The Web Application Hacker’s Handbook Discovering and Exploiting Security Flaws

Chapter 12

Attacking Other Users

Preventing DOM-Based XSS

The defenses described so far obviously do not apply directly to DOM-based XSS, because the vulnerability does not involve user-controlled data being copied into server responses.

Wherever possible, applications should avoid using client-side scripts to process DOM data and insert it into the page. Because the data being processed is outside of the server's direct control, and in some cases even outside of its visibility, this behavior is inherently risky.

If it is considered unavoidable to use client-side scripts in this way, DOM-based XSS flaws can be prevented through two types of defenses, corresponding to the input and output validation described for reflected XSS.

Validate Input

In many situations, applications can perform rigorous validation on the data being processed. Indeed, this is one area where client-side validation can be more effective than server-side validation, because the script sees the full URL, including any fragment, which the server never receives. In the vulnerable example described earlier, the attack can be prevented by validating that the data about to be inserted into the document contains only alphanumeric characters and whitespace. For example:
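The following is an added example in JavaScript, not the book's own snippet (which this page does not reproduce) and not code from any project. It shows the vulnerable extraction pattern beside a hardened version that applies the whitelist described above. The function names, the sample URLs and the shape of the element object are illustrative assumptions; in the page itself you would pass document.URL (or location.href) and a real DOM element.

```javascript
// Added example (not code from the book): the client-side "message" page the
// text describes, in a vulnerable form and a hardened form. Names are
// illustrative. In a browser, `url` would be document.URL and `el` a real
// element; here `el` is any object with innerHTML / textContent properties.

// Vulnerable: everything after "message=" is taken verbatim, so the fragment
// (#...) and any markup in it become part of the value, which is then handed
// to a markup-interpreting sink (document.write / innerHTML).
function extractMessageNaive(url) {
  const marker = "message=";
  const idx = url.indexOf(marker);
  if (idx === -1) return "";
  const raw = url.substring(idx + marker.length);
  try {
    return decodeURIComponent(raw); // legacy code used unescape() here
  } catch (e) {
    return raw; // malformed percent-encoding: keep the raw text
  }
}

function renderUnsafe(el, value) {
  el.innerHTML = value; // same effect as document.write(value) for this purpose
}

// Whitelist from the text: alphanumerics and whitespace only.
const SAFE_MESSAGE = /^[A-Za-z0-9\s]*$/;

// Hardened: parse with the WHATWG URL API so the query and the fragment are
// separated before the value is read, then reject anything outside the
// whitelist. Returns null when the value is absent or fails validation.
function extractMessageSafe(url) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch (e) {
    return null; // not an absolute URL: nothing to display
  }
  const value = parsed.searchParams.get("message");
  if (value === null || !SAFE_MESSAGE.test(value)) return null;
  return value;
}

// Safe sink: textContent never parses markup, so even if the whitelist were
// relaxed later the inserted text could not introduce elements or handlers.
function renderSafe(el, value) {
  el.textContent = value;
}

// Validation and safe sink together; returns true if something was displayed.
function displayMessage(url, el) {
  const value = extractMessageSafe(url);
  if (value === null) return false;
  renderSafe(el, value);
  return true;
}
```

Two things are worth noticing when running this against a URL such as https://example.com/page?message=Hello#<img src=x onerror=alert(1)>. The naive extractor returns the whole tail, fragment included, and the server only ever saw ?message=Hello, so no server-side check could have caught it. The hardened extractor returns just "Hello" because new URL() separates the fragment from the query before the value is read, and the textContent sink would be inert even if the whitelist let markup through.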

In addition to this client-side control, rigorous server-side validation of URL data can be employed as a defense-in-depth measure, in order to detect requests that may contain malicious exploits for DOM-based XSS flaws. In the same example just described, it would actually be possible for an application to prevent an attack by employing only server-side data validation, by verifying that:

■ The query string contains a single parameter.
■ The parameter's name is message (case-sensitive check).
■ The parameter's value contains only alphanumeric content.

With these controls in place, it would still be necessary for the client-side script to parse out the value of the message parameter properly, ensuring that any fragment portion of the URL was not included: the fragment is never sent to the server, so a payload placed after # passes the server-side checks unseen.
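As an added example, not code from the book, here is the server-side check above implemented over the raw request target (the string Node's http module exposes as req.url). The function name and the sample URLs are constructed for illustration. It tests the raw, undecoded value deliberately: a whitelist of [A-Za-z0-9] applied to the raw text rejects any percent-encoding or '+' without a decoding step, so there is no double-decoding ambiguity. It also rejects any '#' outright, since a browser never sends the fragment and a literal '#' in a request target is itself suspicious; the flip side is that this check cannot see a fragment-borne payload at all, which is exactly why the client-side parsing still matters.

```javascript
// Added example (not from the book): server-side validation of the raw request
// target for the "message" page, implementing the three checks listed in the
// text. Names and sample inputs are illustrative. `rawUrl` is the request
// target as the server receives it, e.g. req.url in Node's http module.

// Applied to the raw, undecoded value: no '%', '+', '#' or ';' can pass.
const VALUE_RE = /^[A-Za-z0-9]+$/;

function validateMessageRequest(rawUrl) {
  // A browser strips the fragment before sending; a '#' here means a hand-built
  // request, and in any case the server cannot validate what follows it.
  if (rawUrl.includes("#")) {
    return { ok: false, reason: "fragment present in request target" };
  }
  const q = rawUrl.indexOf("?");
  if (q === -1) {
    return { ok: false, reason: "no query string" };
  }
  // Count parameters on the raw string. This catches duplicates such as
  // ?message=a&message=b, which parsed-parameter APIs may collapse to one
  // entry (last wins) or merge into an array.
  const params = rawUrl.substring(q + 1).split("&");
  if (params.length !== 1) {
    return { ok: false, reason: "expected exactly one parameter" };
  }
  const eq = params[0].indexOf("=");
  if (eq === -1) {
    return { ok: false, reason: "parameter has no value" };
  }
  const name = params[0].substring(0, eq);
  const value = params[0].substring(eq + 1);
  if (name !== "message") { // case-sensitive, as the text requires
    return { ok: false, reason: "unexpected parameter name" };
  }
  if (!VALUE_RE.test(value)) {
    return { ok: false, reason: "value is not purely alphanumeric" };
  }
  return { ok: true, value };
}
```

Wire it in as the first thing the request handler does, for example `if (!validateMessageRequest(req.url).ok) { res.statusCode = 400; return res.end(); }`. Note that the client-side whitelist in the text admits whitespace while this server-side one, as the text states it, does not; if the page must display multi-word messages the two lists need to agree, otherwise the server rejects input the client would accept.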
