I'm considering implementing a reflective XSS filter similar in scope to the XSS filter in IE8, and I wanted to gauge interest from folks in the WebKit community before investing a lot of time into the project.
== Background == Cross-site scripting (XSS) is the most common web application vulnerability. There are two types of XSS vulnerabilities, reflective XSS and stored XSS. The main difference is that the attack string in a reflective XSS attack is immediately outputted (reflected back) by the web site, whereas in a stored attack, the attack string is stored in (and later retrieved from) the site's database. Many web sites contain very simple reflective XSS vulnerabilities along the lines of: <h1>Hi there <?php echo GET["name"] ?></h1> A web browser can hope to protect these sites by recognizing that a query parameter in the HTTP request was reflected back in the HTTP response and was executed as script. IE8 contains such as reflective XSS filter, which seems to be fairly effective at mitigating some classes of vulnerabilities. == Disadvantages == Implementing an XSS filter has a few disadvantages: 1) By nature, such a filter is heuristic and will have false positives. We can take steps to reduce the false positive rate, but there will be some sites that break. IE8 lets sites opt-out of the filter via HTTP headers. We can certainly honor these headers. 2) Because the filter mitigates only some classes of vulnerabilities, the filter might leave site developers with a false sense of security. Those developers might not patch certain XSS holes because they believe the browser will protect them (which might or might not be true). 3) By altering the semantics of web pages, the filter might introduce new vulnerabilities into sites. We have some specific examples of vulnerabilities introduced by the IE8 XSS filter, but these vulnerabilities tend to be much less severe than the vulnerabilities blocked by the filter. 4) The additional processing done by the filter might degrade performance. Without an implementation, I can't say what the performance impact would be, but we can aim to minimize the costs. == Conclusion == These disadvantages are balanced by the security benefit of automatically protecting users from some classes of XSS vulnerabilities. If enough members of the WebKit community are interested in an XSS filter, I can circulate a design doc for comments. Thanks, Adam _______________________________________________ webkit-dev mailing list webkit-dev@lists.webkit.org http://lists.webkit.org/mailman/listinfo.cgi/webkit-dev