A List Apart


Community Creators, Secure Your Code!

Personalization is a great feature: it allows users to make their personal pages come to life by adding colors, pictures, and even sound. But as with any user input, it is a security threat if not properly sanitized. The creation of a secure online community is a balancing act: your users should be able to personalize their pages using pseudo code or actual HTML, while remaining protected from vandals who might inject malicious JavaScript or otherwise cause harm.

One piece of the larger security puzzle is cross-site scripting (XSS). In part one of this two-article series, we will look at various XSS techniques you should be aware of, and at common methods of defending your community against them. In part two, we’ll use real-world examples to explore these techniques in greater detail.

The threat

Malicious JavaScript injections are a threat at many levels. Using a full-fledged injection, an attacker could:

  • Change the presentation of the attacker’s personal pages in a forbidden way (this is the lowest level of severity, but could produce a misleading or confusing experience for other users).
  • Execute an action whenever a user enters the attacker’s page, such as voting for the attacker in a poll or adding the attacker to a buddy or “trusted” list.
  • Infect the personal pages of users who visit the attacker’s page, creating a spreading virus that might, in turn, execute malicious code or propagate spyware/viruses that exploit security flaws in popular browsers.

These are just three examples of what an attacker might do, but two things are already clear:

  1. XSS is a real threat. MySpace and many other community sites have already been attacked or compromised.
  2. Webmasters should, therefore, make sure that their sites are properly protected.

A real-world example using eval() and AJAX

By using the eval() function, an attacker can execute long JavaScript commands and even self-made functions. The attacker could, for instance, use the XMLHTTP request object (the core component of AJAX) to send or retrieve a piece of information. An insertion that would force the victim to vote for the attacker could look something like this:

  // IE only (to shorten the example)
  http_request = new ActiveXObject("Microsoft.XMLHTTP");

  // The string to POST (taken from the community)
  send = "vote-id=123456789&vote=10";

  // We send the data to our function "nullfunction"
  http_request.onreadystatechange = nullfunction;

  // Send it to the right page
  http_request.open("POST", "voteOnAuser.php", true);

  // Sending as form data (the standard form-encoding MIME type)
  http_request.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
  http_request.setRequestHeader("Content-length", send.length);
  http_request.setRequestHeader("Connection", "close");

  // Send
  http_request.send(send);

  // In our case we don't want to use the data being returned.
  // If we'd wanted to (for example, to get our user id or any
  // other information) we could have used this function to
  // process the data.
  function nullfunction() {
    // readyState 4 is the standard "request complete" check
    if (http_request.readyState == 4) {
      // The response is discarded in this example.
    }
  }
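The defender's side of the balancing act described at the top of the article is an output sanitizer that lets members keep their bold text, colors and pictures while anything that could carry script is rendered as harmless text. The following is an added example, not code from the article: it escapes every HTML metacharacter first and then re-enables only a small, exactly matched allowlist of tags. The allowlist (b, i, u, p, br, a font color and an img with an http(s) src), the function names and the sample profile text are assumptions chosen for illustration.

```javascript
// Added example, not code from the article: an "escape first, then
// re-enable a small allowlist" sanitizer for member personalization.
// The tag and attribute allowlist below is an assumption chosen for
// illustration; a real community would tune it to its own features.

const ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Step 1: neutralize every character that can open a tag or attribute.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Tags members may use with no attributes at all.
const SIMPLE_TAGS = ["b", "i", "u", "p", "br"];
const SIMPLE_TAG_RE = new RegExp(`&lt;(/?)(${SIMPLE_TAGS.join("|")})&gt;`, "gi");

// <font color="#rrggbb">: the only attribute value accepted is a 6-digit hex colour.
const FONT_OPEN_RE = /&lt;font color=&quot;(#[0-9a-f]{6})&quot;&gt;/gi;
const FONT_CLOSE_RE = /&lt;\/font&gt;/gi;

// <img src="http(s)://...">: an absolute http(s) URL drawn from a
// conservative character set, and nothing else inside the tag.
const IMG_RE = /&lt;img src=&quot;(https?:\/\/[A-Za-z0-9._~%\/-]+)&quot;&gt;/gi;

// Step 2: turn back into real tags only the patterns that match exactly.
// Anything else (<script>, event-handler attributes, javascript: URLs,
// extra attributes on an allowed tag) stays escaped and renders as text.
function sanitizePersonalization(input) {
  let html = escapeHtml(input);
  html = html.replace(SIMPLE_TAG_RE, (_m, slash, tag) => `<${slash}${tag.toLowerCase()}>`);
  html = html.replace(FONT_OPEN_RE, (_m, color) => `<font color="${color}">`);
  html = html.replace(FONT_CLOSE_RE, "</font>");
  html = html.replace(IMG_RE, (_m, url) => `<img src="${url}">`);
  return html;
}

// Constructed sample of a member's "about me" text, including two
// injection attempts that must come out as plain text.
const SAMPLE = '<b>Hi!</b> <img src="https://example.com/me.png"> ' +
  '<script>alert(1)</script> <b onclick="x()">click</b>';

console.log(sanitizePersonalization(SAMPLE));
```

The order matters: because everything is escaped before any tag is re-enabled, a tag that does not match an allowlist pattern character for character (a `<b>` with an extra attribute, an `<img>` whose src is not http(s)) is never turned back into markup, so there is no "forgot to block this case" failure mode to maintain.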