
Communications of the ACM

Practice

Securing the Tangled Web

[Illustration: Securing the Tangled Web. Credit: Photobank Gallery]


Script injection vulnerabilities are a bane of Web application development: deceptively simple in cause and remedy, they are nevertheless surprisingly difficult to prevent in large-scale Web development.

Cross-site scripting (XSS) [2,7,8] arises when insufficient data validation, sanitization, or escaping within a Web application allows an attacker to cause browser-side execution of malicious JavaScript in the application's context. This injected code can then do whatever the attacker wants, using the privileges of the victim. Exploitation of XSS bugs results in complete (though not necessarily persistent) compromise of the victim's session with the vulnerable application. This article provides an overview of how XSS vulnerabilities arise and why it is so difficult to avoid them in real-world Web application software development. Software design patterns developed at Google to address the problem are then described.
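To make the abstract's point concrete, here is an added example (not code from the article or from Google) contrasting the vulnerable pattern, untrusted data concatenated straight into markup, with a template helper that escapes every interpolated value by default; the `SafeHtml` wrapper, `html` tag and `renderSafe`/`renderUnsafe` names are constructs of this example.

```javascript
// Added example, not from the article: escaping-by-default in a template helper.

// Escape the characters that change meaning in HTML text and quoted attributes.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// The vulnerable pattern: whether escaping happens depends on every call site
// remembering to do it, which is exactly what fails at scale.
function renderUnsafe(name) {
  return "<p>Hello, " + name + "</p>";
}

// Wrapper marking a string as markup that has already been escaped or vetted.
// Only the `html` tag below produces one, so the type itself carries the proof.
class SafeHtml {
  constructor(markup) { this.markup = markup; }
  toString() { return this.markup; }
}

// Tagged template: interpolated values are escaped unless they are SafeHtml
// (nested, already-safe fragments), so omitting the escape is not expressible.
function html(strings, ...values) {
  let out = strings[0];
  values.forEach((v, i) => {
    out += (v instanceof SafeHtml ? v.markup : escapeHtml(v)) + strings[i + 1];
  });
  return new SafeHtml(out);
}

function renderSafe(name) {
  return html`<p>Hello, ${name}</p>`.toString();
}

// Constructed sample input of the kind a script-injection probe would send.
const SAMPLE_INPUT = "<script>alert('x')</script>";

// With concatenation the tag survives intact; with the helper it is inert text.
console.log(renderUnsafe(SAMPLE_INPUT));
console.log(renderSafe(SAMPLE_INPUT));
```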


Comments


Michael Ayres

Every time I read about the inherent security issues in Web-based computer applications, it triggers a long-standing cognitive dissonance issue for me: "Why in God's name do we deploy transaction applications based on the HTTP protocol delivering HTML pages?" Of course, this immediately identifies me as an outlier, or Luddite, or just plain stupid. I get it that in the early Web days, a bank or retailer with an unknown customer/client base benefited by being able to deliver some transaction services to strangers that came to their Web site door. Over the years, we have built layer upon layer of functionality around and on our HTML delivery standard, creating web stuff that works like a traditional application. But, since Citrix delivery of fully compiled applications has become so much more efficient, and simple for the end-user clients, than its first-generation versions, why have we not abandoned the web stuff where security, performance, reliability and the like are vaguely important? My wife does some telecommute work from home and we cannot distinguish that the full-blown application is not running at her office Windows PC connected to the server in the next room. When her Windows laptop crashed, we quickly and easily downloaded the Citrix Zen listener (or whatever it's called) to my MacBookPro and she continued on with a mere blink. XSS, session hijacking, or any of the other myriad built-in risks of Web HTML apps sending most of the source code in the open are not in the picture. Why would I not do that? I guess there are the infrastructure costs of Citrix, and there is a whole industry for yet another WEB/HTML bolt-on, or new language (Ruby on Rails), that are suited for citizen developers who know nothing else.

It seems a win-win to me for businesses, put out insecure stuff, then sell another product to fix the broken thing sold in the first place.


