Bypass Input Filters
A great way to stop malicious JavaScript is to ensure it cannot be inserted into a web
application in the first place. Input filtering is probably the first line of defense used by most organizations,
but it should not be the only line of defense. JavaScript is used on most web
applications; however, there is rarely a need for an end user to insert real scripts into
a web page. If HTML is allowed in the application for legitimate purposes, giving
a user a blank canvas for JavaScript is probably a bad idea, as it opens the door to
malicious attacks. Writing good web applications is the best way to prevent malicious
JavaScript, but ensuring input filters cannot be bypassed to reach powerful functions, such
as XMLHttpRequest, is also necessary. As developers know well, it is difficult to
restrict inputs that are required to make the application work; therefore, filtering
out items that are known to be bad or simply not required is one of many steps that can stop
malicious JavaScript.
Nowadays, input filters are gospel for modern web applications. Every security
professional emphasizes them over and over again in presentations on web
application security.
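The paragraphs above argue for filtering out what is not required rather than chasing every known-bad construct. As an added example (not code from the book), this is an allowlist sanitizer built on Python's standard-library html.parser: it re-emits only the tags, attributes and URL schemes the application actually needs, so script elements, event-handler attributes and script-bearing URLs never reach the page. The policy table and the inputs in the usage call are constructed for illustration.

```python
from html import escape
from html.parser import HTMLParser

# Constructed allowlist policy: tag -> attributes permitted on it.
# Anything not listed here (tags, attributes, URL schemes) is dropped.
ALLOWED_TAGS = {"b": set(), "i": set(), "p": set(), "br": set(),
                "a": {"href", "title"}}
VOID_TAGS = {"br"}
SAFE_SCHEMES = ("http://", "https://", "mailto:")


def safe_href(value: str) -> bool:
    """Allow only known-good absolute schemes or a same-origin path."""
    v = value.strip().lower()
    if v.startswith(SAFE_SCHEMES):
        return True
    return v.startswith("/") and not v.startswith("//")  # no protocol-relative


class AllowlistSanitizer(HTMLParser):
    """Rebuilds the document from allowlisted parts; all text is re-escaped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.in_raw = [], 0  # in_raw > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.in_raw += 1            # drop the element and its text content
            return
        if tag not in ALLOWED_TAGS:
            return                      # unknown tag: drop tag, keep its text
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_TAGS[tag] or value is None:
                continue                # on* handlers and stray attributes never pass
            if name == "href" and not safe_href(value):
                continue                # javascript:, data:, //host... are rejected
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.in_raw = max(0, self.in_raw - 1)
        elif tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")  # note: tags are not balanced here

    def handle_data(self, data):
        if self.in_raw == 0:
            self.out.append(escape(data, quote=False))


def sanitize(html: str) -> str:
    """Return html reduced to the allowlisted subset."""
    p = AllowlistSanitizer()
    p.feed(html)
    p.close()
    return "".join(p.out)
```

Because the policy names what is permitted instead of what is forbidden, new tag names, attribute spellings or URL encodings do not need to be anticipated; they simply fail the allowlist.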