[Marvin Simkin]
| Filters can *help*, but there is *no* magic bullet for 100% CSS
| protection, because CSS is so generic that it can arise anywhere a
| web programmer makes a mistake. Consider this pseudocode:
|
| PasswordSubmitTarget =
| "https://www." + Server + ".com/login/checkpw.cgi"
|
| Suppose the variable Server comes from an untrusted source
| somehow. An attacker might find some way to manipulate the
| variable so that passwords get submitted to the attacker's
| server. Yet the untrusted variable could contain nothing but
| [a-z]!

That isn't Cross-site Scripting.

It's actually quite easy to protect against Cross-site Scripting: Keep layout (markup) and content totally separate. Right before sending the response, the final HTML is generated _automatically_ by a piece of code that merges the layout and the content, and HTML encodes _every_ single part of the content in the process. The layout is static (or semi-static; at least it does not contain anything that is derived from the user, from databases, files, and so on). I guess you get a lot for free if you use an XML DOM or something.

The problem with popular languages such as ASP, PHP and JSP is that they encourage a mix of layout and content, thus making it hard to automatically HTML encode the content that gets sent to the browser. It's up to the programmer to HTML encode in the right places. And when something is left to the programmer, we'll have bugs and holes.

We need a totally new development platform that makes it impossible to do the typical webappsec mistakes. I'm not sure if it's doable, but I guess it would be possible to avoid all meta-character based exploits, such as Cross-site Scripting, SQL Injection, Shell Command Injection and so on. It's just a matter of encapsulating all communication with sub-systems (including the browser) in some reasonable and limited API.

Sverre.

--
shhat_private
Computer Geek? Try my Nerd Quiz
http://shh.thathost.com/
http://nerdquiz.thathost.com/
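The layout/content separation Sverre describes, as an added illustration that is not part of the original post: a fixed layout with named slots, a merge step that HTML-encodes every slot value, the same page built through an XML DOM whose serializer does the escaping, and the hand-concatenated ASP/PHP/JSP style for contrast. The layout, the content values and all function names are constructed for this example.

```python
import html
import re
import xml.etree.ElementTree as ET

# Constructed sample content: "query" stands in for an untrusted request parameter.
CONTENT = {"name": "Alice", "query": "<script>alert(1)</script>"}

# Static layout with named slots. Nothing user-, database- or file-derived lives here.
LAYOUT = ("<html><body><h1>Hello, {name}</h1>"
          "<p>You searched for: {query}</p></body></html>")


def render_mixed(content):
    """The style being criticised: markup and content concatenated by hand,
    so encoding only happens where the programmer remembers to do it."""
    return ("<html><body><h1>Hello, " + content["name"] + "</h1>"
            "<p>You searched for: " + content["query"] + "</p></body></html>")


def render(layout, content):
    """Merge a static layout with content. The merge step HTML-encodes every
    slot value, so there is no path that puts an unencoded value into the page."""
    def fill(match):
        return html.escape(str(content[match.group(1)]), quote=True)
    return re.sub(r"\{(\w+)\}", fill, layout)


def render_dom(content):
    """Same separation via an XML DOM: content only ever becomes text nodes,
    and the serializer escapes them, so encoding is not the programmer's job."""
    root = ET.Element("html")
    body = ET.SubElement(root, "body")
    ET.SubElement(body, "h1").text = "Hello, " + content["name"]
    ET.SubElement(body, "p").text = "You searched for: " + content["query"]
    return ET.tostring(root, encoding="unicode")


def contains_raw_script(page):
    """Review check: does the rendered page still contain a live <script> tag?"""
    return re.search(r"<script\b", page, re.IGNORECASE) is not None


if __name__ == "__main__":
    print("mixed style leaks script tag:", contains_raw_script(render_mixed(CONTENT)))
    print("merged layout leaks script tag:", contains_raw_script(render(LAYOUT, CONTENT)))
    print(render(LAYOUT, CONTENT))
```

The merge and the DOM route produce identical markup for this input; the only way to get a live tag into the output is to edit the static layout itself.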
This archive was generated by hypermail 2b30 : Sat Oct 12 2002 - 10:46:28 PDT