November 08, 2006

INXSS
My current headache is cross-site scripting, or XSS.
Cross-site scripting is an unforeseen product of the combination of browser programmability and communally-updated websites. Javascript and XMLHttpRequest let your browser do all sorts of nifty things; community web sites let people build really nifty things; together they let bad people steal your ID.
Anyone can create a web page that will read your cookies, but browsers aren't stupid, and they will only cough up the cookies for that web site. Which was not a problem in the past, because before anyone could do anything untoward they had to take control of the website by some other means.
But if you have a community site where people can insert unfiltered HTML, that lets other people steal your cookies for that site. Badness.
The approaches to this problem seem to be threefold:
1. The listen-to-nanny approach, as typified by CERT: Tell people to turn off Javascript, and not to browse unknown web sites, especially after dark.
2. The patch-it-and-hope approach: Scrub the HTML for any untoward Javascript. If your site can restrict what users put up on their pages, you may be able to eliminate Javascript altogether - though even then, you might get tripped up the way MySpace was.
3. The keep-the-doors-and-windows-locked approach: Don't use cookies that give users global access. I think Blogger may be doing this, and that's why you keep having to log in to comment.
You have to do some of 2 in any case. If you don't scrub comments of bad HTML, you will find your page layouts corrupted in very short order. 3 looks likely to be the most robust, but at the cost of user functionality.
Anyone know of any in-depth resources on this? Or are people keeping their solutions close to their chests?
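Approach 2 works far better as an allowlist (rebuild the comment from tags you permit) than as a hunt for "bad" Javascript, and the same pass can re-balance tags so comments cannot corrupt the page layout. The sanitizer below is an added example, not the author's code or any site's; the tag set, attribute set and URL schemes it permits are assumptions for a simple comment box.

```python
from html import escape
from html.parser import HTMLParser
# Hypothetical allowlist for a comment box: anything not listed is dropped.
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "code", "blockquote", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_SCHEMES = ("http://", "https://", "mailto:")

class AllowlistSanitizer(HTMLParser):
    # Rebuilds user HTML from an allowlist instead of hunting for bad tags.
    def __init__(self):
        super().__init__()          # convert_charrefs=True: entities reach handle_data decoded
        self.out = []
        self.open_tags = []         # stack used to re-balance the fragment

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return                  # <script>, <img onerror=...>, <div> vanish; their text stays
        kept = []
        for name, value in attrs:   # parser has already lowercased names and decoded values
            if name not in ALLOWED_ATTRS.get(tag, ()) or value is None:
                continue            # on* handlers and style can never pass: not in the list
            if name == "href" and not value.strip().lower().startswith(SAFE_SCHEMES):
                continue            # rejects javascript:, data:, and entity-obfuscated forms
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag != "br":
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag not in self.open_tags:
            return                  # stray or unknown close tag: ignore it
        while self.open_tags:       # also close anything opened after it
            closed = self.open_tags.pop()
            self.out.append(f"</{closed}>")
            if closed == tag:
                break

    def handle_data(self, data):
        self.out.append(escape(data))   # text is re-escaped, never passed through raw

    def result(self):
        while self.open_tags:       # unclosed tags cannot leak out and wreck the page layout
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)

def sanitize(fragment):
    s = AllowlistSanitizer()
    s.feed(fragment)
    s.close()
    return s.result()
```

Relative links are rejected along with everything not in SAFE_SCHEMES; that is the allowlist trade-off the post describes, lost functionality in exchange for a check that does not need to anticipate every encoding trick.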
Posted by: Pixy Misa at 09:09 PM | Comments (41)
Posted by: Kristopher at November 09, 2006 02:00 AM (giy+l)