
Re: [WEB SECURITY] Universal XSS with PDF files: highly dangerous



------_=_NextPart_001_01C73113.ECDF5B3A
Content-Type: text/plain;
	charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

> OK, so my understanding is that we assume IP-binding, and then compare a
> PRNG approach (one-time token) to an encryption approach. I think we're
> making progress on our mutual understanding ;-)

I considered doing the PRNG approach as it is a few less lines of code.
But in a load-balanced environment, it would require sharing sessions
across multiple hosts in a way that the encrypted token does not.  That
makes it way more complex than the encryption approach.

> Yes, but I'm not sure that the encryption approach is THAT complex.
> Two implementations for the encryption approach were provided already
> (J2EE - http://www.owasp.org/index.php/PDF_Attack_Filter_for_Java_EE and
> .NET - http://www.techplay.net/), none seem to contain complex code by
> my standards. And the "payment" at the server side for one time token -
> i.e. maintaining a list of generated tokens and ticking its entries when
> valid tokens are received is pretty severe payment. Think load-balanced
> systems, fail over, RAM considerations, ...

I would just put the token in each user's session, so the container
really manages the list. But still I think the encryption approach is
more generally useful.

--Jeff
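An added worked example (Python, my own illustration, not the OWASP Java EE filter's or the .NET filter's code) that models the two token designs this exchange compares, so the load-balancing point can be seen rather than argued. The "encryption approach" is represented by an IP-bound, time-limited token authenticated with an HMAC over `ip|expiry` instead of an AES-encrypted one, because the Python standard library has no block cipher; the property the thread relies on, that a client cannot mint or alter a valid token and that any host holding the shared key can check it with no server-side state, is the same either way. The "PRNG approach" is the random one-time token kept in the user's session, as suggested above. The key, the 60-second lifetime, the IP addresses and the two-host setup are all constructed for the demonstration.

```python
"""PDF-link tokens, two ways: stateless authenticated token vs. per-session
one-time token. Added example; not the OWASP/Aspect or techplay filter code."""
import base64
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed key: every host behind the load balancer would hold the same one.
SHARED_KEY = b"constructed-demo-key-not-for-production"
TOKEN_TTL = 60                               # seconds; assumption, the thread names no lifetime
_TAG_LEN = hashlib.sha256().digest_size      # 32-byte HMAC tag appended to the payload


def _tag(payload: bytes, key: bytes) -> bytes:
    return hmac.new(key, payload, hashlib.sha256).digest()


def issue_stateless_token(client_ip: str, key: bytes = SHARED_KEY,
                          now: Optional[int] = None) -> str:
    """'Encryption approach' stand-in: token = base64(ip|expiry || HMAC(ip|expiry)).
    Nothing is stored server-side, so any host with the key can verify it."""
    now = int(time.time()) if now is None else now
    payload = f"{client_ip}|{now + TOKEN_TTL}".encode()
    return base64.urlsafe_b64encode(payload + _tag(payload, key)).decode()


def verify_stateless_token(token: str, client_ip: str, key: bytes = SHARED_KEY,
                           now: Optional[int] = None) -> bool:
    """Reject anything that is not well-formed, not ours, for another IP, or expired."""
    now = int(time.time()) if now is None else now
    try:
        raw = base64.urlsafe_b64decode(token.encode())
    except ValueError:                        # bad base64 / padding
        return False
    if len(raw) <= _TAG_LEN:
        return False
    payload, tag = raw[:-_TAG_LEN], raw[-_TAG_LEN:]
    if not hmac.compare_digest(_tag(payload, key), tag):   # authenticate before trusting fields
        return False
    ip, _, expiry = payload.decode().partition("|")
    return ip == client_ip and now < int(expiry)


def issue_session_token(session: dict, client_ip: str) -> str:
    """'PRNG approach': an unguessable one-time token stored in the user's session,
    so the servlet container (here: a plain dict) keeps the list of live tokens."""
    token = secrets.token_urlsafe(32)
    session["pdf_token"] = (token, client_ip)
    return token


def verify_session_token(session: dict, token: str, client_ip: str) -> bool:
    entry = session.get("pdf_token")
    if entry is None:
        return False
    stored, ip = entry
    if not (hmac.compare_digest(stored.encode(), token.encode()) and ip == client_ip):
        return False
    del session["pdf_token"]                  # one-time: consumed on first successful use
    return True


def demo_failover() -> dict:
    """Host A issues a token, host B has to validate it. Each host keeps its own
    session store (nothing shared), the situation the thread is worried about."""
    client = "203.0.113.5"                    # constructed client address
    host_a_session, host_b_session = {}, {}   # same user, two hosts, unshared sessions
    t0 = 1_000_000                            # fixed clock so the expiry case is deterministic

    stateless = issue_stateless_token(client, now=t0)
    onetime = issue_session_token(host_a_session, client)

    # Attacker keeps the tag but edits the expiry inside the payload.
    raw = base64.urlsafe_b64decode(stateless)
    forged = base64.urlsafe_b64encode(raw.replace(b"|1000060", b"|2000060")).decode()

    return {
        "stateless_verifies_on_other_host": verify_stateless_token(stateless, client, now=t0 + 5),
        "stateless_rejects_other_ip": verify_stateless_token(stateless, "198.51.100.9", now=t0 + 5),
        "stateless_rejects_expired": verify_stateless_token(stateless, client, now=t0 + TOKEN_TTL),
        "stateless_rejects_tampered": verify_stateless_token(forged, client, now=t0 + 5),
        "onetime_fails_on_other_host": verify_session_token(host_b_session, onetime, client),
        "onetime_ok_on_issuing_host": verify_session_token(host_a_session, onetime, client),
        "onetime_rejects_replay": verify_session_token(host_a_session, onetime, client),
    }


if __name__ == "__main__":
    for name, outcome in demo_failover().items():
        print(f"{name}: {outcome}")
```

Running `demo_failover()` shows the trade-off the two replies are circling: host B accepts the stateless token it never issued because it only needs the shared key, while the one-time token living in host A's session is unknown to host B until sessions are replicated or sticky. Binding to the client IP and the short lifetime limit reuse of a leaked stateless token; the session design gets single use for free but pays for it in shared state.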


Brought to you by http://www.webappsec.org