Validate Output
As with reflected XSS flaws, applications can HTML-encode user-controllable DOM data before it is inserted into the document. This allows all kinds of potentially dangerous characters and expressions to be displayed within the page in a safe way. HTML encoding can be implemented in client-side JavaScript with a function like the following, which lets the browser's own DOM serializer perform the encoding:
function sanitize(str)
{
    // Wrap the input in a text node; serializing it back via innerHTML
    // yields the HTML-encoded form of the string (e.g. < becomes &lt;).
    var d = document.createElement('div');
    d.appendChild(document.createTextNode(str));
    return d.innerHTML;
}
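The following is an added example, not code from the book: it implements the same HTML encoding as the sanitize() function above without depending on a document object, so it can be tested outside a browser, and it shows the difference between writing a URL-fragment value into the page raw and writing it encoded. The messageFromHash helper, the message parameter name and the sample fragment are assumptions constructed for the example. Unlike the DOM-based version, which only covers &, < and >, this encoder also covers the two quote characters, so its output is safe in quoted attribute values as well as in element content.

```javascript
// Added example (not from the book): a pure-function HTML encoder equivalent to
// the DOM-based sanitize() shown on the page, usable under Node for testing.
// It encodes the five characters that matter for element content and quoted
// attribute values; the DOM-based version only covers &, < and >.
function htmlEncode(str) {
  return String(str).replace(/[&<>"']/g, function (ch) {
    return {
      '&': '&amp;',
      '<': '&lt;',
      '>': '&gt;',
      '"': '&quot;',
      "'": '&#x27;'
    }[ch];
  });
}

// Typical DOM XSS pattern: a value is taken from the URL fragment and written
// into the page. These helpers build the markup for a "message" element; the
// unsafe variant concatenates raw data, the safe one encodes it first.
function buildMessageUnsafe(fragment) {
  return '<p>Message: ' + fragment + '</p>';
}

function buildMessageSafe(fragment) {
  return '<p>Message: ' + htmlEncode(fragment) + '</p>';
}

// Extract the (hypothetical) "message" parameter from a location.hash-style
// string such as "#message=Hello". Returns '' when the parameter is absent.
function messageFromHash(hash) {
  var m = /[#&]message=([^&]*)/.exec(hash);
  return m ? decodeURIComponent(m[1]) : '';
}

// Constructed sample input: a fragment carrying markup, as an attacker-controlled
// URL might. Once encoded it is rendered as literal text, not as a script element.
var sampleHash = '#message=' + encodeURIComponent('<script>alert(1)</script>');

if (typeof require !== 'undefined' && require.main === module) {
  var msg = messageFromHash(sampleHash);
  console.log('unsafe:', buildMessageUnsafe(msg));
  console.log('safe:  ', buildMessageSafe(msg));
}
```

In a browser the safe string can be assigned to element.innerHTML; better still, assign the raw value to element.textContent, which needs no encoding at all because it never parses markup. Note that HTML encoding is the right defence only for HTML contexts: data written into a JavaScript string, a URL, or a CSS value needs the encoding appropriate to that context.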
Preventing XST
The XST technique depends upon finding some XSS flaw that allows the attacker to insert arbitrary JavaScript into a page viewed by another user. Hence, eliminating all XSS vulnerabilities ought to remove any opportunities for an attacker to use the technique. Nevertheless, it is recommended both that all cookies are flagged as HttpOnly and that the TRACE method is disabled on the web server hosting the application.