Cross-Site Scripting – The Final Solution

This is the last of my ideas for prevention of Cross-Site Scripting, and in a way the most radical. I was having a shower this morning, when I was struck by a great idea. What if the entire Internet was under the same domain? This radical move would prevent Cross-Site Scripting at a stroke! We could change the DNS servers of the world to only resolve a single domain, and move all other websites under it. There’d be no way to do cross-site anything at all.

So, which company or group is worthy of the honour and responsibility of watching over such a valuable community resource? Much as I’d like to suggest mozilla.org, I’m not sure we have the bandwidth. So, having seen the good job they’ve done with newsgroups, I think it’s time that we recognised the inevitability of GWorld Domination and handed over control of the entire Internet to Google, Inc. Instead of “The Internet”, we’d have “G-Internet” (catchy, huh?). It would give all websites a new subdomain of the main google.com domain – for example, www.gerv.net.g-internet.google.com. No more Cross-Site Scripting!

Putting the entire Internet under Google’s control has a number of great side benefits. For a start, it would be a lot easier to search – Google having the master copy of the web would help them to spider it much more quickly, and keep their index up to date. Then, of course, all web apps would be automatically upgraded by Google’s New Service Gnomes to use XmlHttpRequest and other modern web application technology. I can certainly see a lot of people appreciating Hotmail getting such a makeover.

But lastly and most importantly, it would be a great help in the War on Terror. (This is a clinching argument because no-one can object because they’ll get accused of being soft on terrorists, and therefore it requires no justification.) I, for one, look forward to this brave new world! Viva G-Internet!

6 thoughts on “Cross-Site Scripting – The Final Solution”

  1. Sorry, but I already patented that idea.

    I’ve also patented the F12 key, mouse mats, and the clicky noise that keyboard keys can make.

  2. AFD jokes aside, this is not so far fetched – Google is already close to owning m.o :-P

  3. It’s not really an April Fool’s joke – as you say, it’s quite obvious. I just thought it was an amusing way to end the anti-XSS sequence.

  4. You seem to be missing the point. Cross site scripts are application dependent, i.e., what you see output by the application in terms of the Cross Site Script is heavily dependent upon the user interaction in the first instance. This means, alert(‘CSS’) was input by a user of the web application. Something like alert(document.cookie) was also input by a user but in this instance the script was used to make the web application force the server to produce the user’s session information. Something like =>”‘> would be used in instances where the application does not directly pass user input but instead attempts to filter the and / symbols. By fooling the application by escaping or ending a term with ‘>. The previous example could be used in instances where an ‘attacker’ might choose to evade particular filters by escaping in and out of html code.

    The only way to fix a Cross Site Script problem is by fixing the way web developers and system administrators and programmers develop their code. In the case of the web developers, they should really produce filters for default templates and then a separate filter for each and every page as they are certain to be unique.

  5. You seem to be missing the point. Cross site scripts are application dependent, i.e., what you see output by the application in terms of the Cross Site Script is heavily dependent upon the user interaction in the first instance. This means, %3Cscript%3Ealert(CSS’)%3C/script%3E was input by a user of the web application. Something like %3Cscript%3Ealert(document.cookie)%3C/script%3E was also input by a user but in this instance the script was used to make the web application force the server to produce the user’s session information. Something like =%3E%22’%3E%3Cimg%20src=javascript:alert("CSS&#x20")%3E would be used in instances where the application does not directly pass user input but instead attempts to filter the and / symbols. By fooling the application by escaping or ending a term with ‘>. The previous example could be used in instances where an ‘attacker’ might choose to evade particular filters by escaping in and out of html code.

    The only way to fix a Cross Site Script problem is by fixing the way web developers and system administrators and programmers develop their code. In the case of the web developers, they should really produce filters for default templates and then a separate filter for each and every page as they are certain to be unique.
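Comments 4 and 5 above make two points: the injected script arrives as ordinary user input, and a per-page blocklist "filter" can be evaded by input that closes the surrounding tag or attribute before inserting new markup. The following added example (mine, not the commenter's or the blog author's code) takes the three inputs quoted in comment 5 as constructed sample data and renders each into a small page template twice: once through a naive blocklist filter that only strips script tags, and once through context-aware HTML output encoding. The template, the `introduces_markup` check, and the function names are assumptions made for illustration.

```python
import html
import re
from urllib.parse import unquote

# Constructed sample inputs: the three values quoted in comment 5, URL-decoded
# exactly as the commenter posted them.
SAMPLE_INPUTS = [
    unquote("%3Cscript%3Ealert('CSS')%3C/script%3E"),
    unquote("%3Cscript%3Ealert(document.cookie)%3C/script%3E"),
    unquote("=%3E%22'%3E%3Cimg%20src=javascript:alert(\"CSS&#x20\")%3E"),
]

# A blocklist "filter" of the kind the comment describes: it knows about
# <script> tags and nothing else.
SCRIPT_TAG = re.compile(r"</?script[^>]*>", re.IGNORECASE)


def naive_filter(user_input: str) -> str:
    """Strip <script> and </script> tags and pass everything else through unchanged."""
    return SCRIPT_TAG.sub("", user_input)


def encode_for_html(user_input: str) -> str:
    """Output-encode for HTML text and quoted attribute values.

    html.escape with quote=True turns < > & " ' into entities, so the
    browser can never read the value as a tag boundary or attribute delimiter,
    whatever the input contains.
    """
    return html.escape(user_input, quote=True)


def render_profile(display_name: str, encoder) -> str:
    """Hypothetical page template: the value lands in an attribute and in element text."""
    safe = encoder(display_name)
    return f'<p class="name" title="{safe}">{safe}</p>'


def introduces_markup(rendered: str, template_tag_count: int = 2) -> bool:
    """True if the rendered fragment contains more tags than the template itself.

    The template contributes exactly two tags (<p ...> and </p>); any extra tag
    start means the user value broke out of its intended text/attribute context.
    """
    return len(re.findall(r"<[a-zA-Z/!]", rendered)) > template_tag_count


if __name__ == "__main__":
    for value in SAMPLE_INPUTS:
        for label, encoder in (("naive_filter", naive_filter), ("encode_for_html", encode_for_html)):
            out = render_profile(value, encoder)
            print(f"{label:16} breakout={introduces_markup(out)!s:5} {out}")
```

Running the block shows the distinction the commenter is drawing: the blocklist filter neutralises the two `<script>` inputs but passes the third input through untouched, so the rendered page gains an `<img>` element the template never contained, while output encoding leaves all three inert because the browser only ever sees `&lt;`, `&quot;` and `&#x27;` where the input had `<`, `"` and `'`. The practical lesson is that the defence belongs at the output boundary, chosen per HTML context, rather than in a list of forbidden strings maintained per page.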