Thanks.

Regards,
SaeedAhmed Subedar, BSLI
91-022-39961356

-----Original Message-----
From: Mark Montague [mailto:mark@xxxxxxxxxxx]
Sent: Thursday, December 15, 2011 8:11 PM
To: users@xxxxxxxxxxxxxxxx
Subject: Re: Cross-site scripting over ssl

On December 15, 2011 6:31 , Saeedahmed Subedar <Saeedahmed.Subedar@xxxxxxxxxxxxxxxx> wrote:
>
> I have a web application on Apache Http Server over SSL. Isn't
> application level cross-site scripting taken care of since requests
> and responses are encrypted in SSL?
>

No.  From https://www.owasp.org/index.php/XSS

> Cross-Site Scripting attacks are a type of injection problem, in which
> malicious scripts are injected into the otherwise benign and trusted
> web sites. Cross-site scripting (XSS) attacks occur when an attacker
> uses a web application to send malicious code, generally in the form
> of a browser side script, to a different end user. [...] The end
> user's browser has no way to know that the script should not be
> trusted, and will execute the script. Because it thinks the script
> came from a trusted source, the malicious script can access any
> cookies, session tokens, or other sensitive information retained by
> your browser and used with that site.

As an example, let's say you are running a blog on your web server, and that the blog fails to properly sanitize comments left by readers before storing them in its database. A malicious user could then provide JavaScript code in a comment they leave; this JavaScript would be run in the web browser of any user who viewed the comment, performing some bad action that is advantageous to the attacker -- for example, serving ads for black-market pharmaceuticals, or sending the user to a malicious web site that attempts to take over the user's computer using vulnerabilities in Flash, Adobe PDF Reader, or other web browser plugins.
Using SSL between the malicious user's computer and the web server running the blog will not stop the malicious user from providing JavaScript code in their comment. Using SSL between the web server and other users' computers will not stop the malicious JavaScript code in the comment from being served to the user, nor will it stop the malicious JavaScript from being executed by the user's web browser.

In short, encryption is completely irrelevant to cross-site scripting attacks.

To protect against cross-site scripting, you need to make sure that any input provided by any user can never be executed in any situation. You need to filter out, disallow, or render harmless from user-provided content any JavaScript, HTML, CSS, and anything else that web browsers can interpret and act upon. The main ways of doing this are by encoding user input so that it is not interpreted by web browsers -- for example, replacing '<' with '&lt;' in user content that appears in places where it could be interpreted as HTML (this is not sufficient by itself, though; many more things would need to be encoded too) -- or stripping out things that could be executed (for example, if you are asking the user to provide a numeric date, then remove from the input anything that is not a number, a slash, or a dash).

For a proper list of what you really need to do to protect against cross-site scripting, see
https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet

I hope this helps.

--
Mark Montague
mark@xxxxxxxxxxx

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx