开发者

XSS: is it still a problem?

Am I right to say that XSS isn't such a problem anymore? Since IE 开发者_开发百科8/Chrome block it anyway?


No. You can still exploit XSS vulnerabilities if a page is vulnerable.


Yes, browsers have improved allot against XSS attacks. But please, NEVER thrust user input. For example a XSS attack tactic that still works.

- Escaping HTML tags.

[example] You have a search engine website with a profile that other people can see your saved searches. [/example]

When your users has the ability to save search results and share them with other users and the user save this result: " /> <iframe src=[malware]></iframe> the " /> shuts down the tag and makes it possible to enter the hackers code after it. Making it possible to steal sessions, insert images or redirect the user to another website.

This is just a little example that still works, there are allot more. Try it yourself!

More info: http://heideri.ch/jso/#html


Malicious users have not disappeared.

A lot of XSS loopholes have closed in major browsers but there are still plenty of ways people can take advantage of you.

The only thing that's changed is that as a developer, defending against XSS is easier since there are less things to block / watch for.

0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