Vulnerability Development mailing list archives

Re: CROSS SITE-SCRIPTING Protection with PHP

From: Dan Kaminsky <dan () doxpara com>
Date: Mon, 14 Oct 2002 11:40:16 -0700

 * Automatically providing tamper control (eg. message digests) to
   data that are not supposed to be tampered with.


And you verify that the digest isn't changed *how*?  (Hint - how do you
keep your attacker from handing you a piece of data along with a digest that
matches?

For remotely computed data / hashes, you can't -- thus the folly oftrusting MD5 hashes on critical files downloaded off of untrustedservers. If somebody can modify the tarball, they can probably modifythe hash too.

But for cookie-style fields that are reflected back to stateful systems,you can certainly provide tamper control using the HMAC (Hashed MessageAuthentication) construction. Essentially, the HMAC adds a symmetricsecret to the resulting hash -- mere possession of data becomesinsufficient to compute a new hash; one must possess the secret as well.So people can either pass back the valid data, or nothing at all. Elegant.

Encrypting your state and embedding it into a cookie(or URL, hideouslyenough) is actually a great way to trade computation for bandwidth; atthe cost of a bit of bandwidth, your applications can be completelystateless. As Caezar pointed out a few days ago to me, a brilliantvariant of this for systems with *huge* amounts of state is simply topass to the clients a small HMAC'd handle to some state cached on acentral state-cache, which then upon receipt of a validated handle sendsto the stateless backend web request plus the relatively large amount ofdata the server needed to process the request. The load balanced serverremains stateless, the central state cache does nothing but hash,validate, store, and forward (all trivial ops), and the wire doesn't getflooded with garbage we didn't want to keep around.

As for a global site scripting solution...hmmm, I can imagine one tagI'd like in web browsers: "After this point, no scripting allowed, DOMis dead, go away." Think about it -- it's just priv dropping.


--Dan
www.doxpara.com

Current thread:

CROSS SITE-SCRIPTING Protection with PHP Astalavista Baby (Oct 10)
- Re: CROSS SITE-SCRIPTING Protection with PHP Valdis . Kletnieks (Oct 10)
  - Re: CROSS SITE-SCRIPTING Protection with PHP Marvin Simkin (Oct 11)
    - Re: CROSS SITE-SCRIPTING Protection with PHP Sverre H. Huseby (Oct 12)
    - RE: CROSS SITE-SCRIPTING Protection with PHP Rob Shein (Oct 14)
    - Re: CROSS SITE-SCRIPTING Protection with PHP Sverre H. Huseby (Oct 14)
    - Re: CROSS SITE-SCRIPTING Protection with PHP Sverre H. Huseby (Oct 14)
    - Re: CROSS SITE-SCRIPTING Protection with PHP Valdis . Kletnieks (Oct 14)
    - Re: CROSS SITE-SCRIPTING Protection with PHP Dan Kaminsky (Oct 14)
    - Hashes,File protection,etc Dave Aitel (Oct 14)
    - Re: Hashes,File protection,etc Dan Kaminsky (Oct 14)
    - Re: Hashes,File protection,etc Dave Aitel (Oct 14)
    - /instmsg/alias/annoying_web_logs ;) H D Moore (Oct 15)
    - Re: /instmsg/alias/annoying_web_logs ;) zeno (Oct 15)
    - Re: /instmsg/alias/annoying_web_logs ;) Dave Aitel (Oct 15)
    - Re: /instmsg/alias/annoying_web_logs ;) zeno (Oct 15)
    - RE: /instmsg/alias/annoying_web_logs ;) Elan Hasson (Oct 15)
    - RE: /instmsg/alias/annoying_web_logs ;) Dave Aitel (Oct 16)
    - Re: /instmsg/alias/annoying_web_logs ;) zeno (Oct 16)

(Thread continues...)