I agree that the application should code defensively for these types of
attacks. However, I'm still wondering if this type of attack isn't
something that the containers could assist with as well.
IIUC the attack is basically accomplished by appending some script to a
valid URL. If this URL is processed without challenge and returned in
the response then attack is successful.
So my question (perhaps dumb question) is - "Is this a typical pattern
used by an application?" I can see where script is added to the URL on
a response but it isn't obvious to me how script might be used on a
request URL. Could a container provide some additional protection
(without breaking apps) by striping any script from incoming requests?
Joe
Paul McMahan wrote:
Jeff, I believe it is the responsibility of the application to secure
itself against XSS attacks, and not the web container's. As you know,
the web container really has no way to differentiate between legitimate
and "tainted" content in the output stream. The container could do
paranoid things such as replacing suspicous characters when it logs
request URIs. But, as you say, that type of approach could be seen as
too heavy handed.
Best wishes,
Paul
On 1/18/06, *Jeff Genender* <[EMAIL PROTECTED]
<mailto:[EMAIL PROTECTED]>> wrote:
Where I am going at with this...is this a vulnerability caused by coding
the apps, or the containers themselves?
i.e., Will I have this problem with a perl app running on httpd? or
ASP/C# on IIS? Is this type of vulnerability a facet of responsibility
that lies on the container, or the developer?
I am just trying to assess this as a true vulnerability from a web
container perspective. I am assuming, that yes, the container could
change the < and > to lt&; and gt&;. But, I am wondering where we draw
the line and wonder if that is too heavy handed.
If the other web servers provide protection from this, then I guess its
safe to assume we should follow the pack. OTOH, I surely would not want
to take away too much responsibility of the developer to ensure they
are
properly securing their own apps, while maintaining a bit of flexibility
for them.
Jeff
Kevan Miller wrote:
>
> On Jan 18, 2006, at 11:24 AM, Jeff Genender wrote:
>
>> So assuming this appears to be somewhat "examples" related, is this
>> truly a container problem, or just the jsp examples implementation?
>
> IANASE, but it seems that any vulnerabilities must be fixed in
the apps
> themselves -- certainly seems like the only course of action for G
> 1.0.1. I'm currently aware of problems with samples and the admin
console.
>
> Apps must insure they return appropriate content to clients. I
don't see
> how a container could provide general XSS protection... I'm sure
there
> are people who know much more than I on the topic...
>
> --kevan
--
Joe Bohn
joe.bohn at earthlink.net
"He is no fool who gives what he cannot keep, to gain what he cannot
lose." -- Jim Elliot
