use Perl

• I hate to be pessimistic but ... (Score:1)

  by IlyaM (2933)

  Do I get it right that with AxKit it is impossible to inject new tags into output? If yes, then it makes making XSS holes much harder but not impossible cause XSS it is not just injection of dangerous tags into output. Imagine for example public web service that let's people to exchange URL's (let's call it "Shared bookmarks"). Obvious possible XSS hole is not verifying schema part of submited URL to be clear from dangerous schemas like 'javascript'. I doubt AxKit can automatically protect from this kind of

  --
  

  Ilya Martynov (http://martynov.org/ [martynov.org])
  • Re:I hate to be pessimistic but ... (Score:2)

    by Matts (1087)

    You're absolutely right, and I'm no security expert, so just how much damage can you do with the javascript: scheme? Is it limited to one function call, or can you chain lots of javascript into one method.
    • Re:I hate to be pessimistic but ... (Score:1)

      by IlyaM (2933) <ilya@martynov.org> on 2003.01.25 15:52 (#16382) Homepage Journal

      At least with Mozilla you can chain several function calls. BTW there are other types of XSS attacks which as I understand AxKit cannot protect from. Like arbitrary user input passed into response HTTP headers.

      --
      

      Ilya Martynov (http://martynov.org/ [martynov.org])

      Reply to This

      Parent

      • Re:I hate to be pessimistic but ... (Score:2)

        by Matts (1087)

        arbitrary user input passed into response HTTP headers.
        
        Mind explaining how this works? I still don't know enough about XSS, but it's a technique that has fascinated me ever since I watched Jeffrey Baker demo it at the Open Source Conference 2.5 years ago.
        • Re:I hate to be pessimistic but ... (Score:1)

          by IlyaM (2933)

          Take this perl CGI for example:

          my $cgi = CGI->new;
          # print headers
          print "Content-type: text/html\n";
          print "Set-Cookie: cookie=" . $cgi->param('cookie') . "\n";
          print "\n";
          # print content
          print "<html>.....</html>";

          Attacker can pass as value of "cookie" parameter something like "\n\n<javascript>....</javascript>" so this CGI ends up printing:

          Content-type: text/html
          Set-Cookie: cookie=
          
          <javascript>...</javascript>
          
          <html>.....</html&g t;

          See? Since arbitrar

          --
          

          Ilya Martynov (http://martynov.org/ [martynov.org])
          • Re:I hate to be pessimistic but ... (Score:2)

            by Matts (1087)

            That's not possible with AxKit. You can only add headers with $r->headers_out->add() or the Cookie taglib (which uses headers_out underneath). Creating cookies with the cookie taglib automatically encodes and decodes them.
            • Re:I hate to be pessimistic but ... (Score:2)

              by Matts (1087)

              Ah, wait a minute. $r->headers_out->add() is vulnerable to this problem.
              
              Most interesting.