Vulnerability Development mailing list archives

Re: CROSS SITE-SCRIPTING Protection with PHP


From: "Sverre H. Huseby" <shh () thathost com>
Date: Fri, 11 Oct 2002 23:51:16 +0200

[Marvin Simkin]

|   Filters can *help*, but there is *no* magic bullet for 100% CSS
|   protection, because CSS is so generic that it can arise anywhere a
|   web programmer makes a mistake. Consider this pseudocode:
|   
|   PasswordSubmitTarget = 
|     "https://www." + Server + ".com/login/checkpw.cgi"
|   
|   Suppose the variable Server comes from an untrusted source
|   somehow. An attacker might find some way to manipulate the
|   variable so that passwords get submitted to the attacker's
|   server. Yet the untrusted variable could contain nothing but
|   [a-z]!

That isn't Cross-site Scripting.

It's actually quite easy to protect against Cross-site Scripting: Keep
layout (markup) and content totally separate.  Right before sending
the response, the final HTML is generated _automatically_ by a piece
of code that merges the layout and the content, and HTML encodes
_every_ single part of the content in the process.  The layout is
static (or semi-static; at least it does not contain anything that is
derived from the user, from databases, files, and so on).

I guess you get a lot for free if you use an XML DOM or something.

The problem with popular languages such as ASP, PHP and JSP is that
they encourage a mix of layout and content, thus making it hard to
automatically HTML encode the content that gets sent to the browser.
It's up to the programmer to HTML encode in the right places.  And
when something is left to the programmer, we'll have bugs and holes.

We need a totally new development platform that makes it impossible to
do the typical webappsec mistakes.  I'm not sure if it's doable, but I
guess it would be possible to avoid all meta-character based exploits,
such as Cross-site Scripting, SQL Injection, Shell Command Injection
and so on.  It's just a matter of encapsulating all communication with
sub-systems (including the browser) in some reasonable and limited
API.


Sverre.

-- 
shh () thathost com             Computer Geek?  Try my Nerd Quiz
http://shh.thathost.com/        http://nerdquiz.thathost.com/
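One way to apply the "keep layout and content separate, encode everything at merge time" idea from the message above in PHP, as an added example that is not part of the original post: the layout is a static template holding all markup, the content is a plain array, and a single merge function HTML-encodes every value on its way into the page. The `{{name}}` placeholder syntax and the `render()` function are my own assumptions, not anything from the thread.

```php
<?php
// Added example, not code from the original post. The layout holds all
// markup and is written once; the content array holds only data; render()
// is the one piece of code that merges them and HTML-encodes every value,
// so no individual page author has to remember to call htmlspecialchars().
// The {{name}} placeholder syntax is an assumption made for this example.

declare(strict_types=1);

/**
 * Merge a static layout with content values. Every value is HTML-encoded
 * before substitution. ENT_QUOTES also encodes ' and ", which keeps values
 * safe inside quoted attribute values such as value="{{query}}".
 * Placeholders with no matching content are treated as a layout bug.
 */
function render(string $layout, array $content): string
{
    return preg_replace_callback(
        '/\{\{([a-zA-Z_][a-zA-Z0-9_]*)\}\}/',
        function (array $m) use ($content): string {
            if (!array_key_exists($m[1], $content)) {
                throw new InvalidArgumentException("no content for {$m[1]}");
            }
            return htmlspecialchars(
                (string) $content[$m[1]],
                ENT_QUOTES | ENT_HTML5,
                'UTF-8'
            );
        },
        $layout
    );
}

// The layout: static markup with no user-derived data in it.
$layout = <<<'HTML'
<p>Hello, {{user}}!</p>
<form method="post" action="/search">
  <input type="text" name="q" value="{{query}}">
</form>
HTML;

// Constructed sample content, standing in for request parameters.
$content = [
    'user'  => '<script>alert(1)</script>',
    'query' => '" onfocus="alert(1)',
];

echo render($layout, $content);
```

Running this with `php` prints the script element as literal text and keeps the quote in `query` encoded inside the attribute, so the markup of the page is exactly what the static layout declared.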

