The Web Application Hacker’s Handbook Discovering and Exploiting Security Flaws

Internet Explorer, the following script will make a 

TRACE

request and display

the response in a dialog, including any cookies submitted in the request:

Current browsers block 

TRACE

requests using the 

XMLHttpRequest

object,

and XST attacks are no longer viable at the time of this writing.

Preventing XSS Attacks

Despite the various different manifestations of XSS, and the different possibil-

ities for exploitation, preventing the vulnerability itself is in fact conceptually

straightforward. What makes it problematic in practice is the difficulty of iden-

tifying every instance in which user-controllable data is handled in a poten-

tially dangerous way. Any given page of an application may process and

display dozens of items of user data. In addition to the core functionality, there

are error messages and other locations in which vulnerabilities may arise. It is

hardly surprising, therefore, that XSS flaws are so hugely prevalent, even in

the most security-critical applications.

Different types of defense are applicable to reflected and stored XSS on the

one hand, and to DOM-based XSS on the other, because of their different root

causes.

Download 5,76 Mb.

Do'stlaringiz bilan baham: