PerlMonks  

Preventing Cross-site Scripting Attacks

by grep (Monsignor)
on Feb 22, 2002 at 17:40 UTC (#146949=perlmeditation)

A new article on www.perl.com talks about the new mod_perl module Apache::TaintRequest and how to use it against cross-site scripting attacks.

What is Cross Site Scripting?
From the article:

Instead of targeting holes in your server's operating system or web server software, the attack works directly against the users of your site. It does this by tricking a user into submitting web scripting code (JavaScript, Jscript, etc.) to a dynamic form on the targeted web site. If the web site does not check for this scripting code it may pass it verbatim back to the user's browser where it can cause all kinds of damage.



grep
grep> rm -f /bin/laden

Re: Preventing Cross-site Scripting Attacks
by cjf (Parson) on Feb 22, 2002 at 23:42 UTC
    Good article, it addresses a problem that is overlooked way too often. From the article...
    The key to solving cross-site scripting attacks is to never, ever trust data that comes from the web browser. Any input data should be considered guilty unless proven innocent.

    Couldn't have said it better myself. For more information on the subject consult Essential CGI Security Practices :)

Re: Preventing Cross-site Scripting Attacks
by converter (Priest) on Feb 23, 2002 at 00:15 UTC

    I enjoyed the article, but I wish it would have addressed sites (like this one) that allow users to input markup.

    Is parsing out script tag sections enough to close the hole, or are there other mechanisms that have to be addressed?

      I was pointing out the dangers of user-permitted HTML markup many years ago when I talked about how I was including Barney the Dinosaur into guestbooks on my home page.

      I don't think there's a completely secure solution. tilly wrote a fairly nice strongbox solution that permits very carefully a subset of HTML, but it's more in the "only permitted things allowed" realm than the "look for bad things and prevent them" realm. Given the risk, I'd say this is the right approach.

      -- Randal L. Schwartz, Perl hacker


      update: Thanks to mdillon for the link to tilly's node.
      Reminds me of a community I used to be a part of, when I played the online game Utopia. Over at www.avidgamers.com they provide basic types of communities for alliances and stuff like that, in different games.

      Anyhow, those sites do clean out certain markup in a pretty good way - the administrator can choose which tags are allowed - scripting is never, and from what I can tell, the engine that strips such is pretty good.

      But they had allowed the <table> and the <div> tags. So me and a friend started impersonating other friends in the forums, mostly for fun, but also to enlighten this problem. We basically did this by creating posts that contained closing </td></tr></table> that were the same as the forums, and then built up a new post "after ours" within our own post, having those guys saying really funny stuff. It took almost two days before the HTML illiterates (nothing wrong with that, mind you) figured out what the *** happened.

      With <div>, we created signature boxes that hung under the menu - something like "This thread contains a post by XXX!" with lots of colors and stuff.

      Most people laughed their heads off while we were rummaging around like that, but some did take offense - none that we impersonated though. And it was really funny to see people saying " I did not say that!" when everybody could "see" they did.

      Then, of course, we told them which tags to turn off, and no more problems.

      Personally, I think that scripts should be filtered out in places like these. I know that I can, and I have, turned them off in the browser for this place, but all it really takes is someone malicious posting, and someone not so careful browsing. I didn't have it turned off in the beginning, and for all I know, someone may already have my password. And javascript in general is not the problem, just when you can post whatever and on a site with login cookies or similar.


      You have moved into a dark place.
      It is pitch black. You are likely to be eaten by a grue.
        Although I'm fairly new to PerlMonks I HAVE noticed that several of the more seasoned monks have warnings about having Javascript enabled but none really explains what the possible dangers/exploits are that can arise from surfing w/JS-enabled. Have any monks written a node explaining the problem in detail? *Click "Preferences"* JavaScript off... Paranoia on...

        MarkMoon

      are there other mechanisms that have to be addressed

      Of course you can have event attributes such as onClick in certain HTML tags which could have malicious script in them. On the whole the best approach as merlyn points out is to only allow a safe subset of HTML rather than attempting to remove potentially bad things.

      /J\
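As an added illustration of the "only permitted things allowed" approach that merlyn and /J\ describe (this is not code from the article or from anyone in this thread, and it is in Python rather than Perl only so it runs on the standard library's html.parser), here is a small allowlist sanitizer; the tag and attribute lists are assumptions chosen for the example. It rebuilds the markup from scratch, so onClick-style attributes and non-http href values simply never get emitted, and it only ever closes tags the post itself opened, which defuses the stray </td></tr></table> trick from the avidgamers story above.

```python
from html import escape
from html.parser import HTMLParser

# Allowlist (hypothetical, chosen for this example): only these tags and
# attributes survive; everything unlisted, on* event handlers included, is dropped.
ALLOWED_TAGS = {"b", "i", "p", "br", "code", "pre", "ul", "ol", "li", "a", "blockquote"}
ALLOWED_ATTRS = {"a": {"href"}}
VOID_TAGS = {"br"}
SAFE_SCHEMES = ("http://", "https://")

class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []  # stack of tags the post itself opened

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # tag discarded; text inside it is still kept as plain text
        safe = []
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED_ATTRS.get(tag, ()):
                continue  # covers onclick, style and anything else unlisted
            if name == "href" and not value.lower().startswith(SAFE_SCHEMES):
                continue  # blocks javascript: and other unexpected schemes
            safe.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(safe)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        # Close only tags this post opened: stray </td></tr></table> can never
        # break out of the container the site wrapped the post in.
        if tag in self.open_tags:
            while self.open_tags:
                closed = self.open_tags.pop()
                self.out.append(f"</{closed}>")
                if closed == tag:
                    break
    def handle_data(self, data):
        self.out.append(escape(data, quote=False))  # re-escape all text
    def result(self):
        while self.open_tags:  # close anything the post left open
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)
def sanitize(user_html):
    parser = AllowlistSanitizer()
    parser.feed(user_html)
    parser.close()
    return parser.result()
```

Because nothing outside the allowlist is ever written back out, adding a new dangerous attribute or scheme to a browser does not reopen the hole; only a mistake in the allowlist itself can.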

Re: Preventing Cross-site Scripting Attacks
by vladb (Vicar) on Feb 24, 2002 at 05:02 UTC
    I was certainly delighted to read the article. Often, I find a lot of interesting stuff at www.securityfocus.com.

    It surprises me how easy it is to fool HTML aware sites that lack proper protection/filtering mechanisms. I'm wondering, also, if perlmonks.com is 100% secure from those types of attacks. Let me test it right here by including <LINK REL=STYLESHEET TYPE="text/javascript" SRC=""> tag inside my post:

    <LINK REL=STYLESHEET TYPE="text/javascript" SRC="">

    I'm sure however this wouldn't work, since these posts are filtered and anything other than a set of accepted tags (such as readmore and common bracketed tags) is tossed away.

    "There is no system but GNU, and Linux is one of its kernels." -- Confession of Faith
