Search
|
VHS : Search |
|
|
VHS : Search |
It's almost cruel of us to post about the Schöpfer Oculus, a 250-foot luxury yacht inspired by an oceanic fish.
With room for 12 people to comfortably cruise at 25 knots, the rear of the Oculus remains open like a gigantic jaw that's eating the passengers alive in luxury. And what appears to be a cleverly-placed window fills in an apt spot for an eye.
Inside, the ceilings reach an impressive 12-feet (hey, those are higher than where I live every day!) while the entire boat is still described as a "low rider," featuring retractable panels that protect the decks from swells. Wait, why are we even bothering to explain all of this to you? You can't afford it. [Schopfer Yachts via DVICE]
If you want to protect yourself from a XSS attack, what characters should you escape? I've seen 2 recommendations:
I've seen the second recommended more and more recently. Which is best?
It's a known security tenet that whitelisting is safer than blacklisting. If you're just escaping ', ", <, > and & then you're blacklisting, which isn't as safe as whitelisting.
There are some practical examples of how this can play out -
(I'm using $ to represent the injection point. This would probably crop up in a template something like this:
)
If all the escape() function does is to escape ', ", <, > and &, then what if the user entered a data: URL? You could end up with the following output:
test
Which in case you can't do base64 in your head is equivalent to this:
test
Clearly this is bad - we've let a user XSS us even though we are filtering for XSS. There are many more examples that are similar.
The bad news is that more filtering does not help. If we enhance our escape function to encode every non-alpha, then we would get the following output:
test
Here's the bad news - the above works. (Look: test (if this script gets into your RSS aggregator, then you need a new RSS aggregator.))
Adding the extra filtering has had the following effect:
The solution is to understand about insertion points.
The following insertion points, are ones that I believe are safe if ', ", <, > and & are escaped:
$ (Where div could be p, h*, li, etc - things expecting textual content)I think it's likely that virtually any other insertion point is likely to be dangerous. Some examples:
$> (there are countless events we could latch into, including several non-standard, hard to find ones)
... (JavaScript pops up in CSS in many places like width:expression(script_here))
... (The example we used above)
- etc.
The key it to understand the environment into which we are allowing injection. The trend for separating content, style and action into separate files is good because it more clearly defines the environment, but that doesn't stop HTML from being able to embed CSS.
I once saw some code that was JSP containing Java containing HTML containing CSS and JavaScript containing SQL all on one line. An environment so confused that it contained it's very own security hole built right in.
Filtering in DWR
DWR version 3 is nearly cooked, and our escaping functions use the simpler escaping system of just escaping ', ", <, > and &. If anyone knows of any attack that a broader filtering system would protect people from, then please comment.
If you want to protect yourself from a XSS attack, what characters should you escape? I've seen 2 recommendations:
- ', ", <, > and & should be converted to ', ", <, >, &
- Convert anything that isn't ASCII alphanumeric to &#xx;
I've seen the second recommended more and more recently. Which is best?
The argument for escaping all non-ASCII alphanumeric
It's a known security tenet that whitelisting is safer than blacklisting. If you're just escaping ', ", <, > and & then you're blacklisting, which isn't as safe as whitelisting.
There are some practical examples of how this can play out -
(I'm using $ to represent the injection point. This would probably crop up in a template something like this:
)
If all the escape() function does is to escape ', ", <, > and &, then what if the user entered a data: URL? You could end up with the following output:
test
Which in case you can't do base64 in your head is equivalent to this:
test
Clearly this is bad - we've let a user XSS us even though we are filtering for XSS. There are many more examples that are similar.
The argument for escaping only ', ", <, > and &
The bad news is that more filtering does not help. If we enhance our escape function to encode every non-alpha, then we would get the following output:
test
Here's the bad news - the above works. (Look: test (if this script gets into your RSS aggregator, then you need a new RSS aggregator.))
Adding the extra filtering has had the following effect:
- It's hidden the hole, so now we're less likely to notice it, and fall in.
- It's wasted bandwidth
So how do we keep ourselves clear of XSS attacks?
The solution is to understand about insertion points.
The following insertion points, are ones that I believe are safe if ', ", <, > and & are escaped:
$ (Where div could be p, h*, li, etc - things expecting textual content)
I think it's likely that virtually any other insertion point is likely to be dangerous. Some examples:
$> (there are countless events we could latch into, including several non-standard, hard to find ones)
... (JavaScript pops up in CSS in many places like width:expression(script_here))
... (The example we used above)- etc.
The key it to understand the environment into which we are allowing injection. The trend for separating content, style and action into separate files is good because it more clearly defines the environment, but that doesn't stop HTML from being able to embed CSS.
I once saw some code that was JSP containing Java containing HTML containing CSS and JavaScript containing SQL all on one line. An environment so confused that it contained it's very own security hole built right in.
Filtering in DWR
DWR version 3 is nearly cooked, and our escaping functions use the simpler escaping system of just escaping ', ", <, > and &. If anyone knows of any attack that a broader filtering system would protect people from, then please comment.
Search