Cry or Smile? You Decide…


On Wednesday Mark Curphey emailed me about a conversation his team had with a customer. I see he has now blogged about the conversation. Here’s an excerpt.



When a customers [sic, you need to learn some simple grammar, Curphey!] development team was recently asked to use the AntiXSS library, validate input and encode output for their web interface they replied (and I quote) “we do not use cross site scripting”.


When Mark emailed me I didn’t know whether I should laugh or cry. Seriously, I didn’t know. I was blown away. With all the knowledge out there about security bugs, someone thought XSS was a valid feature.


Does this mean that all the good work done by so many people for so many years is just wasted effort?

Comments (9)

  1. penyaskito says:

    OMG!!! I’m going now to include that new feature in my websites… because it’s 2.0, isn’t it?

  2. CJ says:

    I wouldn’t go so far as to say the efforts have been wasted.  Importantly, awareness and training efforts need to be maintained – even for the "old" bugs.

    New developers come into the ranks all the time.  Just because research matures into an optional product doesn’t mean that these new developers are aware of the features or that they will understand them.  Security against "no brainer" items should not be optional.  Reducing security against "no brainer" items can be optional.

    The second tenet of SD3+C will help this if you force acceptance of insecure code in the compiler, runtime engine, and/or IDE.  Tell them it’s insecure before it’s allowed to execute/compile and give them an option to accept the risk.  Same principle as what was done with UAC in Vista.

  3. Alun Jones says:

    This is the problem when security is less a mindset and more of a check-list to satisfy.

    "No XSS?"

    "Hell, boss, I don’t know what that means."

    "Well, then obviously we don’t use it. Check."

    Actually Cross-Site Scripting is a very confusing term for what XSS is. It’s really HTML Injection. By putting in HTML here, I can get it to activate over here. The only reason it’s got anything to do with scripting is because you can most quickly exploit it by pasting an HTML <script> tag.

  4. CGomez says:

    Many corporations make every excuse in the book to avoid having to do any work.  If you show them a security bug, they’ll say they want a proof of concept or proof of an actual breach or will believe no one is interested in hacking them.

    It’s easier than gaining the expertise or doing anything.

  5. Maybe understandable… "XSS" sounds like the XML version of "CSS", doesn’t it?  (whatever that means…:-)

    But I suspect that the VAST majority of developers out there think of security as someone else’s worry — "it’s something Microsoft has to worry about, not me."

  6. acd says:

    Well it’s really the faulty name, no, really.

    You see, three- and four-letter acronyms are the things that are considered "features". Today it’s HTML, tomorrow it’s CSS, then XML, XSL, and then you send them "XSS"; well, they certainly don’t need that one too! And then there’s that nasty scripting, always new ways to script something, new languages, etc.

    Moral:

    First, don’t use acronyms!

    Second, use the best possible names. If that thing was referred to as "cross site attacks" there would be no misunderstanding.

    Also imagine that the library was called "cross site attacks blocker".

  7. bob says:

    I have a couple of questions regarding the AntiXSS library. If it is a best practice to use this:

    1. Why isn’t this part of the standard .Net framework?

    2. Why doesn’t fxCop check for it, and recommend its use?

    [this blog entry was the first I had heard of it]

  8. CoqBlog says:

    I’ve just read a frightening post on Michael Howard’s blog, where he talks about a conversation that

  9. Jeno says:

    I am just surprised how ignorant some people are. X stands for the letter X, not cross.  They obviously lack certain intelligence.
