Cross Site Scripting (XSS): An Overview - Conclusion and Checklist for Data ValidateRequest

(Page 5 of 5 )

Though I have taken every care in covering all the ways of XSS attack, never take this as if you will never be attacked by cross site scripting. XSS Lovers keep on finding new ways to implement cross site scripting attack.

Remedies as input validation and HTML escaping are a start, but they must be applied at all application points that accept data. An application with a single overlooked form field is just as insecure as one that does no checking whatsoever. This article doesn't cover the complete solution to XSS-style attacks -- I've only discussed the individual approach that users and Web developers can take. To insure that we always check our data ValidateRequest is developed.

• Always do input validation.
  
• If possible do output validation as well.
  
• Never rely on client side scripting.
  
• Avoid Get method for sending data.
  
• Always use validateRequest=True;
  
• Always replace ‘(single quote-if you are storing data in a database especially) to prevent SQL Injection.
  
• Avoid using Cookies.
  
• Always verify and check the lengths of string to safeguard against stack-overwriting attacks and SQL errors.

Keep yourself updated on the topic to know “Whether attackers have found a new way to implement cross site scripting attacks.”

Helpful Links:

http://www.cert.org/tech_tips/malicious_code_mitigation.html  -- This provides mitigation strategies for preventing cross-site scripting (XSS) attacks.

Microsoft Security News -- provides a detailed description of cross-site scripting (XSS) and the problems it can cause.

In "Cross-site scripting" -- by Paul Lee, find some tactics to fix this potentially dangerous security exposure.

See also:

A Guide to building secure web applications.

DISCLAIMER: The content provided in this article is not warranted or guaranteed by Developer Shed, Inc. The content provided is intended for entertainment and/or educational purposes in order to introduce to the reader key ideas, concepts, and/or product reviews. As such it is incumbent upon the reader to employ real-world tactics for security and implementation of best practices. We are not liable for any negative consequences that may result from implementing any information covered in our articles or tutorials. If this is a hardware review, it is not recommended to open and/or modify your hardware.

Comments On: Cross Site Scripting (XSS): An Overview

>>> Be the FIRST to comment on this article!