So if I were to put myself in the shoes of someone taking their first steps towards finding a solution to XSS in their web application, where would I start? Google, obviously. And what is the first hit in Google? Wikipedia, obviously.
So mitigation numero uno for XSS in Wikipedia is "Contextual Output Encoding/Escaping of String Input". The other recommendations include input validation and then some fairly limited advice involving cookies, disabling scripts and emerging technologies.
It seems sensible to verify some of these mitigation suggestions via other sources. Back to Google. The next relevant result is from www.cgisecurity.com, where they ask how vendors should protect themselves: "This is a simple answer. Never trust user input and always filter metacharacters."
Next up is OWASP, which I believe is considered by many, and quite rightly so, to be the de facto standard source of web application security information. They have a cheat sheet that recommends output encoding (albeit in several different ways depending on context) and input validation.
Although there are a lot more results on Google, to
Another favourite source of web application security information is "The Web Application Hacker's Handbook". That too suggests input validation and output encoding, in no less than 5 pages.
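To make concrete what "output encoding in several different ways depending on context" and "input validation" actually look like in code, here is an added example; it is not code from the original post, from Wikipedia, cgisecurity, OWASP or the Handbook. It assumes a hypothetical profile page that echoes a user-supplied name and bio into three different output contexts (HTML body, HTML attribute and a JavaScript string literal) plus a URL query parameter, and it uses one encoder per context rather than a single "filter metacharacters" pass. The allow-list validator for the username and the sample profile values are constructed for the example.

```javascript
// Added example (not from the original post): contextual output encoding
// with one encoder per output context, plus allow-list input validation.

const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;',
  '"': '&quot;', "'": '&#x27;', '/': '&#x2F;',
};

// HTML body context, e.g. <p>USER_DATA</p>: escape the six HTML
// metacharacters so the data can never open or close a tag.
function encodeForHtml(s) {
  return String(s).replace(/[&<>"'/]/g, (c) => HTML_ESCAPES[c]);
}

// HTML attribute context, e.g. <div title="USER_DATA">: encode everything
// except alphanumerics as a numeric entity. This holds even if a developer
// forgets the quotes around the attribute value.
function encodeForHtmlAttribute(s) {
  return String(s).replace(/[^A-Za-z0-9]/gu,
    (c) => `&#x${c.codePointAt(0).toString(16).toUpperCase()};`);
}

// JavaScript string-literal context, e.g. var x = 'USER_DATA';: encode
// everything except alphanumerics as \xHH or \uHHHH so the data cannot
// terminate the string literal or the enclosing <script> element.
function encodeForJsString(s) {
  return String(s).replace(/[^A-Za-z0-9]/gu, (c) => {
    const cp = c.codePointAt(0);
    if (cp < 0x100) return '\\x' + cp.toString(16).toUpperCase().padStart(2, '0');
    if (cp < 0x10000) return '\\u' + cp.toString(16).toUpperCase().padStart(4, '0');
    return '\\u{' + cp.toString(16).toUpperCase() + '}';
  });
}

// Input validation (hypothetical rule): a username is 1-32 characters from
// a small allow-list. Validation narrows what is accepted; it does not
// replace the per-context encoding below.
function isValidUsername(s) {
  return /^[A-Za-z0-9_]{1,32}$/.test(String(s));
}

// Render the same values into several contexts, each with its own encoder.
// The URL query parameter context uses the platform's encodeURIComponent.
function renderProfile(profile) {
  if (!isValidUsername(profile.username)) {
    throw new Error('username rejected by input validation');
  }
  return [
    `<h1>${encodeForHtml(profile.displayName)}</h1>`,
    `<p>${encodeForHtml(profile.bio)}</p>`,
    `<a href="/users?name=${encodeURIComponent(profile.username)}"` +
      ` title="${encodeForHtmlAttribute(profile.bio)}">profile</a>`,
    `<script>var displayName = '${encodeForJsString(profile.displayName)}';</script>`,
  ].join('\n');
}

// Constructed sample input: a display name and bio containing the
// characters each context cares about.
const SAMPLE_PROFILE = {
  username: 'alice_1',
  displayName: "O'Neil <x>",
  bio: 'Likes "quotes" & /slashes/',
};

console.log(renderProfile(SAMPLE_PROFILE));
```

Note that the same apostrophe in the display name is emitted as `&#x27;` in the heading but as `\x27` inside the script block: that is the whole point of "contextual" encoding, and it is why a single metacharacter filter applied at input time cannot do this job.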
Clearly you could spend a lot more time looking at solutions, but what I have described represents the basic standard line you find almost everywhere. There is of course some really poor advice out there as well, but that comes as no surprise.
It might seem that the purpose of this post is to say that input validation and output encoding mitigate XSS, but I actually disagree with that.
To me, saying input validation and output encoding are the solution to XSS is like saying feeding people is the solution to world hunger. Of course feeding people would stop them from being hungry, but that's not the real problem; the real problem is how you go from a world full of hungry people to food in people's mouths. The problem is one of organisation and process.
This will be the topic of my next post.