XSS Fragmentation Injection


There's a post on Alex's Little Corner about XSS Fragmentation Injection. The idea is that you break your script injection attack across multiple input fields. Nothing new at all, really - it's been working for ages.

However my response to this is two-fold:

If you're a developer there's really only one right solution - output filtering. If you did output filtering, all of the angle brackets, or double quotes in the world will do nothing dangerous - they'll actually display on the screen (probably not what you wanted, but what you should have wanted). The problem is that MySpace allows you to put in HTML. None of you smart developers are allowing your users to design their own look under your brand, right?

If you're an ethical hacker Alex's post is spot-on. You ought to be making sure that the combination of two dynamic outputs does not equal one bad one. And what you should be telling developers is the proper fix to it is not more input validation, but always output filtering. If your customers really want for their customers to be able to enter HTML (in which case you need to NOT be doing output filtering) they had better have a really, really, really good reason.


  1. Well, first of all I didn't know that its nothing new, since when i tried to search google to find any information on it nothing came up, anyway.....

    Of course output filtering would avoid this problem altogether, but thats a given, the post was geared to those who have to deal with XSS filters.

    And while I do say that more input validation is the fix for such a vulnerability it is a vulnerability that exists in input filters, rather than output filters, and so proposing a solution which tells devlopers that using input filters is a bad idea seems rather innapropriate since if they were reading it they would probably know when to use output filters rather than input filters. So it seems to me that saying that all XSS vulnerabilities are fixed by proper output filtering would have been redundant. Anyway the post was intended to inform not indoctrinate.

    Security should not have to come at the cost of functionality.

  2. My opologies for sounding like I was bashing - that was not the intent. You're absolutely right in that these are a result of failed input validation insofar as the site is supposed to accept markup from the end user. My argument is that when you want to accept markup from the user is really a very rare case. If you're not expecting markup from the user, this is a great example of how input validation gives an incomplete result. If you're not wanting the user to render markup on the page, then output filtering is absolutely effective.

    Again - sorry if I didn't make that clear. From a developer perspective, make sure you always do output filtering unless you mean not to, and then it doesn't matter if your input filters are deficient. If you really do intend to allow users to put in markup, make very certain that you understand that MySpace is just one example of a site that's been trying for a very long time to get it right.