Where can an XSS injection occur on your page - different scopes need different escaping

XSS can be caused by inserting pieces of HTML or JavaScript into different places of the page (the HTML itself) or into the CSS / JS files it loads.

To prevent XSS you will have to escape all strings coming from GET/POST/COOKIES before you output them. You should escape data that comes from other sources as well, in case it contains an XSS attack string (for example, don't include posts from RSS feeds without escaping them properly).

Review - 10 Day MBA

From time to time I like to read some non-technical books. It always gives you a new perspective on life and you can easily pick up skills that were completely neglected :-)

10 Day MBA is a very good book. It is written in a simple and easy to read way. It provides a nice overview of marketing, accounting, planning, strategy etc. All the pieces you need to understand better how businesses work and how money is earned.

Why you should not insert variables into your dynamic CSS files

When I say you should not generate CSS files dynamically, I mean that you should not put PHP variables into them.

From my experience it causes all sorts of problems, from security to performance and caching. If you do not have to do it, just don't. You can still merge CSS files to have fewer requests per page and this is fine, but do not generate each file dynamically; just join them and make sure it is done in a safe way.

Type of XSS attack where you inject JS into the links on the page

Some websites validate some bits and pieces but fail in other cases, assuming that the user will not pass anything strange there.

The French OS Con website is an example of that XSS security risk.

Locating the simplest XSS vulnerabilities

The simplest way to find an XSS security hole is to look for forms and AJAX calls that result in request parameters being printed on the returned page.

Here is a simple example which took 5 minutes to find. Just go to a website you want to verify and look for forms and action URLs.

This example shows a UCD website XSS vulnerability (possible in 2010).

This is a sample to show how to locate XSS vulnerabilities; do not try to hack sites this way.

Review - CISSP Exam Guide Fourth Edition - 8-11 and summary

This post is my final look at the nearly 1200 pages long CISSP book.

In the end I think it was not a total waste of time, as I really liked the physical security chapter and the chapter about cryptography was not that bad either. Maybe it was not that bad as a refresher. But was it really worth it?

I would definitely not recommend it as I can't see who can really benefit from that book: it is not for seniors and not for juniors, it does not explain things well nor provide deep insights. It is just a too long, poorly written book in my opinion.

XSS attack within CSS file or injected into page inline style

There is a very little known method of injecting JavaScript into CSS files. It does not work in all browsers (it works in my latest IE8), but it is an important fact to know.

Basics of Cross Site Scripting AKA XSS and CSRF

Cross site scripting leads to a number of security issues. The most important to remember are:

  • Session Hijacking - the attacker steals the user's session by obtaining their cookies and gains access to the user's account
  • Cross Site Request Forgery - the attacker uses the user's account to perform an operation that was never intended

More efficient ways of debugging SOAP based Web Services from PHP

I have worked with SOAP services from time to time, but now I have an even nicer way to debug them. I still use SoapUI as it is an amazing tool, but now I can easily see what PHP is doing :-)

Before, I would simply log everything in raw XML with headers etc. before I sent it out, and whenever I got a response back I would log that too. This is a great way to keep a history of what was actually sent and what we actually got back in case of any investigations etc. It does not impact performance that much if your volume of calls is low, so you can even enable it temporarily on production servers to see what is there.

Cross browser debugging of javascript code with ExtJS debug console

I have come across a nice new JavaScript debugging console from ExtJS.

It is a simplified version of Firebug, but the good thing is that it works in any browser, so you can debug and inspect your code and pages in any browser in the same way.

About the author

Artur Ejsmont

Hi, my name is Artur Ejsmont, welcome to my blog. I am a passionate software engineer living in Sydney and working for Yahoo!

Web Scalability for Startup Engineers

If you are into technology, you can order my book Web Scalability for Startup Engineers on Amazon. I would love to hear your thoughts, so please feel free to drop me a line or leave a comment.