XSS Is a Really

By Lisa Vaas  |  Posted 2007-05-09 Print this article Print

Easy Mistake to Make"> If this is coming from Sun, who can we trust? "Youll see that the tutorial never mentions security," Chess said. "With that in mind, its not surprising that it contains cross-site scripting vulnerabilities."

The problem is that Java—and other Web programming languages—make XSS a "really easy mistake to make," he said. "Think of writing the simplest Web page: The first thing you might do when you build a Java Web application. You tell it your name and it says Hello, Brian when I type in my name. The functions that Java provides just to do a Hello, world function will allow XSS."
Web frameworks built into the Java language also make it easy to write an XSS vulnerability into Java code, he said.
"Worse, on top of that, is when we go and teach people how to write code in Java, we give examples of code thats vulnerable to XSS," he said. As it now stands, the responsibility to watch for the most common Java security traps lies completely with the developer. Can this situation ever be remedied? It could be, but it wouldnt be easy, Chess said. One step toward a solution would be to modify browsers to make XSS harder. What that would require is changing a Web standard and getting all the browser biggies—Microsoft, Mozilla and Apple—to sign on. Even if somebody did talk them into going along with the plan, it would require a new browser to be pushed out to millions of users. "The fastest we could change that stuff, it would take years," Chess said. "[Changing] the fundamentals of frameworks or languages, that takes a really long time to do." The reason why XSS deserves such a beating is because the situation more and more parallels where we were with buffer overflows 10 years ago. Both security vulnerabilities are very powerful for attackers, Chess said, as the flaws allow attackers to inject code into a system and provide complete takeover. The reason buffer overflows have been such a problem is that frameworks in C and C++ made them very easy to create, he said. It happened with buffer overflows, and now its happening with XSS. Researcher: JavaScript attacks are getting slicker. Click here to read more. Where it diverges, though, is that buffer overflows are somewhat hard to exploit, Chess said, requiring an attacker to be fairly knowledgable about a systems architecture and whats happening on that machine. "XSS vulnerabilities are much easier to exploit," he said. "Just go to your local bookstore, buy a book on JavaScript and you can get started on XSS." Its not a great state of affairs, but its not time to throw in your hat, either. Fortify has seen open-source projects where developers have clearly taken an effort to prevent XSS. Such projects may have a few XSS vulnerabilities, compared with a project of similar scope from a clueless developer that has 50. "We see when developers pay attention to it they can bring their numbers down," Chess said. Still, Chess said, Fortify hasnt seen a magic turnover where developers are waking up to secure Java coding practices. Rather than relying on those developers, a more effective route may be to talk to framework owners and software makers to see what can be done to make the Web a safer place to program, Chess said. That, however, is no quick fix either. "Its going to be a long road," he said. Editors Note: This story was updated to correct HTML codes around the < and > characters in the code sample, to add input from William Pugh and to correct Brian Chess quote on what kind of book to buy to get started on XSS. Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.

Lisa Vaas is News Editor/Operations for eWEEK.com and also serves as editor of the Database topic center. Since 1995, she has also been a Webcast news show anchorperson and a reporter covering the IT industry. She has focused on customer relationship management technology, IT salaries and careers, effects of the H1-B visa on the technology workforce, wireless technology, security, and, most recently, databases and the technologies that touch upon them. Her articles have appeared in eWEEK's print edition, on eWEEK.com, and in the startup IT magazine PC Connection. Prior to becoming a journalist, Vaas experienced an array of eye-opening careers, including driving a cab in Boston, photographing cranky babies in shopping malls, selling cameras, typography and computer training. She stopped a hair short of finishing an M.A. in English at the University of Massachusetts in Boston. She earned a B.S. in Communications from Emerson College. She runs two open-mic reading series in Boston and currently keeps bees in her home in Mashpee, Mass.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel