires understanding all of the variety of interpretations browser will bestow on crappy HTML. If you assume a pristine universe of correctly-formed HTML, you are opening yourself up to attacks which exploit oddball edge cases.

RSnake (Robert Hansen) has compiled a list of all sorts of strings which could be interpreted as executable script by various browsers: XSS Cheat Sheet. It’s a fascinating look at the alternative representations for familiar constructs (http scheme names can have tabs in them?), and a sobering demonstration of the ingenuity and technical depth that bad guys can bring to bear on cracking your site.

The ha.ckers blog describes new exploits and vulnerabilities as they are discovered, and can also be a useful source of information.


Add a comment:

Ignore this:
Leave this empty:
Name is required. Either email or web are required. Email won't be displayed and I won't spam you. Your web site won't be indexed by search engines.
Don't put anything here:
Leave this empty:
Comment text is Markdown.