Re: Cross-site Scripting prevention with Apache::TaintRequest
The most common way to abuse is through cookie hijacking, If an attacker sends an email to a user's webmail account, that is vulnerable to cross side scripting and the users opens the message, the attacker would get the user's session cookies and read the user's email. There are several attacks already reported in bugtraq, go check http://www.securityfocus.com/ JP On Thu, 2002-01-24 at 07:50, Arnold van Kampen wrote: Does anybody have an example(s) of how this kind of abuse is actually working? All the time I have just been lucky then I guess. Arnold van Kampen On Tue, 22 Jan 2002, Perrin Harkins wrote: Yes and no. XSS attacks are possible on old browsers, when the charset is not set (something which is often the case with modperl apps) and when the HTML-escaping bit does not match what certain browsers accept as markup. Of course I set the charset, but I didn't know that might not be enough. Does anyone know if Apache::Util::escape_html() and HTML::Entities::encode() are safe? - Perrin -- João Pedro Gonçalves 'I have never let my schooling interfere with my education.' - Mark Twain
Re: Cross-site Scripting prevention with Apache::TaintRequest
Does anybody have an example(s) of how this kind of abuse is actually working? All the time I have just been lucky then I guess. Arnold van Kampen On Tue, 22 Jan 2002, Perrin Harkins wrote: Yes and no. XSS attacks are possible on old browsers, when the charset is not set (something which is often the case with modperl apps) and when the HTML-escaping bit does not match what certain browsers accept as markup. Of course I set the charset, but I didn't know that might not be enough. Does anyone know if Apache::Util::escape_html() and HTML::Entities::encode() are safe? - Perrin
Cross-site Scripting prevention with Apache::TaintRequest
Hi, I thought it might be interesting to start a thread on cross-site scripting attacks, since it seems that many people are not aware of the risks involved. Has anyone noticed attacks on their applications? Do you religiously check all input you get from form-submissions? What techniques do you use to insure that your application is not vulnerable? One technique that I've used is 'Tainting' input data (with PerlTaintCheck) and using a subclass of the Apache module to insure that tainted data is html-escaped. As part of the CPANification of the code in the mod_perl Developer's cookbook, I present Apache::TaintRequest, a module that helps prevent cross-site scripting attacks by automatically html-escaping 'tainted' text sent to a web browser.. Get it at http://www.modperlcookbook.org/code.html I'd be interested in hearing how others have dealt with the problem, suggestions on how this module could be used further are most welcome. -- Paul Lindner[EMAIL PROTECTED] | | | | | | | | | | mod_perl Developer's Cookbook http://www.modperlcookbook.org Human Rights Declaration http://www.unhchr.ch/udhr/index.htm
Re: Cross-site Scripting prevention with Apache::TaintRequest
What techniques do you use to insure that your application is not vulnerable? Usually I write application so that they do some processing, package up a chunk of data, and hand it to a template. With this structure, all you need to do is HTML-escape the data structure before handing it off, or use a templating tool that defaults to HTML-escaping all printed variables. If you're doing this, nothing the user sends in will pose a CSS threat. - Perrin
Re: Cross-site Scripting prevention with Apache::TaintRequest
On Tuesday 22 January 2002 18:48, Perrin Harkins wrote: What techniques do you use to insure that your application is not vulnerable? Usually I write application so that they do some processing, package up a chunk of data, and hand it to a template. With this structure, all you need to do is HTML-escape the data structure before handing it off, or use a templating tool that defaults to HTML-escaping all printed variables. If you're doing this, nothing the user sends in will pose a CSS threat. Yes and no. XSS attacks are possible on old browsers, when the charset is not set (something which is often the case with modperl apps) and when the HTML-escaping bit does not match what certain browsers accept as markup. See http://www.xray.mpe.mpg.de/mailing-lists/perl5-porters/2000-03/msg00750.html for a discussion of this. I think CGI.pm is safe now, and most modern browsers appear to have fixed that behaviour, but quite a few still remain in circulation and I'm not sure that all templating systems are handling the escaping properly. -- ___ Robin Berjon [EMAIL PROTECTED] -- CTO k n o w s c a p e : // venture knowledge agency www.knowscape.com --- Critic, n.: A person who boasts himself hard to please because nobody tries to please him.
