Comments on: Twitter Worm: How It Could Have Been Prevented http://blog.impactalabs.com/2009/04/14/twitter-worm-how-it-could-have-been-prevented/ Sun, 06 Jun 2010 23:16:06 +0000 hourly 1 http://wordpress.com/ By: Kevin Lam (IMPACTA) http://blog.impactalabs.com/2009/04/14/twitter-worm-how-it-could-have-been-prevented/#comment-163 Kevin Lam (IMPACTA) Tue, 21 Apr 2009 15:45:03 +0000 http://blog.impactalabs.com/?p=377#comment-163 These are great Michael, thanks for sharing! --Kevin These are great Michael, thanks for sharing!

–Kevin

]]> By: Michael R(homecoder) http://blog.impactalabs.com/2009/04/14/twitter-worm-how-it-could-have-been-prevented/#comment-162 Michael R(homecoder) Fri, 17 Apr 2009 12:55:47 +0000 http://blog.impactalabs.com/?p=377#comment-162 Thanks again for another great article Kevin. If you are programming on other languages (Non-MS), XSS can easily be combat. There is a project for PHP called: HTML Purifier: http://htmlpurifier.org/ Tutorial on XSS Prevention in Ruby: http://www.oopcenter.com/article/ruby-on-rails/protecting-against-cross-site-scripting-in-ruby.html XSS Prevention in Perl: http://www.perl.com/pub/a/2002/02/20/css.html For ColdFusion I have only found a commercial ($10) mod to assist with XSS, but due to the fact its commercial I won't link it. Also, there is "Web Vulnerability Scanner" available (Free Version does XSS Checks): http://www.acunetix.com/cross-site-scripting/scanner.htm This application (for a note) is by no way the end-all for XSS attacks, but certainly does a good job to prevent the Script Kids (People who find vulnerabilities on the internet and execute them for no reason, and dont possess the skill to find vulnerabilities themselves) from attacking your site. I believe that many developers (along with myself at one point) don't take application security seriously enough, and work with well known (buzz word) attacks, such as SQL Injection. I previously didn't look into it too deeply as I said "Who would want to attack me?" as I didn't run any large-scale sites. But I can say from experience, that without a doubt, those few extra keystrokes (especially if you look at Kevin's tutorial how EASY it is) will save you a LOT of fighting, digging, apology emails, cleaning, etc. Thanks again for another great article Kevin.

If you are programming on other languages (Non-MS), XSS can easily be combat.

There is a project for PHP called: HTML Purifier:

http://htmlpurifier.org/

Tutorial on XSS Prevention in Ruby:

http://www.oopcenter.com/article/ruby-on-rails/protecting-against-cross-site-scripting-in-ruby.html

XSS Prevention in Perl:

http://www.perl.com/pub/a/2002/02/20/css.html

For ColdFusion I have only found a commercial ($10) mod to assist with XSS, but due to the fact its commercial I won’t link it.

Also, there is “Web Vulnerability Scanner” available (Free Version does XSS Checks):

http://www.acunetix.com/cross-site-scripting/scanner.htm

This application (for a note) is by no way the end-all for XSS attacks, but certainly does a good job to prevent the Script Kids (People who find vulnerabilities on the internet and execute them for no reason, and dont possess the skill to find vulnerabilities themselves) from attacking your site.

I believe that many developers (along with myself at one point) don’t take application security seriously enough, and work with well known (buzz word) attacks, such as SQL Injection.

I previously didn’t look into it too deeply as I said “Who would want to attack me?” as I didn’t run any large-scale sites. But I can say from experience, that without a doubt, those few extra keystrokes (especially if you look at Kevin’s tutorial how EASY it is) will save you a LOT of fighting, digging, apology emails, cleaning, etc.

]]>