Still playing catch-up after my recent travels – but this article still bears mentioning.
I saw this article about Web 2.0 phishing a while ago and was intrigued. The basic premise is that new “Web 2.0” phishing attacks will overtake phishing emails as spam filters get better. This is an excellent idea and deserves more specific discussion.
First of all – any self-respecting organization that does web development has hopefully purchased a web application scanner by this point and they are running it against any public-facing application. These scanners are great (well, reasonably good) at finding Cross Site Scripting (XSS) and SQL Injection flaws. Anyone who is deploying web applications ought to be using one because that is just good due care. <shameless_plug>If you don’t have one, please give us a call at Denim Group – we are resellers for all of the good ones and we provide training on how to use them, what they do, and what they won’t do so you can understand where they fit into a comprehensive application security program.</shameless_plug>
How do you defend against this? Unfortunately I can only repeat advice from the past:
- Escape untrusted data before it is sent to an output stream – Whether the data comes directly from user input or from a data store that isn’t completely under your application’s control, this is the only sure-fire way to prevent Cross Site Scripting (XSS) attacks. If you HTML escape the output every time you display input from a potentially malicious source, you will not have problems with cross site scripting. Remember that untrusted sources include user inputs as well as data pulled from data sources. Think you can trust the data in your database? Ask yourself how many other applications have write access to that database and how confident you are about the filtering your application has had in place over time. When in doubt – filter. We find that 98% of the time you don’t need special characters from data sources, and when that is the case there is no harm in HTML escaping everything before it gets sent out the door.
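The two rules above, escape at the output stream and treat data-store contents as untrusted, as an added example (my code, not part of the original post): a Python rendering function that HTML escapes both a request parameter and the rows of a constructed comments table before they reach the page, plus a regression check that no raw untrusted value appears verbatim in the output. It covers HTML element content and double-quoted attributes; other output contexts (JavaScript, URLs, CSS) need their own encoding.

```python
import html

# Constructed sample rows, standing in for a comments table that some other
# application with write access may have populated without any filtering.
# Hypothetical test data, not taken from any real system.
STORED_COMMENTS = [
    {"author": "alice", "body": "Nice write-up on Web 2.0 phishing."},
    {"author": 'bob" onmouseover="run()', "body": "<script>run()</script>"},
]


def escape_html(value) -> str:
    """Escape for HTML element content or a double-quoted attribute value.

    html.escape with quote=True turns & < > " ' into entities, so the browser
    renders the characters as text instead of treating them as markup.
    """
    return html.escape(str(value), quote=True)


def render_comment(comment: dict) -> str:
    # Every field is escaped whether it came from the request or the database;
    # the data store is not trusted just because our own code wrote to it.
    return (
        '<div class="comment" data-author="{author}"><p>{body}</p></div>'
    ).format(author=escape_html(comment["author"]), body=escape_html(comment["body"]))


def render_page(search_term: str, comments) -> str:
    # search_term arrives straight from the query string; comments come from
    # the data store. Both go through the same escaping at the output stream.
    parts = ["<h1>Results for: {}</h1>".format(escape_html(search_term))]
    parts.extend(render_comment(c) for c in comments)
    return "\n".join(parts)


def leaks_raw_markup(rendered: str, untrusted_values) -> bool:
    """Regression check: does any untrusted value that contains HTML
    metacharacters appear verbatim (unescaped) in the rendered output?"""
    risky = [v for v in untrusted_values if any(ch in v for ch in '<>"\'&')]
    return any(v in rendered for v in risky)


if __name__ == "__main__":
    term = '<img src=x onerror="run()">'  # constructed hostile query parameter
    page = render_page(term, STORED_COMMENTS)
    print(page)
    values = [term] + [c[k] for c in STORED_COMMENTS for k in ("author", "body")]
    print("raw markup leaked:", leaks_raw_markup(page, values))
```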
Yes – Web 2.0 technologies allow for much more interesting and sophisticated payloads to be used in Cross Site Scripting (XSS) attacks. And yes, as spam filters get smarter this may become an easier attack vector. However, the countermeasures against these problems haven’t become any more sophisticated – only the attackers who are looking to exploit age-old issues in applications, issues that should have been solved long ago, have. A more sophisticated exploit against a common problem doesn’t matter if that common problem has already been appropriately remediated.
dan _at_ denimgroup.com