Posted By Maher Bro
Hey all, in this tutorial I will be telling you all the countermeasures against XSS :)
Countermeasures
Check and validate all the form fields, hidden fields, headers, cookies, query strings and all the parameters against a rigorous specification. Implement a stringent security policy.
Web servers, application servers, and web application environments are vulnerable to cross-site scripting. It is hard to identify and remove XSS flaws from web applications. The best way to find flaws is to perform a security review of the code and search all the places where input from an HTTP request ends up as output in HTML.
A variety of different HTML tags can be used to transmit malicious JavaScript. Nessus, Nikto and other tools can help to some extent with scanning websites for these flaws. If a vulnerability is discovered in one website, there is a high chance of it being vulnerable to other attacks. Filter the script output to defeat XSS, which prevents the injected scripts from being transmitted to users.
The entire code of the website has to be reviewed if it is to be protected against XSS attacks. The sanity of the code should be checked by reviewing it and comparing it against exact specifications. The areas to be checked are the headers, cookies, query strings, form fields and hidden fields. During the validation process, there must be no attempt to recognize the active content and then remove, filter or sanitize it.
There are many ways to encode active content so that it slips past known filters. A "positive security policy" is highly recommended, which specifies what has to be allowed and what has to be removed. Negative or attack-signature-based policies are hard to maintain, as they are always incomplete. Input fields should be limited to a maximum length, since most script attacks need several characters to succeed.
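As an added example (not code from the original post): a Node.js positive-policy validator for request parameters, with a length limit and an allowlist pattern per field, plus HTML output encoding so that whatever does reach the page is never interpreted as markup. The field names and their rules are assumed for the demonstration.

```javascript
// Positive security policy: each parameter states what it MAY contain.
// Anything else is rejected outright; nothing is "cleaned up".
// Field names and rules are assumptions for this example.
const FIELD_SPEC = {
  username: { pattern: /^[A-Za-z0-9_]{3,20}$/, maxLength: 20 },
  zip:      { pattern: /^[0-9]{5}$/,           maxLength: 5 },
  comment:  { pattern: /^[A-Za-z0-9 .,!?'-]*$/, maxLength: 200 },
};

// Validate one parameter. Returns null when acceptable, otherwise a
// short reason. Parameters not in the spec are rejected as well.
function validateField(name, value) {
  const spec = FIELD_SPEC[name];
  if (!spec) return `unexpected parameter "${name}"`;
  if (typeof value !== 'string') return `${name}: not a string`;
  if (value.length > spec.maxLength) return `${name}: exceeds ${spec.maxLength} chars`;
  if (!spec.pattern.test(value)) return `${name}: contains disallowed characters`;
  return null;
}

// Validate a whole request (object of parameter -> value). Returns the
// list of rejection reasons; an empty list means the request passed.
function validateRequest(params) {
  return Object.entries(params)
    .map(([name, value]) => validateField(name, value))
    .filter((reason) => reason !== null);
}

// Encode a value for HTML element content or a quoted attribute.
function encodeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Output encoding is applied even to validated data: input validation
// and output encoding are independent layers, as the post recommends.
function renderGreeting(username) {
  return `<p>Welcome, ${encodeHtml(username)}!</p>`;
}

// Constructed sample requests for the demonstration.
const good = { username: 'alice_01', zip: '90210' };
const bad  = { username: '<script>alert(1)</script>', zip: '9021O' };
console.log(validateRequest(good));       // []
console.log(validateRequest(bad));        // two rejection reasons
console.log(renderGreeting('<b>x</b>'));  // <p>Welcome, &lt;b&gt;x&lt;/b&gt;!</p>
```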