cross-site scripting
Posted: Sat Oct 26, 2019 10:11 am
After the Skype session yesterday I was discussing some security aspects with Andreu.
Andreu helps me to understand some risks better. I am focused on the firewall but it seems also in programming we must be careful.
but we have to give a security concept to mod harbour starters
Andreu, 19:43
to be fair, I think for starting on the web it's far better to focus on things like XSS
what is XSS
cross-site scripting
it's a web security attack that goes like this:
on your website, you have an input for the user that will be visible to everyone – for example, a comment form on a blog post
and the server-side code used to store and display that comment doesn't escape the input
some malicious user could add input with scripts in the HTML, which could publish private data like cookies
you'd have to escape the input on the server so that it can't be rendered as a script when it's displayed
it's not an attack against the server, but against fellow users of the service
nowadays the web platform offers you tools so that you can block scripts without actually having to escape the input on the server-side
but while some of those are good, if you ask me the complete package is more trouble than just escaping every input
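As an added illustration of the point Andreu makes (this is example code, not something from the post or from the mod harbour project), here is a toy blog-comment renderer in two versions: one that pastes the stored comment straight into the page, and one that escapes every user-controlled value on the server before it is displayed. The comment text, author name and HTML wrapper are all constructed for the example; the only real API used is Python's standard library.

```python
"""Added example (not from the forum post): why server-side HTML escaping
stops stored cross-site scripting. Everything here is constructed for
illustration; no web framework or database is involved."""

# Characters that change meaning inside HTML. Escaping these five is enough
# for data placed in element content or in a double-quoted attribute value.
_HTML_ESCAPES = {
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    '"': "&quot;",
    "'": "&#x27;",
}


def escape_html(text: str) -> str:
    """Return text that is safe to interpolate into HTML element content.

    Same result as the standard library's html.escape(text, quote=True);
    written out here so the transformation is visible.
    """
    return "".join(_HTML_ESCAPES.get(ch, ch) for ch in text)


def render_comment_unsafe(author: str, body: str) -> str:
    """The vulnerable pattern described in the post: stored user input is
    inserted into the page without escaping, so markup in the comment is
    interpreted by every visitor's browser."""
    return f'<div class="comment"><b>{author}</b>: {body}</div>'


def render_comment_safe(author: str, body: str) -> str:
    """The fix: escape each user-controlled value at the point of output.
    The comment is still shown verbatim to readers, but as text, not markup."""
    return (
        f'<div class="comment"><b>{escape_html(author)}</b>: '
        f"{escape_html(body)}</div>"
    )


def contains_script_tag(markup: str) -> bool:
    """Crude check used only to contrast the two renderers in this example."""
    return "<script" in markup.lower()


# Constructed sample input: a stored comment that carries a script tag, the
# kind of input a malicious user might submit through a comment form.
SAMPLE_AUTHOR = "mallory"
SAMPLE_BODY = "nice post <script>alert('xss')</script>"

if __name__ == "__main__":
    print("unsafe:", render_comment_unsafe(SAMPLE_AUTHOR, SAMPLE_BODY))
    print("safe:  ", render_comment_safe(SAMPLE_AUTHOR, SAMPLE_BODY))
```

The escaping has to happen where the value is written into HTML, not just once when it is stored, because the same stored string may later be placed into a different context (an attribute, a URL, a script block) that needs different encoding. The "tools the web platform offers" that Andreu mentions are response headers such as Content-Security-Policy; they are a useful extra layer, but they do not replace output escaping.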