Dependent Origination

XSS and fixes

Posted on: June 21, 2011

We got a report from a guy who lives in Tokyo on a page of ours that is vulnerable to XSS attacks. Seems he sent multiple emails to different companies on the topic. It is a sure way of securing interviews. I hope he ran a program to find the holes, instead of finding them by hand 🙂

Anyway, despite my two years in a security infrastructure team, I actually got more education on XSS this time. It is a very common security flaw and was taken advantage of fairly early in the history of my ex-employer. So the issue was fixed well ahead of my time and I never really paid any attention to how they solved it.

Now I got the chance to read about it and figure out the best way to make sure it never happens. It turns out to be very hard to get rid of systematically, barring a full-fledged parser over the code base. The root rule is: never display anything the user typed in directly. By the same logic, you cannot display anything straight from the database either. So it is a problem of proper escaping. Since display happens in different contexts, HTML and JavaScript being the most likely ones, you cannot pre-escape the user inputs; the guard has to be applied at display time. A naming convention helps here: append raw or escaped to the end of your variable names so you can spot them at a glance in a display context. Another help is to make the default safe: HTML-escape everything coming out of the Apache server, so that in the worst case we display a bunch of wrong characters but never close or open a context unintentionally.
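
The points above, escaping per output context, guarding at display time rather than pre-escaping, and making the raw/escaped distinction visible, as an added Python example that is not code from the original post. It assumes just two contexts, HTML (element text or a double-quoted attribute) and a double-quoted JavaScript string literal, and a toy template syntax with `{name}` placeholders; the `Escaped` type, `render()`, `js_literal_intact()` and the sample input `RAW` are all constructed for this example. The type carries the context a value was escaped for, which is the programmatic form of the `_raw` / `_escaped` naming convention, and the sink refuses anything raw or escaped for the other context.

```python
"""Context-aware escaping with the escape state carried in the type.

Added example (not code from the original post). Assumptions: two output
contexts only, "html" (element text or a double-quoted attribute) and "js"
(inside a double-quoted JavaScript string literal); templates use {name}
placeholders. The Escaped type plays the role of the `_raw` / `_escaped`
naming convention: a value records which context it was escaped for, and
the sink refuses anything raw or escaped for a different context.
"""
from dataclasses import dataclass
import html
import re


@dataclass(frozen=True)
class Escaped:
    text: str
    context: str  # "html" or "js"


def html_escape(user_raw: str) -> Escaped:
    # Escapes & < > " and ', the characters that can open or close tags and attributes.
    return Escaped(html.escape(user_raw, quote=True), "html")


def js_string_escape(user_raw: str) -> Escaped:
    # Inside a JS string literal, anything other than ASCII letters and digits is
    # emitted as \uXXXX, so quotes, backslashes, line terminators and "</script>"
    # cannot change the meaning of the surrounding script.
    out = []
    for ch in user_raw:
        if ch.isascii() and ch.isalnum():
            out.append(ch)
            continue
        cp = ord(ch)
        if cp > 0xFFFF:  # astral plane: emit a UTF-16 surrogate pair
            cp -= 0x10000
            out.append(f"\\u{0xD800 + (cp >> 10):04x}\\u{0xDC00 + (cp & 0x3FF):04x}")
        else:
            out.append(f"\\u{cp:04x}")
    return Escaped("".join(out), "js")


def render(template: str, sink: str, **values) -> str:
    """Fill {name} placeholders for a sink of the given context.

    The guard lives at display time: a raw str, or an Escaped value prepared
    for the other context, raises instead of being written out.
    """
    def substitute(match: re.Match) -> str:
        name = match.group(1)
        value = values[name]
        if not isinstance(value, Escaped):
            raise TypeError(f"{name}: raw value reached a {sink} sink; escape it first")
        if value.context != sink:
            raise TypeError(f"{name}: escaped for {value.context}, but sink is {sink}")
        return value.text
    return re.sub(r"\{(\w+)\}", substitute, template)


def rejected(template: str, sink: str, **values) -> bool:
    """True if render() refused the values (used to check the guard)."""
    try:
        render(template, sink, **values)
    except TypeError:
        return True
    return False


def js_literal_intact(text: str) -> bool:
    """True if '"' + text + '"' is exactly one JS string literal: the inserted
    text neither ends the literal early (quote, line terminator) nor swallows
    the closing quote (stray backslash). Only the \\uXXXX escape form is accepted."""
    i = 0
    while i < len(text):
        ch = text[i]
        if ch == "\\":
            if not re.fullmatch(r"u[0-9a-fA-F]{4}", text[i + 1:i + 6]):
                return False
            i += 6
            continue
        if ch in '"\n\r\u2028\u2029':
            return False
        i += 1
    return True


# Constructed sample input: contains an ampersand, quotes, an angle bracket
# and a trailing backslash, each significant in one context or the other.
RAW = 'Tom & "Jerry" <3 \\'

if __name__ == "__main__":
    print(render('<input value="{name}">', "html", name=html_escape(RAW)))
    print(render('var name = "{name}";', "js", name=js_string_escape(RAW)))
    # Pre-escaping for HTML does not make the value safe in JavaScript: the
    # trailing backslash survives html.escape and would eat the closing quote.
    print(js_literal_intact(html_escape(RAW).text))  # False
    print(rejected('var name = "{name}";', "js", name=html_escape(RAW)))  # True
```

The HTML-escaped value is harmless in an HTML attribute, but dropped into a JavaScript string literal it still carries the backslash, so the literal no longer ends where the template author intended; conversely the JavaScript-escaped value contains no `"` or `<` and so cannot break an HTML attribute, but the browser would show the `\u0026` sequences as literal text, which is exactly the "wrong characters but no new context" failure mode the post prefers as the safe default.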

This is the wiki article on cross-site scripting. Here is a page that describes the common guards for dealing with it.