Secure Coding mailing list archives

Re: Theoretical question about vulnerabilities


From: Crispin Cowan <crispin () immunix com>
Date: Tue, 12 Apr 2005 15:34:55 +0100

David Crocker wrote:

> 3. Cross-site scripting. This is a particular form of "HTML injection" and would
> be caught by the proof process in a similar way to SQL injection, provided that
> the specification included a notion of the generated HTML being well-formed. If
> that was missing from the specification, then HTML injection would not be
> caught.

XSS occurs where client A can feed input to Server B such that client C
will accept and trust the input. The "correct" specification is that
Server B should do a perfect job of allowing clients to upload content
that is damaging to other clients. I submit that this is infeasible
without perfect knowledge of the vulnerabilities of all the possible
clients. This seems to be begging the definition of "prove correct"
pretty hard.

You can do a pretty good job of preventing XSS by stripping user posts
of all "interesting" features and permitting only "basic" HTML. But this
still does not completely eliminate XSS, as you cannot a priori know
about all the possible buffer overflows & etc. of every client that will
come to visit, and "basic" HTML still allows for some freaky stuff, e.g.
very long labels.

Crispin

--
Crispin Cowan, Ph.D.  http://immunix.com/~crispin/
CTO, Immunix          http://immunix.com
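The "strip everything interesting, permit only basic HTML" approach Crispin describes, as an added example that is not part of the thread or of any Immunix code. It is an allowlist sanitizer built on Python's standard-library HTMLParser: tags and attributes not on the (constructed) allowlist are dropped, text is re-escaped, script and style bodies are discarded, href values must carry an http/https/mailto scheme, and, to address his "very long labels" point, a single text run is bounded to MAX_TEXT_RUN characters. The allowlist, the limit and the sample inputs are assumptions chosen for the example; the output is well-formed in the sense that every emitted tag is closed, which is the property the quoted specification asks for. It does not, and cannot, meet the "perfect" specification Crispin argues is infeasible.

```python
from html import escape
from html.parser import HTMLParser

# Constructed allowlist for this example: tag -> attributes that may survive.
ALLOWED_TAGS = {
    "b": set(), "i": set(), "em": set(), "strong": set(),
    "p": set(), "br": set(), "a": {"href"},
}
VOID_TAGS = {"br"}                 # tags that never get a closing tag
DROP_CONTENT = {"script", "style"}  # tag and body are discarded together
SAFE_SCHEMES = ("http:", "https:", "mailto:")
MAX_TEXT_RUN = 200                 # assumed bound on one run of text


class AllowlistSanitizer(HTMLParser):
    """Re-emit only allowlisted markup; everything else becomes escaped text."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []        # output fragments
        self.open_tags = []  # stack of allowlisted tags we have opened
        self.skip = 0        # >0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skip += 1
            return
        if self.skip or tag not in ALLOWED_TAGS:
            return  # unknown tag is dropped; its text still flows through handle_data
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_TAGS[tag] or value is None:
                continue  # event handlers, style, etc. never reach here
            if name == "href" and not value.strip().lower().startswith(SAFE_SCHEMES):
                continue  # javascript:, data:, protocol-relative and friends are rejected
            kept.append(' %s="%s"' % (name, escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.skip = max(0, self.skip - 1)
            return
        if tag in self.open_tags:
            # Close anything opened after it too, so nesting stays well-formed.
            while self.open_tags:
                closed = self.open_tags.pop()
                self.out.append("</%s>" % closed)
                if closed == tag:
                    break

    def handle_data(self, data):
        if self.skip:
            return  # body of <script>/<style> is discarded
        # Always re-escape: the parser already decoded entities in this text.
        self.out.append(escape(data[:MAX_TEXT_RUN], quote=False))

    def finish(self):
        self.close()
        while self.open_tags:  # close tags the input left open
            self.out.append("</%s>" % self.open_tags.pop())
        return "".join(self.out)


def sanitize(untrusted_html):
    """Return an allowlist-filtered, re-escaped, well-formed HTML fragment."""
    parser = AllowlistSanitizer()
    parser.feed(untrusted_html)
    return parser.finish()


if __name__ == "__main__":
    # Constructed sample posts; none of them are real data.
    for post in (
        '<b>hi</b><script>alert(1)</script>',
        '<a href="javascript:alert(1)" onclick="x()">link</a>',
        '<img src=x onerror=alert(1)>caption',
        '<p>unclosed <b>bold</p>',
    ):
        print(repr(post), "->", repr(sanitize(post)))
```

Usage: feed one untrusted post to `sanitize()` and store or render only its return value. Note that the length bound is per text run, which is what the parser hands back between tags; a caller that also wants a bound on the whole post should check `len()` of the result as well.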