Saturday, July 19, 2008

Cross-Site Scripting - the Gateway Drug

Remember when you were younger (or for some of you that's now...) and your parents told you that pot was a "gateway drug"? The whole message was that once you got into smoking the reefer, you would be much more exposed to other dangerous drugs and therefore would fall victim more easily.

Let's put that into the web app security context. I know, I know... it's not exactly the same thing, but hear me out. If you're open to XSS, or script injection of some kind, it's only a matter of time before someone moves on to bigger and better attacks on your site. CSRF and SQLi, to name the things you'll be getting hit with next, and it's all about where you start. Sure, Cross-Site Scripting is relatively simple to detect, and reflected XSS requires you to trick a user into clicking something... to exploit themselves (stored XSS doesn't even need that; the payload just sits on your page waiting for the next visitor). But if you're open to script attacks, it means you're not validating input and, more to the point, not encoding output for the context it lands in. That same sloppiness bites you elsewhere: if you're a transactional application, an attacker's script running inside a victim's session can read your anti-CSRF token straight off the page and submit the transaction for them, so whatever CSRF protection you thought you had is gone - or worse... the same unvalidated input reaches a database query and you've got SQL injection! If Cross-Site Scripting is pot's equal... SQL injection has to be like... crystal meth or something. Dangerous to the point where it'll kill you and potentially blow up the whole place.
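To make the "gateway" point concrete, here's an added example (mine, not from the original post) in plain JavaScript: the same comment-rendering sink written the vulnerable way and the output-encoded way, plus a constructed stored-XSS payload that does exactly what the paragraph above warns about, reading an anti-CSRF token off the page and firing a transfer with it. The `/transfer` endpoint, the `csrf_token` field name and the `fetch` call are assumptions for illustration, not anything from a real application.

```javascript
// Added example, not code from the original post. Shows a stored-XSS
// sink, the same sink with contextual output encoding, and why an XSS
// hole also defeats anti-CSRF tokens.

// Constructed attacker input: a "comment" that, if rendered raw, reads the
// victim's anti-CSRF token and submits a transfer in their session.
// Endpoint, field name and form fields are assumptions for illustration.
const XSS_PAYLOAD =
  '<script>' +
  'var t=document.querySelector("input[name=csrf_token]").value;' +
  'fetch("/transfer",{method:"POST",credentials:"include",' +
  'body:"to=attacker&amount=1000&csrf_token="+t});' +
  '</script>';

// Vulnerable: user-controlled text is concatenated straight into HTML, so
// the browser executes whatever script the "comment" contains.
function renderCommentVulnerable(comment) {
  return '<div class="comment">' + comment + '</div>';
}

// Encode the characters that change meaning in an HTML body/attribute
// context. This is output encoding, which is what the paragraph above is
// really about: validation alone won't save a sink like this.
function htmlEscape(s) {
  return String(s).replace(/[&<>"']/g, c => ({
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#x27;'
  })[c]);
}

// Hardened: identical template, but the untrusted value is encoded for
// the context it lands in. The payload is displayed as text, not run.
function renderCommentSafe(comment) {
  return '<div class="comment">' + htmlEscape(comment) + '</div>';
}

// Cheap sanity check: does the rendered HTML still carry a script tag or
// an inline event handler? Good enough to flag the payload above; it is
// not a substitute for a real HTML parser or a proper encoding library.
function containsActiveContent(html) {
  return /<script[\s>]|\son\w+\s*=/i.test(html);
}

// Usage: render the same hostile comment both ways and compare.
console.log('vulnerable:', containsActiveContent(renderCommentVulnerable(XSS_PAYLOAD)));
console.log('hardened:  ', containsActiveContent(renderCommentSafe(XSS_PAYLOAD)));
```

The interesting part isn't the escaping function, it's the payload: once an attacker's script runs in the victim's origin, it can read the anti-CSRF token the same way your own form does, and `credentials:"include"` sends the victim's session cookie along. That's why an XSS bug on a transactional site is effectively a CSRF bug too, no matter how good the token scheme is.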

... and my parents said I never paid attention to them. Ha!

