httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Saeedahmed Subedar <Saeedahmed.Sube...@birlasunlife.com>
Subject RE: [users@httpd] Cross-site scripting over ssl
Date Fri, 16 Dec 2011 05:26:27 GMT
Thanks.


Regards,

SaeedAhmed Subedar, BSLI
91-022-39961356

-----Original Message-----
From: Mark Montague [mailto:mark@catseye.org]
Sent: Thursday, December 15, 2011 8:11 PM
To: users@httpd.apache.org
Subject: Re: [users@httpd] Cross-site scripting over ssl

On December 15, 2011 6:31 , Saeedahmed Subedar
<Saeedahmed.Subedar@birlasunlife.com> wrote:
>
> I have a web application on Apache Http Server over SSL. Isn't
> application level cross-site scripting taken care of since requests
> and responses are encrypted in SSL?
>


No. From https://www.owasp.org/index.php/XSS

> Cross-Site Scripting attacks are a type of injection problem, in which
> malicious scripts are injected into the otherwise benign and trusted
> web sites. Cross-site scripting (XSS) attacks occur when an attacker
> uses a web application to send malicious code, generally in the form
> of a browser side script, to a different end user. [...] The end
> user's browser has no way to know that the script should not be
> trusted, and will execute the script. Because it thinks the script
> came from a trusted source, the malicious script can access any
> cookies, session tokens, or other sensitive information retained by
> your browser and used with that site.

As an example, let's say you are running a blog on your web server, and
that the blog fails to properly sanitize comments left by readers before
storing them in its database. A malicious user could then provide
JavaScript code in a comment they leave; this JavaScript would be run in
the web browser of any user who viewed the comment, performing some bad
action that is advantageous to the attacker -- for example, serving ads
for black-market pharmaceuticals, or sending the user to a malicious web
site that attempts to take over the user's computer using
vulnerabilities in Flash, Adobe PDF Reader, or other web browser plugins.

Using SSL between the malicious user's computer and the web server
running the blog will not stop the malicious user from providing
JavaScript code in their comment.

Using SSL between the web server an other user's computers will not stop
the malicious JavaScript code in the comment from being served to the
user, nor will it stop the malicious JavaScript from being executed by
the user's web browser.

In short, encryption is completely irrelevant to cross-site scripting
attacks.

To protect against cross-site scripting, you need to make sure that any
input provided by any user can never be executed in any situation. You
need to filter out, disallow, or render harmless from user-provided
content any JavaScript, HTML, CSS, and anything else that web browsers
can interpret and act upon. The main ways of doing this are by encoding
user input so that it is not interpreted by web broswers -- for example,
replacing '<' with '&lt;' in user conent that appears in places where it
could be interpreted as HTML (this is not sufficient by itself, though,
many more things would need to be encoded too) -- or stripping out
things that could be executed (for example, if you are asking the user
to provide a numeric date, then remove from the input anything that is
not a number, a slash, or a dash). For a proper list of what you really
need to do to protect against cross-site scripting, see
https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet

I hope this helps.

--
   Mark Montague
   mark@catseye.org


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

The information contained in this electronic communication is intended solely for the individual(s)
or entity to which it is addressed. It may contain proprietary, confidential and/or legally
privileged information. Any review, retransmission, dissemination, printing, copying or other
use of, or taking any action in reliance on the contents of this information by person(s)
or entities other than the intended recipient is strictly prohibited and may be unlawful.
If you have received this communication in error, please notify us by responding to this email
or telephone and immediately and permanently delete all copies of this message and any attachments
from your system(s). The contents of this message do not necessarily represent the views or
policies of Aditya Birla Group. Computer viruses can be transmitted via email. Aditya Birla
Group Companies attempts to sweep e-mails and attachments for viruses, it does not guarantee
that either are virus free. The recipient should check this email and any attachments for
the presence of viruses. Aditya Birla Group does not accept any liability for any damage sustained
as a result of viruses.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message