Vulnerability Development mailing list archives
Re: CROSS SITE-SCRIPTING Protection with PHP
From: Dan Kaminsky <dan () doxpara com>
Date: Mon, 14 Oct 2002 11:40:16 -0700
> > * Automatically providing tamper control (eg. message digests) to data that are not supposed to be tampered with.
>
> And you verify that the digest isn't changed *how*? (Hint - how do you keep your attacker from handing you a piece of data along with a digest that matches?)

For remotely computed data / hashes, you can't -- thus the folly of trusting MD5 hashes on critical files downloaded off of untrusted servers. If somebody can modify the tarball, they can probably modify the hash too.
But for cookie-style fields that are reflected back to stateful systems, you can certainly provide tamper control using the HMAC (Hashed Message Authentication) construction. Essentially, the HMAC adds a symmetric secret to the resulting hash -- mere possession of data becomes insufficient to compute a new hash; one must possess the secret as well. So people can either pass back the valid data, or nothing at all. Elegant.
Encrypting your state and embedding it into a cookie (or URL, hideously enough) is actually a great way to trade computation for bandwidth; at the cost of a bit of bandwidth, your applications can be completely stateless. As Caezar pointed out a few days ago to me, a brilliant variant of this for systems with *huge* amounts of state is simply to pass to the clients a small HMAC'd handle to some state cached on a central state-cache, which then upon receipt of a validated handle sends to the stateless backend the web request plus the relatively large amount of data the server needed to process the request. The load balanced server remains stateless, the central state cache does nothing but hash, validate, store, and forward (all trivial ops), and the wire doesn't get flooded with garbage we didn't want to keep around.
As for a global site scripting solution...hmmm, I can imagine one tag I'd like in web browsers: "After this point, no scripting allowed, DOM is dead, go away." Think about it -- it's just priv dropping.
--Dan www.doxpara.com
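The HMAC'd cookie construction described in the message above, as an added example in Python (not code from the original post or its author). It assumes a server-held SECRET_KEY (a constructed value here) and JSON-serialised state; it also shows why a keyless digest in the same position gives no tamper control, since anyone holding the data can recompute it.

```python
import base64
import hashlib
import hmac
import json

# Server-side secret; never sent to the client. Constructed value for this example.
SECRET_KEY = b"constructed-example-key-do-not-reuse"

def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _encode(state: dict) -> bytes:
    # Canonical JSON: the same state always yields the same bytes, hence the same tag.
    return json.dumps(state, sort_keys=True, separators=(",", ":")).encode()

def sign_state(state: dict, key: bytes = SECRET_KEY) -> str:
    """Cookie value '<payload>.<tag>' with tag = HMAC-SHA256(key, payload)."""
    payload = _encode(state)
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return f"{_b64e(payload)}.{_b64e(tag)}"

def verify_state(cookie: str, key: bytes = SECRET_KEY):
    """Return the state dict if the tag is valid; None if malformed, tampered or forged."""
    try:
        payload_b64, tag_b64 = cookie.split(".", 1)
        payload, tag = _b64d(payload_b64), _b64d(tag_b64)
        expected = hmac.new(key, payload, hashlib.sha256).digest()
        # Constant-time comparison so the check leaks no timing information about the tag.
        if not hmac.compare_digest(expected, tag):
            return None
        return json.loads(payload)
    except ValueError:
        return None

def replace_payload(cookie: str, new_state: dict) -> str:
    """A client-side edit that keeps the old tag, as a cookie editor would produce."""
    _, tag_b64 = cookie.split(".", 1)
    return f"{_b64e(_encode(new_state))}.{tag_b64}"

def plain_digest_cookie(state: dict) -> str:
    """Same layout but with an unkeyed SHA-256 as the tag: anyone holding the data can make it."""
    payload = _encode(state)
    return f"{_b64e(payload)}.{_b64e(hashlib.sha256(payload).digest())}"
```

A valid cookie round-trips; an edited payload with the old tag, a keyless digest, an unrelated key, or junk input all verify to None.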