On a recent visit to a website I found XSS and SQL injection vulnerabilities: the site's search feature did not properly sanitize user input. I reported this to the website owner, who promised to fix it and did so the very next day. The problem with the fix: their coders sanitized the keywords on output, not on input, so every other place on that same page that used those keywords remained an injection point, reachable with a slightly modified input string.
Had the developers followed the original suggestion of input validation, they would not have had this secondary issue. I still think that sanitizing output is probably a good idea, to avoid time-of-check/time-of-use (TOCTOU) race conditions in case the value can be manipulated in some other way that bypasses your magical input validation or sanitization.
Example:
http://www.________.com/search/?search=&query=%22%3E%3Cscript%3Ealert%28%22ESRL%22%29%3B%3C%2Fscript%3E%3C
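To make the point concrete, here is an added example (not code from the affected site or from this post; the host, the page template and the allow-list policy are assumptions). It decodes the query from a URL of the same shape as the one above, renders a results page with the kind of partial fix described, renders it again with every reflection encoded, and counts how many reflections still received the raw value.

```python
import html
import re
from urllib.parse import parse_qs, urlparse

# Constructed request mirroring the shape of the URL in the post: the host is
# a placeholder and the payload is the one the post shows, still URL-encoded.
SEARCH_URL = ("http://example.invalid/search/?search=&query="
              "%22%3E%3Cscript%3Ealert%28%22ESRL%22%29%3B%3C%2Fscript%3E%3C")

# Hypothetical results page: the search term is reflected in three places.
TEMPLATE = ('<h1>Results for: {heading}</h1>\n'
            '<input name="query" value="{field}">\n'
            '<p>No results for {summary}.</p>\n')

# Assumed allow-list for what a search keyword may look like.
KEYWORD_OK = re.compile(r"[\w\s.'\-]{0,64}")

def query_from_url(url: str) -> str:
    """Decode the ?query= parameter the way a web framework would."""
    params = parse_qs(urlparse(url).query, keep_blank_values=True)
    return params.get("query", [""])[0]

def valid_keyword(keyword: str) -> bool:
    """Input validation: accept only keywords matching the allow-list."""
    return KEYWORD_OK.fullmatch(keyword) is not None

def render_partial_fix(keyword: str) -> str:
    """The kind of patch the post describes: only the reported reflection is
    encoded; the other two spots on the same page still get the raw value."""
    return TEMPLATE.format(heading=html.escape(keyword),
                           field=keyword, summary=keyword)

def render_full_fix(keyword: str) -> str:
    """Encode at every reflection point (html.escape with quote=True covers
    HTML text nodes and quoted attribute values)."""
    safe = html.escape(keyword, quote=True)
    return TEMPLATE.format(heading=safe, field=safe, summary=safe)

def unencoded_reflections(page: str, keyword: str) -> int:
    """Review check: count the places where the raw keyword reached the page."""
    return page.count(keyword)

def handle_search(url: str) -> str:
    """Defence in depth as the post suggests: validate input, encode output."""
    keyword = query_from_url(url)
    if not valid_keyword(keyword):
        return "<p>Invalid search term.</p>\n"
    return render_full_fix(keyword)
```

html.escape is the right encoder only for HTML text and quoted attribute values; a reflection into a script block, a URL or a SQL query needs the encoder or parameterization for that context.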
Resources:
Reviewing code for XSS issues at OWASP
GNUCitizen XSS DB
XSS Cheat Sheet (rsnake)
Monday, August 20, 2007