Re: CROSS SITE-SCRIPTING Protection with PHP

From: Sverre H. Huseby (shhat_private)
Date: Fri Oct 11 2002 - 14:51:16 PDT

    [Marvin Simkin]
    
    |   Filters can *help*, but there is *no* magic bullet for 100% CSS
    |   protection, because CSS is so generic that it can arise anywhere a
    |   web programmer makes a mistake. Consider this pseudocode:
    |   
    |   PasswordSubmitTarget = 
    |     "https://www." + Server + ".com/login/checkpw.cgi"
    |   
    |   Suppose the variable Server comes from an untrusted source
    |   somehow. An attacker might find some way to manipulate the
    |   variable so that passwords get submitted to the attacker's
    |   server. Yet the untrusted variable could contain nothing but
    |   [a-z]!
    
    That isn't Cross-site Scripting.
    
    It's actually quite easy to protect against Cross-site Scripting: Keep
    layout (markup) and content totally separate.  Right before sending
    the response, the final HTML is generated _automatically_ by a piece
    of code that merges the layout and the content, and HTML encodes
    _every_ single part of the content in the process.  The layout is
    static (or semi-static.  At least it does not contain anything that is
    derived from the user, from databases, files, and so on).
    
    I guess you get a lot for free if you use an XML DOM or something.
    
    The problem with popular languages such as ASP, PHP and JSP is that
    they encourage a mix of layout and content, thus making it hard to
    automatically HTML encode the content that gets sent to the browser.
    It's up to the programmer to HTML encode in the right places.  And
    when something is left to the programmer, we'll have bugs and holes.
    
    We need a totally new development platform that makes it impossible to
    do the typical webappsec mistakes.  I'm not sure if it's doable, but I
    guess it would be possible to avoid all meta-character based exploits,
    such as Cross-site Scripting, SQL Injection, Shell Command Injection
    and so on.  It's just a matter of encapsulating all communication with
    sub-systems (including the browser) in some reasonable and limited
    API.
    
    
    Sverre.
    
    -- 
    shhat_private		Computer Geek?  Try my Nerd Quiz
    http://shh.thathost.com/	http://nerdquiz.thathost.com/
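The "merge static layout with content, encoding every piece of content on the way out" approach described in the reply above, as an added PHP illustration that is not code from the original post or from its author. The function name render(), the {{ placeholder }} syntax, the sample layout and the sample form values are all this example's own; the second function is likewise an added illustration of why the quoted pseudocode is a different problem that output encoding cannot solve, using a constructed allowlist of host names.

```php
<?php
// Added example (not from the original post): a minimal "merge layout with
// content" step. The layout is a static string with named placeholders;
// the merge function HTML-encodes every content value itself, so the page
// author never has to remember to call htmlspecialchars() in the right place.
// render(), the placeholder syntax and all sample data are this example's own.

declare(strict_types=1);

/**
 * Merge a static layout with a content array. Every value is encoded on the
 * way through; there is no parameter that lets raw markup bypass encoding.
 */
function render(string $layout, array $content): string
{
    return preg_replace_callback(
        '/\{\{\s*([a-zA-Z_][a-zA-Z0-9_]*)\s*\}\}/',
        function (array $m) use ($content): string {
            if (!array_key_exists($m[1], $content)) {
                // Unknown placeholder: fail closed instead of leaking the tag.
                throw new InvalidArgumentException("No content for '{$m[1]}'");
            }
            // ENT_QUOTES also encodes the single quote, so values are safe inside
            // single-quoted attributes; naming the charset avoids encoding quirks.
            return htmlspecialchars((string) $content[$m[1]], ENT_QUOTES | ENT_HTML5, 'UTF-8');
        },
        $layout
    );
}

// Static layout: nothing in it is derived from the user, a database or a file.
$layout = <<<'HTML'
<html><body>
<h1>Hello, {{ name }}</h1>
<p>Your search: <input value='{{ query }}'></p>
</body></html>
HTML;

// Constructed sample content, shaped like values a hostile form submission
// might carry. Both end up as inert text because render() encodes everything.
$content = [
    'name'  => '<script>alert(1)</script>',
    'query' => "' onmouseover='alert(2)",
];

echo render($layout, $content), PHP_EOL;

// The quoted pseudocode is a different problem: the value builds a URL, not
// markup, so HTML encoding cannot help. A host name assembled from input is
// only safe when checked against the hosts the application actually owns.
function checkpwTarget(string $server): string
{
    $allowed = ['example', 'example-staging'];   // constructed allowlist
    if (!in_array($server, $allowed, true)) {
        throw new InvalidArgumentException('Unexpected server name');
    }
    return 'https://www.' . $server . '.com/login/checkpw.cgi';
}

echo checkpwTarget('example'), PHP_EOL;
```

Run with the PHP command-line interpreter. The design point is the one the reply makes: because encoding happens inside the single merge function rather than at each output site, forgetting a call is no longer a category of bug the page author can make; the price is that the layout must be genuinely static, with no user-, database- or file-derived text pasted into it before render() runs.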
    



    This archive was generated by hypermail 2b30 : Sat Oct 12 2002 - 10:46:28 PDT