Q

To prevent cross-site scripting, should specific words and characters be rejected?

In this expert Q&A, John Strand explains which application development best practices can stop cross-site scripting attacks.

I'm interested in preventing cross-site scripting (XSS) attacks. If we reject characters and words like <, >, script, -- and their equivalent entity values, etc., that can cause malicious attacks -- it increases the cost of application development. Would you recommend this course of action?
No. Instead, I recommend that developers code their applications to only allow the required set of characters necessary for the application to function properly. That is an application development best practice.

Many organizations view secure coding as an activity that is supposed to happen at the end of the development process.

However, if someone testing an application at the end of the development lifecycle says an application needs recoding to ensure its security, that application will need to be reworked and retested, along with any other application that interacts with it. This constant tweaking is often far more expensive than implementing an iterative security process throughout an application development lifecycle.

If there is a field called "State," for example, there is no reason to allow <, > ;, *, --, or : as possible values. If application developers write code from the perspective of only accepting known good values, it decreases the overall cost of application development by cutting quality assurance and certification and accreditation testing.

For more help, a great framework to use is the Scalable & Agile Lifecycle Security for Applications.

More information:

  • Video: Security researchers at Information Security Decisions 2008 recently discussed how to keep enterprises safe from cross-site scripting and buffer overflows.
  • This was first published in January 2009

    Dig deeper on Web Application Security

    Pro+

    Features

    Enjoy the benefits of Pro+ membership, learn more and join.

    Have a question for an expert?

    Please add a title for your question

    Get answers from a TechTarget expert on whatever's puzzling you.

    You will be able to add details on the next page.

    0 comments

    Oldest 

    Forgot Password?

    No problem! Submit your e-mail address below. We'll send you an email containing your password.

    Your password has been sent to:

    SearchCloudSecurity

    SearchNetworking

    SearchCIO

    SearchConsumerization

    SearchEnterpriseDesktop

    SearchCloudComputing

    ComputerWeekly

    Close