Can we please stop cross-site scripting attacks?

You'd think the Web designers and masters of a major presidential campaign site would get it right, wouldn't you? I mean, they're running these sites to convince voters to get their person into the White House, right? Isn't that worth a little time and trouble to make sure that the site isn't easily crackable?

Well, as anyone who tried to visit Sen. Barack Obama's campaign site's community area over the weekend, only to find themselves visiting Sen. Clinton's site, knows, the answer is "no."

It's not just Obama's techies, though. It seems that Hillary's site is also ripe for the picking, but so far, to the best of my knowledge, no one's done it. Yet.

What is it with Web people anyway? This is political science, not rocket science. The problem behind the Obama site exploit is yet another example of good old XSS (Cross Site Scripting). Anyone who's been paying attention to Web design and/or security has known about this one since a 2000 CERT advisory, when Bill Clinton was still in the White House.

XSS, for those of you who don't know it, and I quote from that original notice, comes about when "A Web site may inadvertently include malicious HTML tags or script in a dynamically generated page based on unvalidated input from untrustworthy sources. This can be a problem when a Web server does not adequately ensure that generated pages are properly encoded to prevent unintended execution of scripts, and when input is not validated to prevent malicious HTML from being presented to the user."

The answer on how to wallop XSS is right there: make sure generated, aka dynamic, Web pages are "properly encoded to prevent unintended execution of scripts" and, this is a big one folks, validate the freaking inputs so that people can't feed your Web site's viewers poisonous garbage.
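To make those two remedies concrete, here is an added illustration in Python (my own example, not the column's code and not AntiSamy): a page fragment built from a visitor's comment with no encoding, beside the same fragment with HTML encoding, plus an allowlist check for a field that has a known shape. The function names and the sample comment are constructed for this example.

```python
import html
import re

# Constructed sample input: a visitor-submitted comment carrying script markup.
UNTRUSTED_COMMENT = '<script>alert(1)</script> Vote!'


def render_unsafe(comment: str) -> str:
    """The bug: untrusted text is pasted straight into the generated page."""
    return f'<p class="comment">{comment}</p>'


def render_encoded(comment: str) -> str:
    """The CERT remedy: encode for the HTML text context before output.

    html.escape turns <, >, &, " and ' into entities, so the browser shows
    the characters instead of parsing them as tags or attribute delimiters.
    """
    return f'<p class="comment">{html.escape(comment, quote=True)}</p>'


# Allowlist for a user handle: only letters, digits and underscore, 1-20 chars.
HANDLE_RE = re.compile(r"[A-Za-z0-9_]{1,20}")


def validate_handle(handle: str) -> bool:
    """Input validation: reject anything outside the expected shape of the field."""
    return HANDLE_RE.fullmatch(handle) is not None


def contains_executable_markup(page: str) -> bool:
    """Crude detector used only to compare the two renderers: a script tag or an
    inline on*= event handler attribute surviving into the page."""
    lower = page.lower()
    if "<script" in lower:
        return True
    return re.search(r"<[a-z]+[^>]*\son[a-z]+\s*=", lower) is not None


if __name__ == "__main__":
    print("unsafe :", render_unsafe(UNTRUSTED_COMMENT))
    print("encoded:", render_encoded(UNTRUSTED_COMMENT))
    print("handle ok:", validate_handle("voter_2008"))
```

Encoding must match the output context (HTML text, attribute, URL, JavaScript); the text-context escaping shown here is not sufficient on its own for a value placed inside a script block or an unquoted attribute.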

With Obama's site all that happened was a prank. These XSS security holes could have just as easily been used to really foul up the site's viewers. For example, XSS vulnerabilities are often used to rip off visitors' personal information or give them a nice case of malware. Isn't this exactly what you want your Web site to do?

It's only getting worse. Microsoft reports that malware infections on Windows PCs have jumped 55% so far this year from the first six months of 2007. And, where do these nasty programs come from? Usually they get there by way of hacked Web sites.

Great. Just great.

So, let me make a plea to everyone in charge of running a Web site. First, make sure your Web site software, especially any kind of blogging or CMS (content management system) software, has been updated with the latest patches. OK, everyone tells you that. That doesn't mean, however, that many of you have been doing it. If you were, XSS wouldn't continue to be such a commonplace pain.

Next, may I recommend that, if you're technically inclined, you work on implementing OWASP's (Open Web Application Security Project) AntiSamy Project on your site. AntiSamy is an API (application programming interface) that makes sure people posting to your site can't plant XSS exploits or other attack code. The developers are working on .NET and PHP packages for those who don't include programming in their skill set.

Finally, do, please do, read and put into practice the suggestions in the CERT document, Understanding Malicious Content Mitigation for Web Developers. It's pretty basic stuff, but if you just use these techniques alone you'll have gone a long way toward making sure that your Web site, and maybe even your presidential candidate, will be XSS trouble free.
