HP Security Products Blog
From applications to infrastructure, enterprises and governments alike face a constant barrage of digital attacks designed to steal data, cripple networks, damage brands, and perform a host of other malicious intents. HP Enterprise Security Products offers products and services that help organizations meet the security demands of a rapidly changing and more dangerous world. HP ESP enables businesses and institutions to take a proactive approach to security that integrates information correlation, deep application analysis and network-level defense mechanisms—unifying the components of a complete security program and reducing risk across your enterprise. In this blog, we will announce the latest offerings from HP ESP, discuss current trends in vulnerability research and technology, reveal new HP ESP security initiatives and promote our upcoming appearances and speaking engagements.

Displaying articles for: May 2006

Common Misconceptions in Web Application Security, Part 1



During the past few months, I have noticed a big misconception when it comes to Cross-site scripting. There is a myth floating around that using the POST method instead of the GET method will eliminate Cross-site scripting or make the vulnerability insignificant. Unfortunately, this just masks the problem; the vulnerability is still there. All that is required is a different method of exploitation.

A GET-based Cross-site scripting attack normally involves an individual following a URL sent to them that has script injected into it. Exploiting a POST-based Cross-site scripting vulnerability usually requires one extra step. Instead of sending the user a URL that points at the vulnerable web application, the attacker can send a URL to a page the attacker controls that contains a form. By using the BODY tag with the onload attribute, that page can cause the browser to auto-submit the form with the POST method to the vulnerable web application as soon as it is viewed, injecting the script. The injected script can do everything a GET-based Cross-site scripting attack can do, but the URL in the address bar doesn't have any parameters with script in them.

To truly fix Cross-site scripting, whether it is POST or GET based, you need to encode characters using a technique called white listing. With this technique, when filtering characters you encode anything that you weren't explicitly looking for. If you take the alternative approach and encode only dangerous characters like > or <, you leave room for permutations that you did not expect.
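
The difference between the two encoding approaches, as an added example that is not code from the original post. The allow list, the function names and the sample value are assumptions made for the illustration; the value is placed in an HTML attribute the same way whether it arrived by GET or POST.

```python
import string
from html.parser import HTMLParser

# Allow list (an assumption for this example): these pass through, all else is encoded.
SAFE_CHARS = frozenset(string.ascii_letters + string.digits + " .,-_")

# Constructed sample value: it contains no < or >, only a double quote.
SAMPLE = 'x" data-injected="1'


def encode_whitelist(value: str) -> str:
    """Encode every character that is not explicitly allowed."""
    return "".join(c if c in SAFE_CHARS else f"&#x{ord(c):X};" for c in value)


def encode_blacklist(value: str) -> str:
    """The weaker alternative: encode only the 'dangerous' < and >."""
    return value.replace("<", "&lt;").replace(">", "&gt;")


def render_input(value: str, encoder) -> str:
    """Echo a request parameter (GET or POST alike) into an attribute value."""
    return f'<input name="q" value="{encoder(value)}">'


class _AttrCollector(HTMLParser):
    """Records the attributes of the last start tag the parser saw."""

    def __init__(self):
        super().__init__()
        self.attrs = {}

    def handle_starttag(self, tag, attrs):
        self.attrs = dict(attrs)


def parsed_attrs(markup: str) -> dict:
    """Return the attributes an HTML parser sees in the rendered tag."""
    parser = _AttrCollector()
    parser.feed(markup)
    parser.close()
    return parser.attrs


if __name__ == "__main__":
    for encoder in (encode_blacklist, encode_whitelist):
        tag = render_input(SAMPLE, encoder)
        print(f"{encoder.__name__}: {tag} -> {parsed_attrs(tag)}")
```

With the blacklist encoder the parser sees a third attribute that the application never wrote; with the whitelist encoder the whole sample stays inside `value`.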
