Enterprises can defend against XSS flaws by carefully filtering user input and output to remove the characters...
that are associated with scripts, including =<>'"();&. In the past, most organizations focused on controlling and filtering only the input. Certainly, that's a good idea. Still, an attacker could infiltrate an application via an unguarded input stream. Some enticing targets include magnetic stripes, Electronic Data Interchange feeds and paper-based postal mail that gets scanned in and converted via OCR. If Web applications start sending an attacker's malicious browser script, users are in jeopardy. To avoid this, filter the application output for malicious scripts as well. Of course, you should also filter for any legitimate browser scripts that are used and allow them to be sent to browsers. Certain data-pulling functions, however, should never have browser scripts. In these cases, filters should be applied before the final pages are composed and sent back to the browser.
Related Q&A from Ed Skoudis
At Black Hat 2006, researcher Joanna Rutkowska unveiled a piece of machine-based malware called the Blue Pill. But is it a serious threat to your ...continue reading
Wi-Fi on airplanes seems like it will be unavoidable in the future, but what security risks does it pose? In this security threats expert response, ...continue reading
There are some rare forms of malware that antivirus software doesn't pick up on, but there are some good tools to remove all sorts of malware.continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.