To prevent XSS you will have to escape all the strings coming from GET/POST/COOKIES before you output them. You should escape things that come from other sources as well, in case they contain an XSS attack string (for example, don't include posts from RSS feeds without escaping them properly).
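As an added example (not code from the original post), here is a small PHP page that escapes untrusted values according to the context they are printed into. The helper names `e()` and `eJs()` and the sample request values are assumptions; `htmlspecialchars` and `json_encode` with the `JSON_HEX_*` flags are standard PHP.

```php
<?php
// Added example: escape untrusted input before it is echoed into the page.
// Helper names and sample values are illustrative assumptions.

/** Escape a value for HTML body text or a double/single-quoted attribute. */
function e(string $value): string
{
    // ENT_QUOTES escapes both ' and "; ENT_SUBSTITUTE avoids returning '' on invalid UTF-8.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Escape a value for use as a JavaScript string literal inside a <script> block. */
function eJs(string $value): string
{
    // The JSON_HEX_* flags turn < > & ' " into \uXXXX so the value can never close the <script> tag.
    return json_encode($value, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

// Constructed request data standing in for $_GET / $_POST / $_COOKIE and an RSS item.
$name    = $_GET['name'] ?? '<script>alert(1)</script>';
$rssText = 'Tom "Fancy" <b>O\'Reilly</b>';

// Vulnerable: the raw parameter is printed straight back into the page.
// echo "<p>Hello $name</p>";

// Fixed: every untrusted value goes through the escaper for its output context.
echo '<p>Hello ' . e($name) . '</p>' . PHP_EOL;
echo '<input type="text" name="name" value="' . e($name) . '">' . PHP_EOL;
echo '<li>' . e($rssText) . '</li>' . PHP_EOL;
echo '<script>var visitor = ' . eJs($name) . ';</script>' . PHP_EOL;
```

Note that `htmlspecialchars` covers HTML text and attribute values only; a value placed into a URL, a CSS rule or an inline event handler needs escaping for that context, and the cleanest fix there is usually not to put untrusted data into such places at all.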
From time to time I like to read some non technical books. It always gives you some new perspective on life and you can easily pick up on skills that were completely neglected : -)
10 Day MBA is very good book. It is written in simple and easy to read way. It provides nice overview of marketing, accounting, planning strategy etc. All the pieces you need to understand better how businesses work and how money is earned.
When I say you should not generate CSS files dynamically, I mean that you should not put PHP variables into them.
From my experience it causes all sorts of problems, from security to performance and caching. If you do not have to do it, just don't. You can still merge CSS files to have fewer requests per page, and this is fine, but do not generate each file dynamically: just join them, and make sure it is done in a safe way.
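The following is an added example, not the blog's own code, of what "join them in a safe way" can look like: a build-time script that concatenates a hard-coded list of stylesheets into one static file, so nothing about the served CSS depends on a request. The directory layout, file names and the `buildCssBundle()` function are assumptions.

```php
<?php
// Added example: merge a fixed list of CSS files once at build/deploy time
// instead of serving a PHP script as the stylesheet. Paths are illustrative.

const CSS_DIR    = __DIR__ . '/css';
const CSS_BUNDLE = __DIR__ . '/public/all.css';

/** Hard-coded list: the bundle contents never depend on request data. */
const CSS_FILES = ['reset.css', 'layout.css', 'theme.css'];

function buildCssBundle(array $files, string $dir, string $out): int
{
    $base = realpath($dir);
    if ($base === false) {
        throw new RuntimeException("CSS directory not found: $dir");
    }
    $chunks = [];
    foreach ($files as $file) {
        $path = realpath($base . DIRECTORY_SEPARATOR . $file);
        // Refuse anything outside the CSS directory or not ending in .css, even though
        // the list is static, so a later edit cannot silently widen what gets bundled.
        if ($path === false
            || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0
            || substr($path, -4) !== '.css') {
            throw new RuntimeException("Refusing to bundle: $file");
        }
        $chunks[] = "/* $file */\n" . file_get_contents($path);
    }
    $css = implode("\n", $chunks);
    // Write to a temp file and rename so a half-written bundle is never served.
    $tmp = $out . '.tmp';
    file_put_contents($tmp, $css);
    rename($tmp, $out);
    return strlen($css);
}

$bytes = buildCssBundle(CSS_FILES, CSS_DIR, CSS_BUNDLE);
echo "wrote $bytes bytes to " . CSS_BUNDLE . PHP_EOL;
```

The resulting `all.css` is served by the web server as a plain static file with normal caching headers. If something really has to vary per user, set a class on `<body>` and keep the stylesheet itself static, rather than printing a PHP variable into the CSS.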
Some websites validate some bits and pieces but fail in other cases, assuming that the user will not pass anything strange there.
The French OS Con website is an example of that XSS security risk.
The simplest way to find an XSS security hole is to look for forms and AJAX calls that result in request parameters being printed on the returned page.
Here is a simple example which took 5 minutes to find. Just go to the website you want to verify and look for forms and action URLs.
This example shows a UCD website XSS vulnerability (possible in 2010).
This is a sample to show how to locate XSS attacks, do not try to hack sites this way
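For use against your own site, the check described above can be turned into a regression test. The example below is added here and is not from the original post: given the HTML that one of your own pages returned after a form or AJAX request carried a marker value, it reports whether the marker came back verbatim (unescaped reflection), escaped, or not at all. The marker, the `classifyReflection()` function and the sample responses are constructed assumptions.

```php
<?php
// Added example: classify how a page reflects a submitted marker value.
// Marker, function name and sample responses are constructed for illustration.

const MARKER = 'rfl<"\'>chk7';   // contains the four characters an HTML escaper must rewrite

/**
 * Returns 'unescaped' if the raw marker is reflected into the page,
 * 'escaped' if only the HTML-escaped form appears, or 'absent' if the
 * parameter is not echoed at all.
 */
function classifyReflection(string $body, string $marker = MARKER): string
{
    if (strpos($body, $marker) !== false) {
        return 'unescaped';
    }
    $escaped = htmlspecialchars($marker, ENT_QUOTES, 'UTF-8');
    if (strpos($body, $escaped) !== false) {
        return 'escaped';
    }
    return 'absent';
}

// Constructed responses standing in for what three search pages returned.
$vulnerablePage = '<p>No results for ' . MARKER . '</p>';
$safePage       = '<p>No results for ' . htmlspecialchars(MARKER, ENT_QUOTES, 'UTF-8') . '</p>';
$silentPage     = '<p>No results.</p>';

foreach (['vulnerable' => $vulnerablePage, 'safe' => $safePage, 'silent' => $silentPage] as $label => $html) {
    printf("%-10s %s\n", $label, classifyReflection($html));
}
```

In a test suite you would submit `MARKER` through each form field and query parameter the page echoes and fail the build on `'unescaped'`. Only `'escaped'` and `'absent'` are acceptable results; a page that reflects the parameter inside a `<script>` block or an attribute needs the escaping rules for that context, which this simple check does not cover.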
This post is my final look at the nearly 1200-page-long CISSP book.
In the end I think it was not a total waste of time, as I really liked the physical security chapter, and also the chapter about cryptography was not that bad. Maybe it was not that bad of a refresh. But was it really worth it?
I would definitely not recommend it, as I can't see who can really benefit from that book; it's not senior and not junior, does not explain things well nor provide deep insights. It's just a too long, poorly written book in my opinion.
Cross site scripting leads to a number of security issues. The most important to remember are:
- Session Hijacking - the hacker steals the user's session by getting his cookies and gets access to the user's account
- Cross Site Request Forgery - the hacker uses the user's account to perform an operation that was not intended at all
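As an added example (not part of the original post), the PHP snippet below shows the two standard server-side mitigations for the consequences listed above: a session cookie flagged `HttpOnly`/`Secure` so page script cannot read it, and a per-session CSRF token that state-changing forms must carry. The `csrfToken()`/`csrfValid()` helpers and the form action are assumptions; `session_set_cookie_params`, `random_bytes` and `hash_equals` are standard PHP (7.3+ for the array form of the cookie parameters).

```php
<?php
// Added example: session cookie hardening and a CSRF token check.
// Helper names and the form action are illustrative assumptions.

// 1. Session hijacking: HttpOnly keeps the cookie out of reach of document.cookie,
//    Secure keeps it off plain HTTP, SameSite limits cross-site sending.
session_set_cookie_params([
    'httponly' => true,
    'secure'   => true,
    'samesite' => 'Lax',
]);
session_start();

// 2. CSRF: each state-changing form carries a random per-session token that a
//    third-party page cannot know; the server rejects requests without the right one.
function csrfToken(): string
{
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf'];
}

function csrfValid(?string $submitted): bool
{
    // hash_equals compares in constant time, so the check does not leak timing.
    return is_string($submitted)
        && isset($_SESSION['csrf'])
        && hash_equals($_SESSION['csrf'], $submitted);
}

// Rendering the form: the token travels as a hidden field.
echo '<form method="post" action="/account/email">'
   . '<input type="hidden" name="csrf" value="' . htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8') . '">'
   . '<input type="email" name="email"><button>Save</button></form>' . PHP_EOL;

// Handling the POST: reject before doing anything with the account.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrfValid($_POST['csrf'] ?? null)) {
        http_response_code(403);
        exit('Invalid CSRF token');
    }
    // ... safe to update the e-mail address here
}
```

These are defence in depth, not a substitute for output escaping: if an XSS hole exists on the same origin, injected script can read the hidden token from the page and submit the form itself, and can still drive the user's session through the browser even when it cannot read the cookie.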
I have worked with SOAP services from time to time, but now I have an even nicer way to debug them. I still use SOAPUI as it is an amazing tool, but now I can easily see what PHP is doing :- )
Before, I would simply log everything in raw XML with headers etc. before I sent it out, and whenever I got a response back I would log that too. This is a great way to keep a history of what was actually sent and what we actually got back, in case of any investigations etc. It does not impact performance that much if your volume of calls is low, so you can even enable it temporarily on production servers to see what is there.
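The logging approach described above, written out as an added example (it is not the blog's own code): a `SoapClient` subclass that captures every raw request and response, with headers, by overriding `__doRequest`. The class name, log file path and the service call in the usage comment are assumptions; `SoapClient`, the `trace` option, `__doRequest` and the `__getLast*Headers()` methods are real PHP APIs (the typed signature targets PHP 8).

```php
<?php
// Added example: a SoapClient that appends every raw request/response to a log file.
// Class name, log path and endpoint are illustrative assumptions.

class LoggingSoapClient extends SoapClient
{
    private string $logFile;

    public function __construct(?string $wsdl, array $options, string $logFile)
    {
        // trace=true makes __getLastRequestHeaders()/__getLastResponseHeaders() available.
        $options['trace'] = true;
        parent::__construct($wsdl, $options);
        $this->logFile = $logFile;
    }

    // Every outgoing SOAP envelope passes through here, so this is the one place to log.
    public function __doRequest(string $request, string $location, string $action, int $version, bool $oneWay = false): ?string
    {
        $started = microtime(true);
        $this->log("REQUEST $action -> $location", $request);

        $response = parent::__doRequest($request, $location, $action, $version, $oneWay);

        $ms = (int) round((microtime(true) - $started) * 1000);
        $this->log('REQUEST HEADERS', (string) $this->__getLastRequestHeaders());
        $this->log("RESPONSE HEADERS ({$ms} ms)", (string) $this->__getLastResponseHeaders());
        $this->log('RESPONSE', (string) $response);
        return $response;
    }

    private function log(string $label, string $body): void
    {
        // Timestamped, blank-line separated entries are easy to grep during an investigation.
        $entry = sprintf("[%s] %s\n%s\n\n", date('c'), $label, $body);
        file_put_contents($this->logFile, $entry, FILE_APPEND | LOCK_EX);
    }
}

// Usage (endpoint, operation and log path are placeholders):
// $client = new LoggingSoapClient('https://example.invalid/service?wsdl', ['exceptions' => true], '/var/log/app/soap.log');
// $result = $client->GetQuote(['symbol' => 'XYZ']);
```

Because the log holds the full envelopes, it will contain whatever credentials or personal data the service exchanges; keep the file outside the web root with restrictive permissions, and switch the logging off (or swap in a plain `SoapClient`) once the investigation is over.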
It is a simplified version of Firebug, but the good thing is that it works in any browser, so you can debug and inspect your code and pages in any browser in the same way.
About the author
Hi, my name is Artur Ejsmont,
welcome to my blog. I am a passionate software engineer living in Sydney and working for Yahoo!
If you are into technology, you can order my book Web Scalability for Startup Engineers on Amazon. I would love to hear what your thoughts are, so please feel free to drop me a line or leave a comment.