Sponsored Link •
XSS has been around for a long time, but the current appetite for weblogs opens up new opportunities for attackers.
The idea is simple: a web site allows users to enter content. Somehow, the third party content gets embedded in an HTML page at the server before it is sent out to other users. Lots of sites rely on this principle: Amazon, eBay, Yahoo Groups and, of course, web logs.
What happens if the posted content contains a script?
Well, you may have seen what happens: the script gets executed on your machine.
My script is innocent enough:
it just pops up a notification.
But these scripts can be really vicious.
Gathering private data and posting it to the attacker's site is an old favorite.
The security conscious configure their browser not to execute scripts. I would heartily recommend you try that, but, if your browsing behavior is similar to mine, you will probably end up turning them back on as so many web sites rely on them. That includes sites you would expect to take security seriously. For example, I found that one of the banking applications I use relied on scripts. So users by and large allow scripts and implicitly trust the web sites they visit. This is what makes cross-site scripting or XSS so insidious: the visited web site does not control the script.
Actually, there are some things that the hosting site can and should do: it should validate the content posted and reject scripts.
I believe this is now done by some of the large eCommerce sites.
But the blogging arena is a fertile new ground for this old flower to blossom again.
I believe Artima's web logs are not a risk in this respect as there is a personal trust relationship between Bill Venners, Artima's owner, and the bloggers. Not so for many of the weblog hosts out there.
Still, I think that Bill should get this fixed and disallow posts that contain scripts. I can lend you a hand if you want, Bill.
|Johan Peeters is an independent software architect who spends a lot of time plumbing and generally fixing leaks.|