Communications of the ACM
Securing the Tangled Web
Credit: Photobank Gallery
Script injection vulnerabilities are a bane of Web application development: deceptively simple in cause and remedy, they are nevertheless surprisingly difficult to prevent in large-scale Web development.
Cross-site scripting (XSS)2,7,8 arises when insufficient data validation, sanitization, or escaping within a Web application allow an attacker to cause browser-side execution of malicious JavaScript in the application's context. This injected code can then do whatever the attacker wants, using the privileges of the victim. Exploitation of XSS bugs results in complete (though not necessarily persistent) compromise of the victim's session with the vulnerable application. This article provides an overview of how XSS vulnerabilities arise and why it is so difficult to avoid them in real-world Web application software development. Software design patterns developed at Google to address the problem are then described.
Comments
Michael Ayres
Every time I read about the inherent security issues in Web based computer applications, it triggers a long standing cognitive dissonance issue for me, "Why in God's name do we deploy transaction applications based on the HTTP protocol delivering HTML pages?" Of course, this immediately identifies me as an outlier, or Luddite, or just plain stupid. I get it that in the early Web days, a bank, or retaIler with an unknown customer/client based benefited by being able to deliver some transaction services to strangers that came to their Web site door. Over the years, we have build layer and layer of functionality around and on our HTML delivery standard, creating web stuff that works like a traditional application. But, since Citrix delivery of fully compiled applications has become so much more efficient, and simple for the end user clients, than its first generation versions, why have we not abandoned the web stuff where security, performance, reliability and the like are vaguely important? My wife does some telecommute work from home and we can cannot distinguish that the full blow application is not running at her office Windows PC connected to the server in the next room. When her Windows laptop crashed, we quickly and easily downloaded the Citrix Zen listener (or what ever it's called) to my MacBookPro and she continued on with a mere blink. XSS, Session Hijacking, or any of the other myriad built it risks of Web HTML apps sending most of the source code in the open, are not in the picture.Why would I not do that? I guess there is the infrastructure costs of Citrix, and that there is a whole industry for yet another WEB/HTML bolt on, or new language (Ruby on Rails) that are suited for citizen developers who know nothing else.
It seems a win-win to me for businesses, put out insecure stuff, then sell another product to fix the broken thing sold in the first place.
Displaying 1 comment