Re: Cross-site Scripting prevention with Apache::TaintRequest
On Tue, Jan 22, 2002 at 09:25:15AM -0800, Paul Lindner wrote:
Hi,
I thought it might be interesting to start a thread on cross-site
scripting attacks, since it seems that many people are not aware of
the risks involved. Has anyone noticed attacks on their applications?
Do you religiously check all input you get from form-submissions?
What techniques do you use to insure that your application is not
vulnerable?
I've been pondering a lot about this lately, since I find creating
form validation routines very repetitive. So what I've come up with
so far is (not yet finished):
my $fields = {
id = ['\d+', \validation_sub ],
text = ['(?:\w\s)+']
};
And I feed this along with the request or cgi object to a function
that checks each key for first the simple regexp to see if it's worth
trying the real validation function.
My little system for doing this isn't
All the variables that are passed through form fields into other pages
goes through HTML::Entities' encode_entites function right before it's
inserted in a template.
--
Thomas Eibner http://thomas.eibner.dk/ DnsZone http://dnszone.org/
mod_pointer http://stderr.net/mod_pointer
Re: Cross-site Scripting prevention with Apache::TaintRequest
On Tue, 22 Jan 2002 19:01:48 +0100
Thomas Eibner [EMAIL PROTECTED] wrote:
my $fields = {
id = ['\d+', \validation_sub ],
text = ['(?:\w\s)+']
};
And I feed this along with the request or cgi object to a function
that checks each key for first the simple regexp to see if it's worth
trying the real validation function.
see also CGI::Untaint by Tony Bowden, on CPAN.
--
Tatsuhiko Miyagawa [EMAIL PROTECTED]
Re: Cross-site Scripting prevention with Apache::TaintRequest
On Tue, 22 Jan 2002 09:25:15 -0800 Paul Lindner [EMAIL PROTECTED] wrote: As part of the CPANification of the code in the mod_perl Developer's cookbook, I present Apache::TaintRequest, a module that helps prevent cross-site scripting attacks by automatically html-escaping 'tainted' text sent to a web browser.. Get it at http://www.modperlcookbook.org/code.html Techniques I use depends on HTML::Template's TMPL_VAR escape=HTML stuff. But your idea to detect output from Untainted data for protection against CSS, is very neat. Nice. -- Tatsuhiko Miyagawa [EMAIL PROTECTED]
Re: Cross-site Scripting prevention with Apache::TaintRequest
Yes and no. XSS attacks are possible on old browsers, when the charset is not set (something which is often the case with modperl apps) and when the HTML-escaping bit does not match what certain browsers accept as markup. Of course I set the charset, but I didn't know that might not be enough. Does anyone know if Apache::Util::escape_html() and HTML::Entities::encode() are safe? - Perrin
Re: Cross-site Scripting prevention with Apache::TaintRequest
On Tuesday 22 January 2002 19:04, Perrin Harkins wrote: Of course I set the charset, but I didn't know that might not be enough. Does anyone know if Apache::Util::escape_html() and HTML::Entities::encode() are safe? A quick look (I could be wrong) at HTML::Entities seems to imply that it should be safe, as it uses numeric encoding for characters that it doesn't recognize. I don't know about Apache::Util. -- ___ Robin Berjon [EMAIL PROTECTED] -- CTO k n o w s c a p e : // venture knowledge agency www.knowscape.com --- I don't suffer from insanity. I enjoy every minute of it.
Re: Cross-site Scripting prevention with Apache::TaintRequest
On Tue, Jan 22, 2002 at 07:11:28PM +0100, Robin Berjon wrote: On Tuesday 22 January 2002 19:04, Perrin Harkins wrote: Of course I set the charset, but I didn't know that might not be enough. Does anyone know if Apache::Util::escape_html() and HTML::Entities::encode() are safe? A quick look (I could be wrong) at HTML::Entities seems to imply that it should be safe, as it uses numeric encoding for characters that it doesn't recognize. I don't know about Apache::Util. BTW, if you don't html-escape and just search for tags you should make sure to HTML::Entities::decode() the text before processing it. I've seen cases where people disguised scripting code with numeric entities.. jav...;script etc... -- Paul Lindner[EMAIL PROTECTED] | | | | | | | | | | mod_perl Developer's Cookbook http://www.modperlcookbook.org Human Rights Declaration http://www.unhchr.ch/udhr/index.htm
