  1. #1

    WebApp Cross Site Scripting

    ScanAlert is complaining that I have WebApp Cross Site Scripting vulnerability on my web site. They refer to one of my search scripts. The script takes the search parameters from the web site and then returns the search results. Sometimes instead of the search results, it produces a page with a different search form.

    I have read something about this vulnerability, and it is advised to change all < and > tags to &lt; and &gt; for text/HTML of the tag itself.

    My question is: am I supposed to change all < and > tags on the web page that the script is run from, or do I have to do it inside of the CGI script that prints the results in HTML?

  2. #2
    Here is what ScanAlert suggests:

    "Ensure you turn the > and < into their HTML equivalents before sending it back to the browser.
    Ensure that parameters and user input are stripped of HTML tags before using."

    Are they talking about the script itself or the web page that executes that CGI script?

  3. #3
    What you need to do, in essence, is always treat all user input as suspect and potentially dangerous.

    If a user can input arbitrary HTML or JavaScript without any limits into one of your form fields, your application's output may be compromised with HTML you don't intend, or malicious JavaScript code.

    Essentially you need to escape user-supplied input including special characters > < &. You need to do this on the server side when you retrieve the data from the form (or a variable obtained via a GET too).
    “Even those who arrange and design shrubberies are under
    considerable economic stress at this period in history.”
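The advice above (escape user-supplied input on the server side, at the point where the script prints it back into HTML) is illustrated by the following Python CGI-style sketch. It is an added example, not code from the thread or from ScanAlert: the result list, the `q` parameter name and the `render_*` function names are constructed for illustration. The `render_vulnerable` function mirrors the shape of a search script that echoes the term verbatim, the "before" state the scan report complains about; `render_safe` applies `html.escape` with `quote=True` so the term is safe both as page text and inside the `value="..."` attribute of the re-displayed search form.

```python
import html
import os
from urllib.parse import parse_qs

# Constructed sample result set standing in for the real search backend.
SAMPLE_RESULTS = [
    "Shrubbery care guide",
    "Garden design basics",
    "Hedge trimming schedule",
]


def search(term):
    """Return the sample titles containing the term (case-insensitive)."""
    needle = term.lower()
    return [title for title in SAMPLE_RESULTS if needle in title.lower()]


def esc(value):
    """Escape for HTML text and attribute context.

    quote=True turns " and ' into entities as well, which matters when the
    value is reflected inside value="...". html.escape already handles & < >.
    """
    return html.escape(value, quote=True)


def get_term(query_string):
    """Pull the 'q' parameter out of QUERY_STRING; parse_qs percent-decodes."""
    return parse_qs(query_string).get("q", [""])[0]


def render_vulnerable(query_string):
    """'Before' shape: the search term goes back into the page untouched.

    Whatever markup the user typed becomes part of the document.
    """
    term = get_term(query_string)
    items = "".join(f"<li>{r}</li>" for r in search(term)) or "<li>No results</li>"
    return (
        "<html><body>"
        f'<form><input name="q" value="{term}"></form>'
        f"<h1>Results for {term}</h1><ul>{items}</ul>"
        "</body></html>"
    )


def render_safe(query_string):
    """'After' shape: every reflected value is escaped inside the CGI script.

    The escaping happens here, in the script that prints the HTML, not in the
    static page that hosts the search form. The result titles are constants,
    but escaping them too costs nothing and protects against a later change
    that makes them user-influenced.
    """
    term = get_term(query_string)
    safe_term = esc(term)
    items = "".join(f"<li>{esc(r)}</li>" for r in search(term)) or "<li>No results</li>"
    return (
        "<html><body>"
        f'<form><input name="q" value="{safe_term}"></form>'
        f"<h1>Results for {safe_term}</h1><ul>{items}</ul>"
        "</body></html>"
    )


if __name__ == "__main__":
    # Minimal CGI entry point: the web server hands the query string over in
    # the QUERY_STRING environment variable and the script prints the response.
    print("Content-Type: text/html; charset=utf-8\r\n\r\n", end="")
    print(render_safe(os.environ.get("QUERY_STRING", "")))
```

Running the two renderers against a query such as `q=shrub%22%3Ci%3E` (the term `shrub"<i>` after decoding) shows the difference: `render_vulnerable` emits the quote and the tag literally, closing the attribute early, while `render_safe` emits `shrub&quot;&lt;i&gt;`, which the browser displays as text and never interprets as markup.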
