Cached copy of http://holisticinfosec.blogspot.com/2008/06/ciac-tech-bulletin-on-xss-valuable.html, taken when the feed was indexed.
CIAC Tech Bulletin on XSS a valuable reference
2008-06-10 10:21:00 by Russ McRee in HolisticInfoSec.org
 
The only fault I could possibly find in the recently released CIAC Technical Bulletin, CIACTech08-003: Understanding Cross-Site Scripting (XSS), is that it should have been released a year ago or more. ;-)
But rather than nitpick, I'd like to applaud.
This is a fine effort, with a number of good resources cited.
You'll find content on the types of cross-site scripting, including DOM-based, non-persistent (reflected), and persistent (stored), along with CSRF, which is a distinct class of attack but is commonly covered alongside XSS. Additionally, you'll note methods of protection and reference links to content on PHP's htmlspecialchars() and htmlentities() output-encoding functions, and on Giorgio Maone's NoScript.
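As an added illustration (not code from the CIAC bulletin or from this post), here is the reflected-XSS pattern the bulletin describes beside the htmlspecialchars() fix it points to. The function names greetUnsafe, greetSafe, linkSafe and h, and the payload strings, are my own constructions for the example.

```php
<?php
// Added example, not from the CIAC bulletin or the original post.
// Shows the classic reflected-XSS bug and the output-encoding fix.
// $name/$title values and the markup are constructed for illustration.

declare(strict_types=1);

// Vulnerable: untrusted input is echoed straight into the HTML body.
function greetUnsafe(string $name): string
{
    return "<p>Hello, $name</p>";
}

// Encoder for the HTML text and quoted-attribute contexts.
// ENT_QUOTES matters: before PHP 8.1 the default flag set is ENT_COMPAT,
// which leaves the single quote alone, so a single-quoted attribute would
// stay injectable. ENT_SUBSTITUTE replaces invalid UTF-8 instead of
// returning an empty string, which would otherwise silently drop output.
// htmlentities() would also encode every character that has a named
// entity; for XSS only the five specials (& < > " ') need encoding.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Fixed: same markup, but the untrusted value is encoded on output.
function greetSafe(string $name): string
{
    return '<p>Hello, ' . h($name) . '</p>';
}

// Attribute context: this is only safe because the attribute value is
// wrapped in double quotes, so an encoded &quot; cannot close it early.
function linkSafe(string $title): string
{
    return '<a title="' . h($title) . '" href="/profile">' . h($title) . '</a>';
}

// Constructed payloads: one for the text context, one for the attribute.
$payload     = '<script>alert(document.cookie)</script>';
$attrPayload = '" onmouseover="alert(1)';

echo greetUnsafe($payload), PHP_EOL;
echo greetSafe($payload), PHP_EOL;
echo linkSafe($attrPayload), PHP_EOL;
```

Run with `php example.php`. The first line reproduces the script tag verbatim, so a browser would execute it; the second renders it as inert text because `<` and `>` come out as `&lt;` and `&gt;`; the third keeps the injected `"` inside the title attribute as `&quot;`, so `onmouseover` never becomes an attribute of its own. The caveat a practitioner should carry away is that htmlspecialchars() is an HTML-context encoder only: it does not make a value safe inside a `<script>` block, inside an unquoted attribute, or in a URL where a `javascript:` scheme could be supplied, and each of those contexts needs its own encoding or validation.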
This is a great starting point for enlightening vendors, developers, and IT folk who may not be as up to speed as you might like on the concerns caused by XSS vulnerabilities.
Given the fact that stories continue to surface on the shortcomings of major security vendors, and their utter lack of diligence with regard to XSS, as well as efforts to further enlighten the masses, this is a valiant effort.
Well done, CIAC.
