Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Best Practice: Legitimate Cross-Site Scripting

Tags:

While cross-site scripting is generally regarded as negative, I've run into several situations where it's necessary.

I was recently working within the confines of a very limiting content management system. I needed to include database code within the page, but the hosting server didn't have anything usable available. I set up a couple bare-bones scripts on my own server, originally thinking that I could use AJAX to import the contents of my scripts directly into the template of the CMS (thus retaining dynamic images, menu items, CSS, etc.). I was wrong.

Due to the limitations of XMLHttpRequest objects, it's not possible to grab content from a different domain. So I thought iFrame - even though I'm not a fan of frames, I thought that I could create a frame that matched the width and height of the content so that it would appear native. Again, I was blocked by cross-site scripting "protections." While I could indeed load a remote file into the iFrame, I couldn't execute JavaScript to modify its size on either the host page or inside the loaded page.

In this particular scenario, I wasn't able to point a subdomain to my server. I also couldn't create a script on the CMS server that could proxy content from my server, so my last thought was to use a remote JavaScript.

A remote JavaScript works. It breaks when the user has JavaScript disabled, which is a downside; but it works. The "problem" I was having with using a remote JavaScript was that I had to use the JS function document.write() to output any content. Any output that isn't JS causes script errors. In addition to using document.write() for every line, you also have to ensure that the content is escaped - or else you end up with more script errors.

My solution was as follows:

My script received a GET parameter ("page") and then looked for the file ({$page}.php), and read the contents into a variable. However, I had to use awkward buffering techniques in order to actually execute the included scripts (for things like database interaction) then strip the final content of all line break characters (\n) followed by escaping all required characters. The end result is that my original script (which outputs JavaScript) accesses seemingly "standard" scripts on my server and converts their standard output to JavaScript for displaying within the CMS template.

While this solution works, it seems like there may be a better way to accomplish the same thing. What is the best way to make cross-site scripting work specifically for the purpose of including content from a completely different domain?

like image 469
Ryan Avatar asked Sep 09 '08 19:09

Ryan


People also ask

What is a good solution for cross-site scripting?

The common remedy for stored XSS attacks is to sanitize input on both the front end and back end of the application. Sanitizing involves a combination of validating data and escaping special characters or completely filtering those out and is a common best practice for web and JavaScript security.

What is the most effective defense against cross-site scripting attacks?

A web application firewall (WAF) can be a powerful tool for protecting against XSS attacks. WAFs can filter bots and other malicious activity that may indicate an attack. Attacks can then be blocked before any script is executed.

What is an example of cross-site scripting?

A typical example of reflected cross-site scripting is a search form, where visitors sends their search query to the server, and only they see the result. Attackers typically send victims custom links that direct unsuspecting users toward a vulnerable page.


1 Answers

You've got three choices:

  1. Create a server side proxy script.
  2. Create a remote script to read in remote dynamic HTML. Use a library like jQuery to make this easier. You can use the load function to inject HTML where needed. EDIT What I originally meant for example # 2 was utilizing JSONP, which requires the server side script to recognize the "callback=?" param.

  3. Use a client side Flash proxy and setup a crossdomain.xml file on your server's web root.

like image 133
Jake McGraw Avatar answered Oct 14 '22 07:10

Jake McGraw