Thursday 26 May 2011

XSS (Part 1) - Reconnaissance is rarely wasted

With the release of Firefox 4.0 there has been a giant step forward in the ability to defend against XSS attacks.  Whilst I will discuss this in more detail in a future post, I thought it was interesting to take another look at the perceived wisdom for mitigating XSS attacks that exists on the Internet today.

So if I were to put myself in the shoes of someone taking their first steps towards finding a solution to XSS in their web application, where would I start?  Google, obviously.  And what is the first hit in Google?  Wikipedia, obviously.

So mitigation numero uno for XSS in Wikipedia is "Contextual Output Encoding/Escaping of String Input".  The other recommendations include input validation and then some fairly limited advice involving cookies, disabling scripts and emerging technologies.

It seems sensible to verify some of these mitigation suggestions via other sources.  Back to Google.  The next relevant result is from www.cgisecurity.com, where they ask how vendors should protect themselves: "This is a simple answer. Never trust user input and always filter metacharacters."

Next up is OWASP, which I believe is considered by many, and quite rightly so, to be the de facto standard source of web application security information.  They have a cheat sheet that recommends output encoding (albeit in several different ways depending on context) and input validation.
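To make the "several different ways depending on context" concrete, here is an added example (my own illustration, not code from OWASP or the cheat sheet) of one untrusted value being rendered into three different output contexts, each with the encoder that context needs. The function names and the sample input are assumptions for illustration.

```python
import html
import urllib.parse


def encode_html_body(value: str) -> str:
    """Encoder for text between HTML tags: entity-encode & < > " '."""
    return html.escape(value, quote=True)


def encode_html_attr(value: str) -> str:
    """Encoder for a quoted HTML attribute value.

    Same entities as the body context, but it is only safe if the template
    always wraps the attribute in quotes, as render_profile() does below.
    """
    return html.escape(value, quote=True)


def encode_js_string(value: str) -> str:
    """Encoder for data placed inside a JavaScript string literal.

    Entity encoding is useless here because the parser does not decode
    entities inside <script>.  Instead every character outside [A-Za-z0-9]
    becomes a \\xHH or \\uHHHH escape, so quotes, backslashes, newlines and
    angle brackets can never alter the surrounding script.
    """
    out = []
    for ch in value:
        if ch.isascii() and ch.isalnum():
            out.append(ch)
        elif ord(ch) < 0x100:
            out.append("\\x%02x" % ord(ch))
        else:
            out.append("\\u%04x" % ord(ch))
    return "".join(out)


def encode_url_param(value: str) -> str:
    """Encoder for a value embedded in a URL query string."""
    return urllib.parse.quote(value, safe="")


def render_profile(display_name: str) -> str:
    """Render one untrusted value into three contexts, one encoder each."""
    return (
        f"<p>Hello, {encode_html_body(display_name)}</p>\n"
        f'<input name="who" value="{encode_html_attr(display_name)}">\n'
        f"<script>var user = '{encode_js_string(display_name)}';</script>\n"
        f'<a href="/search?q={encode_url_param(display_name)}">search</a>'
    )
```

The point the cheat sheet makes is visible in the output: the same string comes out as entities in the first two lines, as `\xHH` escapes in the script block, and as percent-encoding in the link, and using the wrong one for a context leaves metacharacters live.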

Although there are a lot more results on Google, to be on the safe side we should look beyond Google as well.  Where else can we look?  Well, what about books?  Off to Amazon.  Topping the list is "XSS Attacks: Cross Site Scripting Exploits and Defense", and it is authored by some fairly well-known security folk, so that gives us some confidence.  Their advice boils down to input validation and output encoding.  I have to say I think it was a bold move to use the word 'Defense' in the title of the book and then dedicate a whopping 14 pages out of 400 to 'Defense', only half of which contain advice for web application developers.  It doesn't really fill me with confidence that they acknowledge it's a difficult problem and then only manage to squeeze out 7 pages discussing solutions.

Another favourite source of web application security information is "The Web Application Hacker's Handbook".  That too suggests input validation and output encoding, in no fewer than 5 pages.

Clearly you could spend a lot more time looking at solutions, but what I have described represents the basic standard line you find almost everywhere.  There is of course some really poor advice out there as well, but that comes as no surprise.

It might seem that the purpose of this post is to say that input validation and output encoding mitigate XSS, but I actually disagree with that.

To me, saying input validation and output encoding are the solution to XSS is like saying feeding people is the solution to world hunger.  Of course feeding people would stop them from being hungry, but that's not the real problem.  The real problem is how you go from a world full of hungry people to food in people's mouths.  The problem is one of organisation and process.

This will be the topic of my next post.