Thursday, November 22, 2012

XSS - Possible measures

I understand that there are some tools like Nessus and Nikto that would help detect such attacks. I have no idea about them though. Just came across these stuffs and hence though of sharing the same.

Following is a shame less copy and paste. Again just wanted to share what I read.


How to Protect Yourself

The primary defenses against XSS are described in the OWASP XSS Prevention Cheat Sheet.
Also, it's crucial that you turn off HTTP TRACE support on all webservers. An attacker can steal cookie data via Javascript even when document.cookie is disabled or not supported on the client. This attack is mounted when a user posts a malicious script to a forum so when another user clicks the link, an asynchronous HTTP Trace call is triggered which collects the user's cookie information from the server, and then sends it over to another malicious server that collects the cookie information so the attacker can mount a session hijack attack. This is easily mitigated by removing support for HTTP TRACE on all webservers.
The OWASP ESAPI project has produced a set of reusable security components in several languages, including validation and escaping routines to prevent parameter tampering and the injection of XSS attacks. In addition, the OWASP WebGoat Project training application has lessons on Cross-Site Scripting and data encoding.

And I guess you can get more ideas on the possible ways by which you can be exploited in http://ha.ckers.org/xss.html.
Hope this helps :)

No comments:

Post a Comment