Preventing XSS attacks

Discussion in 'other security issues & news' started by Rmus, May 12, 2007.

Thread Status:
Not open for further replies.
  1. Rmus

    Rmus Exploit Analyst

    Mar 16, 2005
    In this thread elio discusses various scenarios that can carry out an XSS attack, and he posts code to demonstrate this.

    I would like to consider just one scenario: your login page on a secure site has been compromised.
    As soon as you enter your user ID and password, this information is sent to the hacker.

    The weakness in this attack is at the point when the information is sent out via the browser.
    Here lies one method of prevention.

    It requires that you have three browser rules in your firewall ruleset:
    • 1) HTTP Port 80 any address: this is your normal surfing rule - all traffic permitted

    • 2) HTTP Port 80 custom addresses: here, you enter any HTTP address that your transaction sites use

    • 3) HTTPS Port 443 custom addresses: same as rule 2) but HTTPS
    Here is my rule set:

    The second two rules have created a White List (custom addresses) of permitted IPs.
    You would enter all of the URLs for your secure sites into the Custom Addresses.

    Then, before going to your secure site, you disable the first browser rule, which then passes
    the check down to the next rules and nothing can connect out that is not on this White List (Custom Addresses).

    Here is the demo script, modified to attempt to connect out to send the information.
    The wikipedia link substitutes for a hackers IP.

    In addition, you can see that his demo script loads a test page to indicate that the attack
    would have been successful.

    However my test shows that it can be blocked: since the wikipedia link is not on the White List,
    the request to connect out is not successful:

    At this point, an alert user would know that something is amiss.

    Several mentioned that this method is cumbersome, so I'm hoping that others
    can suggest ways of preventing this type of attack.



    "Talking About Security Can Lead To Anxiety, Panic, And Dread...
    Or Cool Assessments, Common Sense And Practical Planning..."
    --Bruce Schneier​
  2. lucas1985

    lucas1985 Retired Moderator

    Nov 9, 2006
    France, May 1968
    Subscribed to this thread :thumb:
Thread Status:
Not open for further replies.