[Twisted-Python] Five Crazy Ideas to Start Your Week
Andrew Bennetts
andrew-twisted at puzzling.org
Tue Oct 8 17:49:25 MDT 2002
On Tue, Oct 08, 2002 at 08:08:14PM +0300, Tommi Virtanen wrote:
> On Tue, Oct 08, 2002 at 02:04:24AM -0500, Glyph Lefkowitz wrote:
>
> > 2. Automatic XSS input scrubbing for Woven
> > ==========================================
[..snip..]
> > - attributes on other HTML tags, such as onmouseover, that execute js
> > expressions
> >
> > Catalogue these and scrub them all off.
> >
> > - <img /> or <object /> tags that automatically download other
> > items, which may be webpages containing javascript.
> >
> > Again, don't allow these tags. Or, have the server-side site download the
> > images and verify that they are PNGs (alternately also doing PIL stuff to
> > remove steganographic information, if you're _really_ paranoid).
>
> Your basic problem here is that you are trying to disallow
> things you know are not safe. That assumes you are omnipotent.
> While not contesting that, I still feel the only sane
> architecture is to catalogue known safe things, and only allow
> those. Something like a DTD/schema should do the job.
Agreed. You need a whitelist to do this 100%, not a blacklist. New
browser versions invent new ways of injecting js into HTML, so a
blacklist can never hope to be complete. BugTraq has seen this every
time a major new browser version is released. Also be aware of nasty
tricks like "onmouse&x6f;ver" or however it is you can encode random
ascii (or unicode!) entities -- most browsers will still understand
that. Your filter needs to as well.
I think there may be a fundamental flaw to filtering this with Woven.
Woven assumes correctly formed XML. Browsers will still execute js on a
page that is HTML (or even HTML-ish!), even if it isn't XML. That
already means there's probably tricks that lie outside the set of what
Woven can deal with -- though perhaps Woven can't generate them in the
first place?
If you intend to build XSS protection into Woven, I strongly recommend
you look through BugTraq's archives to get some idea of the wide variety
of techniques that can be involved -- in fact, I think they've started a
separate mailing list for XSS now.
-Andrew.
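As an added example of the allow-list approach argued for above (this is not code from the original thread, nor from Twisted or Woven), here is a small sanitizer in Python built on the standard library's html.parser. Only listed tags and attributes survive; everything else is dropped without the filter ever having to recognise the trick that was used. The tag list, the allowed URL schemes and the sample inputs are assumptions constructed for the demonstration.

```python
"""Allow-list HTML sanitizer on the standard-library parser (example code).

Everything not explicitly listed is dropped; the filter never needs to know
which trick an attacker used, because it only asks "is this on the list?".
"""
import html
import re
from html.parser import HTMLParser

# Allow-list: tag -> attributes that tag may carry.  These sets are assumptions
# chosen for the example; a real site would tune them to its own markup.
ALLOWED_TAGS = {
    "p": set(), "br": set(), "b": set(), "i": set(), "em": set(),
    "strong": set(), "ul": set(), "ol": set(), "li": set(),
    "code": set(), "pre": set(), "blockquote": set(),
    "a": {"href", "title"},
}
VOID_TAGS = {"br"}                      # emitted as <br />, never left open
URL_ATTRS = {"href"}                    # values that must pass safe_url()
ALLOWED_SCHEMES = {"http", "https", "mailto"}
DROP_CONTENT = {"script", "style"}      # drop the tag *and* the text inside it

# Characters browsers ignore inside a scheme (NUL, tab, newline, spaces, DEL).
_IGNORABLE = re.compile(r"[\x00-\x20\x7f]")


def safe_url(value):
    """Return a cleaned URL if its scheme is allowed or it is relative, else None.

    Entities are decoded and ignorable characters removed *before* the scheme
    check, so "&#106;ava&#09;script:" is judged the way a browser would see it.
    """
    cleaned = _IGNORABLE.sub("", html.unescape(value))
    head = cleaned.split("/", 1)[0].split("?", 1)[0].split("#", 1)[0]
    if ":" in head:                     # absolute URL: the scheme precedes the colon
        scheme = head.split(":", 1)[0].lower()
        if scheme not in ALLOWED_SCHEMES:
            return None
    return cleaned


class WhitelistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)   # text arrives decoded; we re-escape it
        self.out = []
        self._open = []          # allowed tags currently open, so output stays balanced
        self._skipping = False   # inside <script>/<style>: discard the text

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self._skipping = True
            return
        allowed_attrs = ALLOWED_TAGS.get(tag)
        if allowed_attrs is None:
            return                       # unlisted tag: the tag goes, its text stays
        parts = [tag]
        for name, value in attrs:
            # Compare the *decoded* name: "onmouse&#x6f;ver" becomes "onmouseover",
            # which is not on the list either, so it is dropped both ways.
            name = html.unescape(name).lower()
            if name not in allowed_attrs:
                continue
            value = "" if value is None else value
            if name in URL_ATTRS:
                value = safe_url(value)
                if value is None:
                    continue             # bad scheme: drop the attribute, keep the tag
            parts.append('%s="%s"' % (name, html.escape(value, quote=True)))
        if tag in VOID_TAGS:
            self.out.append("<%s />" % " ".join(parts))
        else:
            self.out.append("<%s>" % " ".join(parts))
            self._open.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self._skipping = False
            return
        if tag not in self._open:
            return                       # stray or unlisted close tag: ignored
        while self._open:                # close anything still open inside it
            t = self._open.pop()
            self.out.append("</%s>" % t)
            if t == tag:
                break

    def handle_data(self, data):
        if not self._skipping:
            self.out.append(html.escape(data, quote=False))

    def result(self):
        while self._open:                # balance tags the input never closed
            self.out.append("</%s>" % self._open.pop())
        return "".join(self.out)


def sanitize(fragment):
    """Return a version of `fragment` containing only allow-listed markup."""
    p = WhitelistSanitizer()
    p.feed(fragment)
    p.close()
    return p.result()


if __name__ == "__main__":
    # Constructed inputs, each carrying one of the tricks discussed in the thread.
    for sample in (
        '<p onmouse&#x6f;ver="alert(1)">hi</p>',
        '<a href="&#106;ava&#09;script:alert(1)">x</a>',
        '<script>alert(1)</script><img src=x onerror=alert(1)>bold <b>text',
        '<a href="https://example.org/?q=1&amp;r=2">ok</a> &lt;script&gt;',
    ):
        print(sanitize(sample))
```

Two design points are worth noting. Text inside an unlisted tag such as `<object>` is kept but escaped, so a dropped tag can never turn its contents into markup; `<script>` and `<style>` are the exception, because their bodies are code rather than prose. And because the output is regenerated from the parse tree rather than copied through, malformed or "HTML-ish" input (unbalanced tags, unquoted attributes, stray close tags) comes out as well-formed markup containing only the listed elements.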