For instance, if the developer removed apostrophes ('), some people with the last name
O'Reilly, or the like, would be frustrated that their last name is not displayed properly.
50 Hacking Exposed Web 2.0
We strongly discourage developers from removing strings, because a string can be
represented in many ways, and applications and browsers interpret those strings
differently. For example, the SAMY worm took advantage of the fact that IE does not
consider new lines as word delimiters; thus, IE interprets javascript and
jav%0dascr%0dipt as the same. Unfortunately, MySpace interpreted new lines as
delimiting words and allowed the following to be placed on Samy's (and others')
MySpace pages:
We recommend escaping all user-supplied data that is sent back to a web browser within
AJAX calls, mobile applications, web pages, redirects, and so on. However, escaping
strings is not simple; you must escape with URL encoding, HTML entity encoding, or JavaScript
encoding depending on where the user-supplied data is placed in the HTTP responses.
Preventing UTF-7 Based XSS
UTF-7 based attacks can be easily stopped by forcing character encodings in the HTTP
header or within the HTML response.
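The two recommendations above, context-specific escaping of user-supplied data and an explicitly forced character encoding, as one added example. This is illustrative code written for this page, not code from the book or from MySpace; the profile page, the `/redirect?to=` parameter and the sample inputs are constructed. It shows that escaping, unlike stripping, leaves a name such as O'Reilly readable, that the same input needs a different encoding in HTML body, URL and JavaScript contexts, and that the response carries `charset=utf-8` in both the Content-Type header and a `<meta>` tag so the browser has nothing to guess.

```python
import html
import json
import urllib.parse

# Constructed sample inputs (not from the book): a legitimate name containing an
# apostrophe, and a string that would be dangerous if echoed back unescaped.
SAMPLE_NAME = "O'Reilly"
SAMPLE_HOSTILE = "<script>alert(1)</script>"


def escape_html_body(value: str) -> str:
    """HTML entity encoding for data placed in element content or inside a
    quoted attribute value. quote=True also escapes ' and "."""
    return html.escape(value, quote=True)


def escape_url_component(value: str) -> str:
    """URL (percent) encoding for data placed in a query string or path
    segment, e.g. the value of a redirect parameter. safe="" means even '/'
    is encoded, so the value cannot introduce extra path segments."""
    return urllib.parse.quote(value, safe="")


def escape_js_string(value: str) -> str:
    """JavaScript string encoding for data embedded inside a <script> block.
    json.dumps yields a quoted JS string literal; the extra replacements keep
    '</script>' and '<!--' from being seen by the HTML parser, which runs
    before the JavaScript parser ever looks at the literal."""
    literal = json.dumps(value)
    return (literal.replace("<", "\\u003c")
                   .replace(">", "\\u003e")
                   .replace("&", "\\u0026"))


def render_profile_page(display_name: str, next_url: str) -> bytes:
    """Build a complete HTTP/1.1 response for a hypothetical profile page.
    The same user-supplied name lands in three contexts, each with its own
    encoding. The charset is forced in the Content-Type header and repeated
    in a <meta> tag, so the browser never falls back to sniffing (which is
    where a UTF-7 interpretation could otherwise come from)."""
    body = (
        '<!DOCTYPE html><html><head><meta charset="utf-8">'
        "<title>Profile</title></head><body>"
        f"<p>Hello, {escape_html_body(display_name)}</p>"
        f'<a href="/redirect?to={escape_url_component(next_url)}">continue</a>'
        f"<script>var displayName = {escape_js_string(display_name)};</script>"
        "</body></html>"
    )
    encoded = body.encode("utf-8")
    headers = (
        "HTTP/1.1 200 OK\r\n"
        "Content-Type: text/html; charset=utf-8\r\n"
        f"Content-Length: {len(encoded)}\r\n"
        "\r\n"
    )
    return headers.encode("ascii") + encoded


def response_forces_charset(raw: bytes) -> bool:
    """Audit check for a raw HTTP response: True only when the Content-Type
    header names a charset explicitly, i.e. the encoding is forced rather
    than left for the browser to guess."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    for line in head.split(b"\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-type":
            return b"charset=" in value.lower()
    return False


if __name__ == "__main__":
    for sample in (SAMPLE_NAME, SAMPLE_HOSTILE):
        print("HTML:", escape_html_body(sample))
        print("URL: ", escape_url_component(sample))
        print("JS:  ", escape_js_string(sample))
    page = render_profile_page(SAMPLE_NAME, "/home")
    print(page.decode("utf-8"))
    print("charset forced:", response_forces_charset(page))
```

Note that `escape_html_body("O'Reilly")` produces `O&#x27;Reilly`, which the browser renders as the original name; the apostrophe is preserved rather than removed, which is the point of the O'Reilly complaint above. The `response_forces_charset` check is the kind of assertion worth keeping in an integration test so a later refactor cannot silently drop the charset.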