
All the Perl that's Practical to Extract and Report

  • Do I get it right that with AxKit it is impossible to inject new tags into output? If yes, then it makes making XSS holes much harder but not impossible, because XSS is not just injection of dangerous tags into output. Imagine for example a public web service that lets people exchange URLs (let's call it "Shared bookmarks"). An obvious possible XSS hole is not verifying the schema part of the submitted URL to be clear of dangerous schemas like 'javascript'. I doubt AxKit can automatically protect from this kind of
    --

    Ilya Martynov (http://martynov.org/ [martynov.org])

    • You're absolutely right, and I'm no security expert, so just how much damage can you do with the javascript: scheme? Is it limited to one function call, or can you chain lots of javascript into one method.
      • At least with Mozilla you can chain several function calls. BTW there are other types of XSS attacks which, as I understand, AxKit cannot protect from. Like arbitrary user input passed into response HTTP headers.
        --

        Ilya Martynov (http://martynov.org/ [martynov.org])

        • arbitrary user input passed into response HTTP headers.

          Mind explaining how this works? I still don't know enough about XSS, but it's a technique that has fascinated me ever since I watched Jeffrey Baker demo it at the Open Source Conference 2.5 years ago.
          • Take this perl CGI for example:

            use strict;
            use warnings;
            use CGI;

            my $cgi = CGI->new;
            # print headers (the cookie value is copied into the header unchecked)
            print "Content-type: text/html\n";
            print "Set-Cookie: cookie=" . $cgi->param('cookie') . "\n";
            print "\n";
            # print content
            print "<html>.....</html>";

            An attacker can pass as the value of the "cookie" parameter something like "\n\n<javascript>....</javascript>" so this CGI ends up printing:

            Content-type: text/html
            Set-Cookie: cookie=

            <javascript>...</javascript>

            <html>.....</html>

            See? Since arbitrar

            --

            Ilya Martynov (http://martynov.org/ [martynov.org])
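The two holes discussed in this thread (a "javascript:" scheme in a shared bookmark, and a newline in a value copied into a response header) both come down to validating input before it reaches the output channel. Below is an added example, not code from the thread, showing the header-printing CGI above rewritten so both values are checked; the helpers safe_header_value and safe_bookmark_url and the "url" parameter are assumptions for the example.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use CGI;

# Assumed helper, not from the thread: reject any header value containing
# CR or LF. A bare newline is what lets the attacker close the header
# block early and smuggle markup into the response body.
sub safe_header_value {
    my ($value) = @_;
    return undef unless defined $value;
    return undef if $value =~ /[\r\n]/;
    return $value;
}

# Assumed helper, not from the thread: for the "shared bookmarks" case,
# accept only http:// and https:// links, so a stored "javascript:" URL
# can never end up inside an href attribute.
sub safe_bookmark_url {
    my ($url) = @_;
    return undef unless defined $url;
    return undef unless $url =~ m{\A https?:// [^\s<>"']+ \z}ix;
    return $url;
}

my $cgi    = CGI->new;
my $cookie = safe_header_value($cgi->param('cookie'));
my $link   = safe_bookmark_url($cgi->param('url'));

# Refuse the request outright rather than trying to "clean" the values.
unless (defined $cookie && defined $link) {
    print "Status: 400 Bad Request\r\n";
    print "Content-type: text/plain\r\n\r\n";
    print "rejected: cookie or url parameter is malformed\n";
    exit 0;
}

# Headers are terminated with CRLF, and the value has no line breaks.
print "Content-type: text/html\r\n";
print "Set-Cookie: cookie=$cookie\r\n";
print "\r\n";

# escapeHTML() is CGI.pm's own entity-escaping routine; it handles the
# body text, while the scheme check above handles the href value itself.
print "<html><body><a href=\"", $cgi->escapeHTML($link),
      "\">bookmark</a></body></html>\n";
```

With the thread's payload ("\n\n<javascript>...") the cookie check fails and the script answers 400 instead of emitting the attacker's text after the header block.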