Hi, Sorry, I'm having a hard time understanding what you wrote below. Do you have a specific attack vector you are concerned with or just a general concern to protect against cross site scripting?
Perhaps you could provide a specific example or link to an example we can review if it's something specific. Maybe someone else can respond if you have a specific attack in question. If it's a general concern then the answer is you make safe all user data that is reflected back to the user or any other users. Other comments below: On Fri, Mar 26, 2010 at 3:52 PM, Jon mailinglists <[email protected]>wrote: > User data for instance, say I have an application which is password > protected and I'm using the Authenticate/Authorize model coming with > Catalyst. I then protect the user data with a session cookie making > sure $c->user->address is shown and editable by the logged in user > (based on the thought that only the user can send me the cookie). > Untangling that, I think you are concerned that a user could modify their "address" and have it reflected (displayed) back to them. And if that "address" is not correctly sanitized (escaped) then there's risk of cross site scripting. Is that correct? The general answer there is, again, never reflect user-entered data without escaping. > How do I protect that from another site with another tab? YUI.Get > allows cross site requests, I haven't looked in too deep into it but > when I take the url I see the javascript requests in gmail does and > put it in a small YUI snippet will I get all my mail: > > https://mail.google.com/mail/?ui=2&ik=a_secret_token_or_my_id&view=tl&start=0&num=70&rt=h&search=drafts&zx=a_secret_token_or_my_id Lost me there. What is your concern with another tab? Browser should not allow one tab to run script in the context of another tab. >From what I understand, YUI.Get simply allows dynamically fetching content from third-party sites (just like you can with markup in your page). That's not a security risk itself, unless you are fetching from an untrusted third-party site. You would have to add the YUI.Get code in the first place to your own page so it's not really cross site scripting if it's your own script that is running. Sorry, I don't understand your last half a sentence about gmail. (Although, I've often wondered about their auth mechanism.) <...> And again, I'm no security expert and this with javascript/browser lack of security is fairly new to me so I'm not at all betting my dirty undies that I'm correct. I'd be a lot happier if I'm not since this would add a lot of hassle. I'm not a security expert, either. This may be the wrong list for security experts. But, in general, off the top of my head the standard recommendations include: - Use cookies for your auth token. Avoid more complex schemes for passing tokens around. - Use SSL if your site needs to protect private data and user confidence. - Change session ids upon authorization or switch to SSL. - Use secure cookies (only returned over SSL). - Use HttpOnly cookies (prevents cookie access in most clients). - Escape all reflected user data. - Avoid creating pages that allow users to enter (and reflect) markup. I'm sure there's others that people here can recommend. -- Bill Moseley [email protected]
_______________________________________________ List: [email protected] Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst Searchable archive: http://www.mail-archive.com/[email protected]/ Dev site: http://dev.catalyst.perl.org/
