
RE: [WEB SECURITY] Cross Site Scripting



> Most of the web these days is made up of things like blogs
> and social networking sites, where they have to accept
> freeform text. You can't whitelist that.

I think you are confusing the concept of whitelist input validation with an implementation of whitelist input validation (i.e. the fallacy that whitelisting means using a regex).

You can whitelist input like blog comments, Cascading Style Sheets, or HTML. You just cannot whitelist validate rich content like that with a flat regex. You do it with some kind of parser (which, technically, is what a RegEx is. Computer Science Confucius say: It's all deterministic finite automata in the end!)

Take RSS as an example. Robert Auger wrote an excellent piece about validating RSS, but it can be generalized to validate any rich input. You first parse it for syntax (i.e. is this a valid XML document), then you whitelist validate the tags inside the document. (See a tag other than <item>, etc.? Junk it. See <link> and it's not under <item>? Junk it.) You also whitelist validate the attributes on those approved tags. The only allowed attribute for the <rss> tag is version. Anything else, junk it. You also whitelist input validate the contents of the structure. The contents of an <item>? It must be an absolute URL and its protocol must be http or https.

We cover whitelist input validation, specifically validating rich content like RSS feeds, SOAP, JSON, HTML, and JavaScript widgets in our Ajax Security book. Trust me, it's doable.

Billy Hoffman
--
Lead Researcher, HP Security Labs
HP Software
Phone: 678-781-4845
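The parse-then-whitelist approach for RSS described in the reply above, as an added example that is not part of the original thread or of the book it mentions. It assumes a minimal RSS 2.0 subset of tags (rss, channel, item, title, link, description), allows only the version attribute on <rss>, and applies the absolute http(s) URL rule to the text of <link>; the two sample feeds are constructed for the demonstration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Element -> children it may contain (a minimal RSS 2.0 subset, chosen for this example)
ALLOWED_CHILDREN = {
    "rss": {"channel"},
    "channel": {"title", "link", "description", "item"},
    "item": {"title", "link", "description"},
    "title": set(), "link": set(), "description": set(),
}
# Element -> attributes it may carry; <rss version="..."> is the only one allowed
ALLOWED_ATTRS = {"rss": {"version"}}

def _is_http_url(text):
    u = urlparse((text or "").strip())
    return u.scheme in ("http", "https") and bool(u.netloc)

def _check(elem, parent, problems):
    allowed = {"rss"} if parent is None else ALLOWED_CHILDREN.get(parent, set())
    if elem.tag not in allowed:  # unknown or misplaced tag (e.g. <link> outside <item>)
        problems.append(f"unexpected <{elem.tag}> under <{parent or 'document root'}>")
        return  # junk the whole subtree; do not descend into it
    for attr in elem.attrib:
        if attr not in ALLOWED_ATTRS.get(elem.tag, set()):
            problems.append(f"unexpected attribute {attr!r} on <{elem.tag}>")
    if elem.tag == "link" and not _is_http_url(elem.text):
        problems.append(f"<link> content is not an absolute http(s) URL: {elem.text!r}")
    for child in elem:
        _check(child, elem.tag, problems)

def validate_rss(xml_text):
    """Return a list of whitelist violations; an empty list means the feed passed."""
    try:
        root = ET.fromstring(xml_text)  # step 1: syntax, is it well-formed XML at all?
    except ET.ParseError as e:
        return [f"not well-formed XML: {e}"]
    problems = []
    _check(root, None, problems)  # steps 2-4: tags, attributes, contents
    return problems

# Constructed sample feeds for the demonstration
GOOD_FEED = """<rss version="2.0"><channel><title>t</title><link>http://example.com/</link>
<description>d</description><item><title>i</title><link>https://example.com/a</link></item>
</channel></rss>"""
BAD_FEED = """<rss version="2.0" onload="x"><channel><title>t</title><script>bad()</script>
<item><link>javascript:bad()</link></item></channel></rss>"""
if __name__ == "__main__":
    print(validate_rss(GOOD_FEED))  # []
    print(validate_rss(BAD_FEED))   # three violations: attribute, tag, link content
```

For feeds fetched from untrusted sources, the same logic should sit on top of a hardened parser (for example defusedxml's ElementTree) rather than the bare stdlib one, since the syntax step is itself exposed to hostile XML.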

-----Original Message-----
From: Jeff Robertson [mailto:jeff.robertson@xxxxxxxxx]
Sent: Thursday, September 20, 2007 1:55 PM
To: Hoffman, Billy
Subject: Re: [WEB SECURITY] Cross Site Scripting

On 9/20/07, Hoffman, Billy <billy.hoffman@xxxxxx> wrote:
>
>
> Inputs in web application should be validated using white list input
> validation. For example, if an input is a US ZIP code, your web application
> should only accept inputs that are 5 digits long (or perhaps, 5 digits
> followed by a dash, followed by 4 digits)
>

Any nontrivial application will contain places where the common XSS
attacks will pass the whitelist. That approach really only works on a
certain class of application, typified by something like a shopping
cart where the only thing the user can enter is how many of what item
they want, credit card number, address, etc.


Note that I'm NOT defending blacklisting.
