Oops! I broke Security Now!

I listen to Leo Laporte and Steve Gibson talk about Internet security on the weekly podcast Security Now. I just posted a comment on the show about cross-site scripting attacks. I didn't realize that I was attacking the site myself!

My comment was this:

Validating user input, while a good idea, is not the fix for CSS attacks. As Steve pointed out, it is nearly impossible to accurately detect script in the input.

The fact is, the CSS vulnerability is a defect in the output of a system, not the input. If I tell a web site that my name is "<script>", it should reply "Hello, <script>!". The way you say this in HTML is "Hello, &lt;script&gt;!".

If web developers simply escaped their output, the problem would be solved.

When the site served this comment back, it failed to escape the word "<script>". As a result, the remainder of this comment and all comments that followed were hidden.

I posted the comment a second time, this time escaping it myself on the way in. Hopefully someone can go back into the database and delete the first one.

Sorry Steve!
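
The failure described above, as an added example that is not part of the original post or the site's code: a comment list rendered without and with output escaping, plus a simplified model of what the browser then displays. The function names and sample comments are constructed for illustration, and `visible_text` only approximates browser behaviour.

```python
import html
import re

# Constructed sample data: the first comment echoes the one quoted in the
# post; the second stands in for any comment posted after it.
COMMENTS = [
    ("Visitor", 'If I tell a web site that my name is "<script>", '
                'it should reply "Hello, <script>!".'),
    ("Later commenter", "A later comment."),
]

def render_unescaped(comments):
    """The defect: user text is concatenated into the page as-is."""
    return "".join(f"<li><b>{a}</b>: {t}</li>\n" for a, t in comments)

def render_escaped(comments):
    """The fix: every user-supplied value is HTML-escaped at output time."""
    return "".join(
        f"<li><b>{html.escape(a)}</b>: {html.escape(t)}</li>\n"
        for a, t in comments
    )

def visible_text(page):
    """Simplified model (an assumption) of what a browser displays.

    Everything from a <script> start tag to </script>, or to the end of
    the page if it is never closed, is treated as script source and not
    shown. Remaining tags are dropped and entities are decoded once.
    """
    page = re.sub(r"<script\b[^>]*>.*?(?:</script\s*>|\Z)", "", page,
                  flags=re.I | re.S)
    return html.unescape(re.sub(r"<[^>]+>", "", page))

if __name__ == "__main__":
    # Unescaped: the page is cut off at the first "<script>".
    print(visible_text(render_unescaped(COMMENTS)))
    # Escaped: both comments are shown, "<script>" appears as text.
    print(visible_text(render_escaped(COMMENTS)))
    # Escaping on the way in is stored as data, so a site that escapes
    # its output correctly shows the entities literally.
    pre_escaped = [("Visitor", "Hello, &lt;script&gt;!")]
    print(visible_text(render_escaped(pre_escaped)))
```

The last case shows why escaping belongs at output: a comment escaped by hand on the way in displays as `&lt;script&gt;` once the site escapes its output correctly.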

One Response to “Oops! I broke Security Now!”

  1. Charles Martin Says:

    Oh, the irony! The Horror!!!

