RE: Active-content filtering (was RE: Buffer Overruns)

[fernando_montenegro () hp com]

Hello again!

You wrote:

> I VEHEMENTLY dispute that any of these scripting technologies are *legitimate*
> business-need content.  On the contrary, they are symptoms of "lazy web 
developer
> who doesn't understand the technology."  I have never, ever encountered a web 
site
> that used Javascript in a way that was actually necessary to perform the 
business
> function.

When the "business function" is to deliver content for a wide audience with a 
short attention span, while at the same time reducing costs and time-to-market, 
differentiating yourself from a slew of other competitors in a very level 
playing field (the user's screen) and dealing with incompatible 
standards/implementations, it would be foolish to ignore technology that is 
widely deployed at your customer base and helps achieve the goals described 
above.

After receiving your message I went on and visited some "high profile" sites. I 
found them using Javascript for:
- Verifying which browser the user is connecting with, and acting accordingly.
- Performing input validation.
- Playing tricks with frames (so as to avoid content stealing through framing).
- Displaying/managing "pop-up" windows with ads, questionnaires, instant polls 
or on-line help.

IMHO, now that the Web is a commercial venture, where 
glitz/interactivity/ease-of-use is at least as important as content, these are 
all valid uses.

Even some sites that didn't have scripting on their main page went on use it 
somewhere further down the road. As a matter of fact, even security-related 
sites had scripting enabled, using it for pretty much the same as the other 
sites.

Is it unfortunate that there are vulnerabilities being discovered left and 
right regarding client-side code? Yes!
Is it unfortunate that web sites are designed with less than adequate security 
architectures? Hell yes!
Can we expect the risk to be eliminated by removing client-side code? No!
What needs to be done? Risk reduction.

It looks like this is only a re-enacting of the "should we connect to the Big 
Bad Internet or not?" dillema. Just like some networks will never be connected 
(directly, that is), I am sure there'll be network admins who will just block 
out Java[script]|ActiveX and substantiate that as a valid business decision. 
That's great!

On the other hand, there'll be scores of admins who need to leave this stuff 
open because their user population requires it. In these cases, having proper 
policy and network design, along with useful tools, can help reduce the risk.

Which brings me back to my questions: are there adequate tools to deal with 
client-side code on a corporate level? Has anyone come across a proxy server 
with this kind of granularity (allowing/denying scripting per destination web 
site per user profile (time of day, username, ...))

Hope this helps.

Cheers,
Fernando
--
Fernando da Silveira Montenegro     Hewlett-Packard Brasil
HP Consulting - IT Security         Al. Rio Negro, 750 - Alphaville
mailto:fernando_montenegro () hp com   Barueri, SP - Brazil 06454-000
voice: +55-11-7297-4351             #include <disclaimer.h>