Vulnerability Development mailing list archives
Re: CROSS SITE-SCRIPTING Protection with PHP
From: "Sverre H. Huseby" <shh () thathost com>
Date: Fri, 11 Oct 2002 23:51:16 +0200
[Marvin Simkin]
| Filters can *help*, but there is *no* magic bullet for 100% CSS
| protection, because CSS is so generic that it can arise anywhere a
| web programmer makes a mistake. Consider this pseudocode:
|
| PasswordSubmitTarget =
| "https://www." + Server + ".com/login/checkpw.cgi"
|
| Suppose the variable Server comes from an untrusted source
| somehow. An attacker might find some way to manipulate the
| variable so that passwords get submitted to the attacker's
| server. Yet the untrusted variable could contain nothing but
| [a-z]!

That isn't Cross-site Scripting.

It's actually quite easy to protect against Cross-site Scripting: Keep layout (markup) and content totally separate. Right before sending the response, the final HTML is generated _automatically_ by a piece of code that merges the layout and the content, and HTML encodes _every_ single part of the content in the process. The layout is static (or semi-static. At least it does not contain anything that is derived from the user, from databases, files, and so on). I guess you get a lot for free if you use an XML DOM or something.

The problem with popular languages such as ASP, PHP and JSP is that they encourage mixing layout and content, thus making it hard to automatically HTML encode the content that gets sent to the browser. It's up to the programmer to HTML encode in the right places. And when something is left to the programmer, we'll have bugs and holes.

We need a totally new development platform that makes it impossible to do the typical webappsec mistakes. I'm not sure if it's doable, but I guess it would be possible to avoid all meta-character based exploits, such as Cross-site Scripting, SQL Injection, Shell Command Injection and so on. It's just a matter of encapsulating all communication with sub-systems (including the browser) in some reasonable and limited API.

Sverre.

-- 
shh () thathost com               Computer Geek? Try my Nerd Quiz
http://shh.thathost.com/          http://nerdquiz.thathost.com/
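The merge step Sverre describes (a static layout, untrusted content, and a single piece of code that HTML-encodes every value while joining the two) is written out below as an added example. It is not code from the thread or from Sverre, and it is in Python rather than PHP so it can be run anywhere; the `{{name}}` placeholder syntax, the layout and the attacker-controlled values are all constructed for the demonstration. It also adds the check a practitioner would want on top of the post's advice: HTML entity encoding is the right escape only for element text and quoted attribute values, so the merger refuses a layout that puts a placeholder inside a `<script>` block, an event-handler attribute, an unquoted attribute value, or at the start of a URL attribute, where encoding alone does not help.

```python
"""Layout/content separation with automatic HTML encoding at merge time.

Added example, not code from the original thread.  The placeholder syntax,
the sample layout and the attacker input below are constructed for the demo.
"""
import html
import re

# A placeholder in the static layout looks like {{name}}.
PLACEHOLDER = re.compile(r"\{\{\s*([A-Za-z_][A-Za-z0-9_]*)\s*\}\}")
SCRIPT_BLOCK = re.compile(r"<script\b.*?</script\s*>", re.IGNORECASE | re.DOTALL)
EVENT_HANDLER = re.compile(r"\bon[a-z]+\s*=\s*(\"[^\"]*\"|'[^']*'|[^\s>]+)",
                           re.IGNORECASE)
UNQUOTED_ATTR = re.compile(r"=\s*\{\{")
URL_ATTR_START = re.compile(r"\b(href|src|action|formaction)\s*=\s*[\"']?\s*\{\{",
                            re.IGNORECASE)


def check_layout(layout: str) -> None:
    """Reject placeholders in contexts where HTML entity encoding is not enough.

    The layout is supposed to be static, so this is a one-time check on the
    template itself, not on the untrusted content.
    """
    for m in SCRIPT_BLOCK.finditer(layout):
        if PLACEHOLDER.search(m.group(0)):
            raise ValueError("placeholder inside <script>: HTML encoding is "
                             "not a JavaScript string escape")
    for m in EVENT_HANDLER.finditer(layout):
        if PLACEHOLDER.search(m.group(0)):
            raise ValueError("placeholder inside an event-handler attribute")
    if UNQUOTED_ATTR.search(layout):
        raise ValueError("placeholder in an unquoted attribute value")
    if URL_ATTR_START.search(layout):
        raise ValueError("placeholder at the start of a URL attribute: the "
                         "scheme must be validated, encoding is not enough")


def layout_is_safe(layout: str) -> bool:
    """Boolean wrapper around check_layout for callers that prefer no exception."""
    try:
        check_layout(layout)
        return True
    except ValueError:
        return False


def render(layout: str, content: dict) -> str:
    """Merge layout and content; every content value is HTML-encoded here and
    nowhere else, so the page author never has to remember to do it."""
    check_layout(layout)

    def substitute(m: "re.Match[str]") -> str:
        name = m.group(1)
        if name not in content:
            raise KeyError(f"layout refers to unknown content field {name!r}")
        # quote=True also encodes " and ', so quoted attribute values are safe.
        return html.escape(str(content[name]), quote=True)

    return PLACEHOLDER.sub(substitute, layout)


def render_naive(layout: str, content: dict) -> str:
    """The ASP/PHP/JSP-style merge the post criticises: raw concatenation,
    encoding left to the programmer (and here forgotten).  Kept only for
    comparison; do not use."""
    return PLACEHOLDER.sub(lambda m: str(content[m.group(1)]), layout)


# Constructed static layout: no user-, database- or file-derived data in it.
LAYOUT = """<html><head><title>{{title}}</title></head>
<body><h1>Hello, {{user}}</h1>
<p>You searched for: <input name="q" value="{{query}}"></p>
</body></html>"""

# Constructed attacker-controlled content: one element-text payload and one
# attribute-breakout payload.
EVIL = {
    "title": "Search",
    "user": "<script>alert(1)</script>",
    "query": '" onmouseover="alert(2)',
}

# Constructed layouts the merger must refuse.
BAD_SCRIPT_LAYOUT = "<script>var who = '{{user}}';</script>"
BAD_HANDLER_LAYOUT = '<a onclick="go(\'{{user}}\')">x</a>'
BAD_URL_LAYOUT = '<a href="{{target}}">login</a>'

if __name__ == "__main__":
    print(render(LAYOUT, EVIL))
    print("naive merge is unsafe:", "<script>alert(1)" in render_naive(LAYOUT, EVIL))
    for bad in (BAD_SCRIPT_LAYOUT, BAD_HANDLER_LAYOUT, BAD_URL_LAYOUT):
        print("rejected layout:", not layout_is_safe(bad))
```

Note that the encoding decision lives in `render` only; the page author supplies a layout and a content dictionary and has no opportunity to forget a call. The layout check is what makes "HTML encode every single part" an honest guarantee: it refuses the positions (script bodies, event handlers, unquoted attributes, URL starts) where the same untrusted string would need a different escape or outright validation, which is also the situation Marvin's `Server` example falls into.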
Current thread:
- CROSS SITE-SCRIPTING Protection with PHP Astalavista Baby (Oct 10)
- Re: CROSS SITE-SCRIPTING Protection with PHP Valdis . Kletnieks (Oct 10)
- Re: CROSS SITE-SCRIPTING Protection with PHP Marvin Simkin (Oct 11)
- Re: CROSS SITE-SCRIPTING Protection with PHP Sverre H. Huseby (Oct 12)
- RE: CROSS SITE-SCRIPTING Protection with PHP Rob Shein (Oct 14)
- Re: CROSS SITE-SCRIPTING Protection with PHP Sverre H. Huseby (Oct 14)
- Re: CROSS SITE-SCRIPTING Protection with PHP Sverre H. Huseby (Oct 14)
- Re: CROSS SITE-SCRIPTING Protection with PHP Valdis . Kletnieks (Oct 14)
- Re: CROSS SITE-SCRIPTING Protection with PHP Dan Kaminsky (Oct 14)
- Hashes,File protection,etc Dave Aitel (Oct 14)
- Re: Hashes,File protection,etc Dan Kaminsky (Oct 14)
- Re: Hashes,File protection,etc Dave Aitel (Oct 14)
- /instmsg/alias/annoying_web_logs ;) H D Moore (Oct 15)
- Re: /instmsg/alias/annoying_web_logs ;) zeno (Oct 15)
- Re: CROSS SITE-SCRIPTING Protection with PHP Marvin Simkin (Oct 11)
- Re: CROSS SITE-SCRIPTING Protection with PHP Valdis . Kletnieks (Oct 10)