On Tue, 4 Apr 2006, Javor Ninov wrote:
> So you mean that XSS is not trivial and difficult to spot ?
> For today code XSS is unacceptable and speaks very [poorly] for the
> author.
A lot of XSS might be "lame," but some of it is rather interesting and
complex. Our terminology might not be precise enough to capture this, but
not all XSS is created equal, and that should be accounted for in trying
to measure how well a product has been designed and implemented.
I think it's perfectly understandable if a vendor doesn't realize that
this input:
<script<
will bypass their regexp that strips out anything between a "<" and ">",
but it can still be rendered by browsers that automatically treat the
second "<" as if it is the closing ">"
Or this input:
java
script:alert('hi')
which, despite having a CRLF right in the middle of a special keyword, can
still be processed.
Or, as was recently discussed in a paper announced to this list, by
whitelisting just "<b>" tags using PHP's strip_tags() function, then this
will work:
<b onmouseover="badstuff">hello</b>
Or the DOM-based XSS attacks where there are no syntactic clues to the
issue, at least not in the usual places...
If you look at a number of the XSS issues in popular web mail services,
many of them involve non-standard browser behaviors.
- Steve
