The MSDN “Hackers” blog had a great post today about bad approaches to preventing Cross Site Scripting vulnerabilities. When I teach software security training classes for developers, I run into skepticism from time to time: developers don’t want to fix problems because they believe they are already protected by goofy home-grown protective measures they have in place. I have a standard set of examples I like to run through showing how to defeat black-list input validation and so on, and this post is a great, structured example of more of the same. It does a great job of stepping through ineffective protective measures and the potential exploits that work around the so-called protection.
This reminds me of some of the discussion in “Secure Programming with Static Analysis” where Brian Chess and Jacob West discourage software security personnel from focusing on exploitability. They are right – spending a bunch of time to demonstrate how to get around each flawed protection mechanism is a waste of time that could be spent fixing issues and actually implementing proper protection.
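As an added illustration of the point above (example code written for this post, not taken from the MSDN article or from any project), here is a typical home-grown black-list filter next to context-aware output encoding, which is the protection that actually holds up. The function names, the deny-list contents and the sample inputs are all constructed for the example. The point it shows from the defender's side: the deny list has to enumerate every bad pattern and still mangles legitimate data that happens to contain a listed word, while the encoder defines the safe character set positively and leaves the text intact.

```javascript
// Added example, not from the original post: a home-grown deny-list filter
// beside context-aware HTML output encoding. All names and inputs are
// constructed for illustration.

// A typical "goofy home-grown" protection: strip a fixed list of substrings.
// It only knows the patterns it was told about, and it corrupts legitimate
// input that contains one of those words.
const DENY_LIST = ['script', 'javascript:', 'onerror', 'onload', 'alert'];

function denyListFilter(input) {
  let out = String(input);
  for (const bad of DENY_LIST) {
    out = out.split(bad).join('');
  }
  return out;
}

// Output encoding for the HTML text and double-quoted-attribute contexts:
// every character the HTML parser treats as markup becomes an entity, so
// user data is displayed as text and can never become markup. No list of
// "bad" inputs is required; the safe set is defined positively.
// (JavaScript, URL and CSS contexts need their own encoders; this one is
// for HTML body and quoted attribute values only.)
const HTML_ENTITIES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;',
  '"': '&quot;', "'": '&#x27;', '/': '&#x2F;',
};

function encodeForHtml(input) {
  return String(input).replace(/[&<>"'\/]/g, (ch) => HTML_ENTITIES[ch]);
}

// Render a user-supplied display name into a page fragment using either
// strategy. The value lands in both an attribute and a text node.
function renderProfile(displayName, strategy) {
  const safe = strategy === 'encode'
    ? encodeForHtml(displayName)
    : denyListFilter(displayName);
  return `<div class="profile" data-name="${safe}">Hello, ${safe}</div>`;
}

// Does any user-supplied markup character survive into the fragment as-is?
// With encoding, the only '<' and '"' characters left are the template's own.
function userMarkupSurvives(displayName, strategy) {
  const rendered = renderProfile(displayName, strategy);
  const template = renderProfile('', strategy);
  const count = (s, ch) => s.split(ch).length - 1;
  return ['<', '>', '"'].some((ch) => count(rendered, ch) > count(template, ch));
}

// Constructed sample inputs.
const BENIGN_NAME = 'manuscript collector';   // contains "script" but no markup
const MARKUP_NAME = '<b>bold</b>';            // harmless tag, not on the deny list

console.log(denyListFilter(BENIGN_NAME));     // legitimate data damaged
console.log(encodeForHtml(BENIGN_NAME));      // unchanged
console.log(renderProfile(MARKUP_NAME, 'denylist')); // tag passes straight through
console.log(renderProfile(MARKUP_NAME, 'encode'));   // tag rendered as inert text
```

The `userMarkupSurvives` check is the kind of assertion worth keeping in a unit test: it fails for the deny-list path as soon as any unlisted markup appears in the input, and it passes for the encoding path regardless of what the input contains.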
–Dan
dan _at_ denimgroup.com