Preventing Cross Site Script Attacks

Author: admin    |    Published: 12th Feb 2008     |    Read: 316 times    |  Add Comment
Filed in: AJAX-Security





Cross-site scripting, or XSS, is one of the most popular methods of attacking not only Ajax-based websites but almost any website that accepts user input. Even before Ajax was conceptualized, this attack was already practiced by different hackers. One such hack was used in 2005 against MySpace.com. It used a simple JavaScript function that could be embedded in a user's profile page and in those of others. Once someone viewed the page, the "My Hero" link was changed to the name of the hacker. It was practically a pyramid hack, since anyone who viewed the profile became a host of the hack in turn. The code was actually posted by the builder of the hack, possibly in reparation for what he did. It is just a simple piece of JavaScript that could be embedded in any website. It does not merely extract information; it practically takes over any function it wants to.


Here are some practices that will prevent future attacks using XSS.


1. Filtering Input


One of the main reasons why some websites experience this type of attack is that they do not screen anything that comes from outside sources. You may notice that YouTube and other blogging sites limit posts to simple HTML tags such as bold, italic and a few simple formatting and animation effects. Some sites allow JavaScript functions to be part of a posting. Once this is admitted, everything could be taken over by an attacker. Although the attacker may need to write further functions to completely control the program, all they need are simple functions that can access and extract different information from users. When you filter inputs, you practically stop anyone from posting anything outside the allowed tags.


2. Disabling Functions


This security measure has its pros and cons. Its most obvious advantage is that it does not allow anything outside what you have specified. You can prevent any functions related to JavaScript, Flash, Java or anything else from performing any action in your program. Its disadvantage comes from the fact that you cannot run anything yourself either when you are preventing it from happening. If you are just running a simple forum, there is no problem with the site disabling these functions. However, when you are dealing with user-generated videos, music or code, you will be crippling your own operation.


3. Convert Incoming Functions to HTML


If you cannot live with the incoming functions, here is a simple trick: convert all incoming tags and posts to HTML. Every JavaScript functionality has an HTML counterpart, so there is a good chance that each function will still work, not as an intrusive script but as a helpful function rendered in HTML. If the attack is not cloaked and comes straight in as an intrusion, it will not be able to function at all. Here are some websites that actually provide code for converting a function to HTML:


1. http://hp.jpsband.org/
2. http://daringfireball.net/projects/markdown/
3. http://textism.com/tools/textile/


Among the three, the last one is a perfect solution to any JavaScript function. If the library is properly installed, it will work seamlessly without any concern about attacks.
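As an added example (not code from the original article or from any of the libraries listed above), here is how the input filtering of section 1 and the "render it as HTML text" idea of section 3 fit together in JavaScript: every character with HTML meaning is escaped first, and only a fixed allowlist of attribute-free tags is then turned back into markup. The names escapeHtml, renderUserPost and ALLOWED_TAGS, and the sample posts, are my own constructions.

```javascript
// Added example: escape untrusted text so the browser treats it as text,
// then re-enable only a small allowlist of simple formatting tags
// (bold, italic), as sections 1 and 3 of the article describe.

// Map every character that has meaning in HTML to its entity.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Step 1: neutralise everything. After this, a posted <script> tag is plain text.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Step 2: re-enable only the allowed tags. They are matched on the *escaped*
// form, so a tag can only come back as a bare <b>, </b>, <i> or </i> with no
// attributes, which leaves no room for onmouseover=... or href="javascript:...".
const ALLOWED_TAGS = ["b", "i"];

function renderUserPost(text) {
  let safe = escapeHtml(text);
  for (const tag of ALLOWED_TAGS) {
    const re = new RegExp(`&lt;(/?)${tag}&gt;`, "gi");
    safe = safe.replace(re, `<$1${tag}>`);
  }
  return safe;
}

// Constructed sample posts: harmless formatting, a tag carrying an event
// handler, a raw script, and text that already contains an entity.
const samples = [
  "Hello <b>world</b>",
  '<b onmouseover="alert(1)">click</b>',
  '<script>document.title = "owned"</script>',
  "<i>a &lt; b</i>",
];
for (const s of samples) console.log(renderUserPost(s));
```

Note that an opening tag with attributes stays escaped while its bare closing tag is re-enabled; browsers ignore the stray closing tag, and the text is still rendered as text rather than run as script.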
