Common Misconceptions in Web Application Security, Part 1
During the past few months, I have noticed a big
misconception when it comes to Cross-site scripting. There is a myth floating
around that using the POST method instead of the GET method will eliminate
Cross-site scripting or make the vulnerability insignificant. Unfortunately,
this just masks the problem, leaving the vulnerability there. All that is
required is just a different method of exploitation.
A Cross-site scripting attack that is GET based normally
involves an individual following a URL sent to them with script injected in it.
Exploiting a POST based Cross-site scripting vulnerability usually requires one
extra step. Instead of sending the user a URL that carries the Cross-site scripting
payload for the web application, the attacker sends a URL to a page the attacker
controls that contains a form. By using the BODY tag with the onload attribute,
merely viewing that page causes the victim's browser to auto-submit the form with a
POST method to the vulnerable web application, injecting the script. The script that
gets injected can do everything a GET based Cross-site scripting attack can do, but
the URL in the address bar doesn't show any parameters with script in them.
To truly fix Cross-site scripting, whether POST or GET based,
requires encoding of characters with a technique called whitelisting. This
technique says that when filtering characters, you encode anything that
you weren't explicitly looking for. If you take the alternative approach of
only encoding known dangerous characters like > or <, you leave open
different permutations that you did not expect.
Erik is Sr. Director of Products for the Application Security Center.