http://textslashplain.com/2015/06/22/content-blocking-unintended-consequences/

Our company uses a web firewall device called IronPort to attempt to
block unwanted network traffic; it blocks access to known phish and
malware domains, and, more annoyingly, domains thought to be related
to gaming or more 'questionable' topics (e.g. politics). Whatever.

Today the IT department pushed a new rule set which blocks some
requests to domains like s.tagsrvcs.com. Instead of the normal
response, you instead get back a HTTP/403 blocking page of type
text/html:

...

Many of the websites I visit (Wired, WashingtonPost, VanityFair, etc)
now hang Internet Explorer:

...

Because when the target content is blocked, the server returns a HTTP/200 with a
zero byte body, and thus nothing that needs to be scanned for an XSS attack.

When the IronPort device blocks a response, it returns a HTTP/403 with
the body HTML shown in the first screenshot. Now IE's XSS filter must
run to check to see whether any of the content from the request was
reflected into the blocking page. Still, the blocking page response is
pretty simple... Hmmm... Let's look at the request.


Oh. Yeah, I can see why turning that into a regular expression might take a bit
longer than the developers of the XSS Filter've planned for.

So, a few lessons:

Don't underestimate the collateral damage of blocking content.

If there's absolutely no chance of a reflection, send an
X-XSS-Protection: 0 response header.

As a web developer, choose your third-party dependencies with
care. Any of them could break you.

When talking to pointy-haired bosses, webdevs, and designers, refer to
HTTPS to help make it clear that TLS isn't mumbo jumbo.
-- 
http://www.subspacefield.org/~travis/ | if spammer then j...@subspacefield.org
"Computer crime, the glamor crime of the 1970s, will become in the
1980s one of the greatest sources of preventable business loss."
John M. Carroll, "Computer Security", first edition cover flap, 1977

Attachment: pgpoKeiPniCtg.pgp
Description: PGP signature
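The second lesson in the post (send X-XSS-Protection: 0 only when a reflection is impossible) is easy to state and easy to get wrong. The following is an added example, not code from the post, the blog it quotes, or any IronPort product: a minimal block page builder that keeps the body static, checks that no decoded piece of the request URL appears in the body, and only then attaches the header. The URLs, parameter names and the echoing "bad" page are constructed for illustration; the only value taken from the post is the blocked hostname s.tagsrvcs.com.

```python
from http import HTTPStatus
from typing import Dict, List, Tuple
from urllib.parse import parse_qsl, unquote, urlsplit

# Static block page: no request-derived text is ever interpolated into it,
# so there is nothing an XSS filter could find reflected here.
BLOCK_BODY = (
    "<!DOCTYPE html><html><head><title>Request blocked</title></head>"
    "<body><h1>Request blocked</h1>"
    "<p>This destination is blocked by the web filter. "
    "Contact the helpdesk and quote the time of the request.</p>"
    "</body></html>"
)

MIN_FRAGMENT_LEN = 4  # ignore tiny tokens ("id", "ts") that would match anything


def request_fragments(url: str) -> List[str]:
    """Split a request URL into the client-controlled pieces a reflection
    check should look for: path segments, query names, query values and the
    fragment, each percent-decoded the way a browser-side filter sees them."""
    parts = urlsplit(url)
    frags = [unquote(seg) for seg in parts.path.split("/") if seg]
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        frags.extend([name, value])
    if parts.fragment:
        frags.append(unquote(parts.fragment))
    return [f for f in frags if len(f) >= MIN_FRAGMENT_LEN]


def reflected_fragments(url: str, body: str) -> List[str]:
    """Return the request fragments that appear verbatim in the body."""
    return [f for f in request_fragments(url) if f in body]


def build_block_response(url: str) -> Tuple[int, Dict[str, str], str]:
    """Build the HTTP/403 block response for a request to `url`.

    The body is the static BLOCK_BODY; the self-check turns "nothing is
    reflected" from an assumption into an enforced invariant, and only
    then is X-XSS-Protection: 0 attached.
    """
    leaked = reflected_fragments(url, BLOCK_BODY)
    if leaked:
        raise ValueError(f"block page reflects request data: {leaked}")
    headers = {
        "Content-Type": "text/html; charset=utf-8",
        "Content-Length": str(len(BLOCK_BODY.encode("utf-8"))),
        "Cache-Control": "no-store",
        "X-XSS-Protection": "0",  # nothing to scan: tell IE not to run the filter
    }
    return HTTPStatus.FORBIDDEN.value, headers, BLOCK_BODY


def echoing_block_body(url: str) -> str:
    """A block page of the kind NOT to ship: it echoes the blocked URL, so the
    request is reflected and disabling the XSS filter would be unsafe."""
    return f"<html><body><h1>Blocked</h1><p>Access to {url} is denied.</p></body></html>"


# Constructed sample: a long tracker request of the sort the post describes,
# with one percent-encoded markup value to show the decoding step.
SAMPLE_URL = (
    "http://s.tagsrvcs.com/2/4.10.3/pixel?ref=example-news-site"
    "&campaign=summer-launch&uid=7b3c9d&ts=1435000000"
    "&label=%3Cb%3Ebold%3C%2Fb%3E"
)

if __name__ == "__main__":
    status, hdrs, body = build_block_response(SAMPLE_URL)
    print(status, hdrs["X-XSS-Protection"], len(body), "bytes")
    print("static page reflects:", reflected_fragments(SAMPLE_URL, BLOCK_BODY))
    print("echoing page reflects:",
          reflected_fragments(SAMPLE_URL, echoing_block_body(SAMPLE_URL)))
```

The check is deliberately conservative: it compares decoded fragments against the raw body, so a page that echoes the URL verbatim is caught by its plain-text parameters even though the encoded markup does not match after decoding. The static page passes because it contains no request data at all, which is the only situation in which the post's advice to send X-XSS-Protection: 0 applies.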

_______________________________________________
langsec-discuss mailing list
langsec-discuss@mail.langsec.org
https://mail.langsec.org/cgi-bin/mailman/listinfo/langsec-discuss
