Slashdot Mirror


Reddit Javascript Exploit Spreading Virally

Nithendil writes "guyhersh from reddit.com describes the situation (warning: title NSFW): Based on what I've seen today, here's what went down. Reddit user Empirical wrote javascript code where if you copied and pasted it into the address bar, you would instantly spam that comment by replying to all the comments on the page and submitting it. Later xssfinder posted a proof of concept where if you hovered over a link, it would automatically run a Javascript. He then got the brilliant idea to combine the two scripts together, tested it and it spread from there."

239 comments

  1. Is this good news or bad? by Anonymous Coward · · Score: 4, Funny

    I don't know. Sounds good!!

    1. Re:Is this good news or bad? by ArsenneLupin · · Score: 0, Flamebait

      It's good news.

      Indeed, it will educate people to surf with javascript turned off, and it will hopefully educate webmasters to stop programming their sites in a way that requires javascript even for basic functionality.

    2. Re:Is this good news or bad? by pla · · Score: 5, Insightful

      it will hopefully educate webmasters to stop programming their sites in a way that requires javascript even for basic functionality.

      *cough*Slashdot*cough*

    3. Re:Is this good news or bad? by Anonymous Coward · · Score: 5, Insightful

      No, it won't. The other 6 million javascript exploits didn't do that. What makes you think this one will?

    4. Re:Is this good news or bad? by SanityInAnarchy · · Score: 5, Insightful

      Just as exploits in the image processing components of web browsers will hopefully educate people to surf in Lynx? Or exploits in their HTML rendering will hopefully educate people to surf by piping wget through less?

      This was not because of Javascript, nor is Javascript going away because of this.

      --
      Don't thank God, thank a doctor!

    5. Re:Is this good news or bad? by SanityInAnarchy · · Score: 1

      It seems to work without Javascript, though it's usually faster with the script.

      --
      Don't thank God, thank a doctor!

    6. Re:Is this good news or bad? by corbettw · · Score: 2, Informative

      Slashdot doesn't require Javascript. If it's turned off, you get sent to the classic POST form of yesteryear.

      --
      God invented whiskey so the Irish would not rule the world.

    7. Re:Is this good news or bad? by Anonymous Coward · · Score: 0

      Indeed, it will educate people to surf with javascript turned off, and it will hopefully educate webmasters to stop programming their sites in a way that requires javascript even for basic functionality.

      That's what some of us have been saying since Netscape first spawned a pop-up ad, some 15 years ago.

      The only response (Netscape 3 vs. Netscape 4, and all versions of IE until IE7.) was to bury the "Disable Javascript" option a little bit deeper into the menus.

      It wasn't until PrefBar came out that I got the single-click togglability for Javashit and Flash that I'd wanted for 15 years.

    8. Re:Is this good news or bad? by Anonymous Coward · · Score: 2, Insightful

      Indeed, it will educate people to surf with javascript turned off, and it will hopefully educate webmasters to stop programming their sites in a way that requires javascript even for basic functionality.

      Anyone who believes this has simply never written a web application. Javascript and cookies are absolutely essential to any web programmer who wishes to have any type of dynamic content on a page. It annoys me to no end when someone says the solution to security holes is to turn these features off. The solution is for programmers to stop being idiots and write secure code, both in web applications and in the browsers themselves.

    9. Re:Is this good news or bad? by Anonymous Coward · · Score: 0

      I just want to remind you that the latest frenzy in most of the mainstream browsers is blazing javascript speed, boasting about it and improving it with each release... so this kind of exploit spreads even faster.

    10. Re:Is this good news or bad? by Anonymous Coward · · Score: 1, Insightful

      Anyone who believes this has simply never written a web application. Javascript and cookies are absolutely essential to any web programmer who wishes to have any type of dynamic content on a page. It annoys me to no end when someone says the solution to security holes is to turn these features off.

      Wrong. We're not ignorant, we just think that "dynamic content" isn't important or useful.

    11. Re:Is this good news or bad? by Anonymous Coward · · Score: 5, Insightful

      As a web developer, I beg to differ. There is absolutely no excuse for writing a page that doesn't 'fail gracefully' when javascript isn't present. Let's face it, for every reputable page out there (att.net, youtube.com, etc) there are a hundred others designed by average joe-schmo web programmers. And lord only knows if they designed their page securely, and lord only knows if someone has hacked them and injected malicious scripts. I seem to recall hearing a few weeks ago that the majority of malicious scripts were being put into hollywood celebrity gossip sites that people were hitting off their google searches.

      For me, the solution is to just whitelist the sites I visit frequently, only allowing scripts/cookies when I know they can be trusted. I'm not saying that you shouldn't design without javascript, but I am saying that you shouldn't assume that everyone visiting your page is going to have it. Besides, how hard is it to write a page that vomits up its contents in a readable form when the javascript doesn't run to position all the css objects? It doesn't have to look pretty, but it should be usable.

    12. Re:Is this good news or bad? by ultranova · · Score: 4, Insightful

      Just as exploits in the image processing components of web browsers will hopefully educate people to surf in Lynx? Or exploits in their HTML rendering will hopefully educate people to surf by piping wget through less?

      There's a huge difference in complexity between image/HTML renderer and Javascript. Image file formats and HTML pages are not Turing complete, while Javascript is. Consequently, the former are "safe" in that it's possible to prove that a particular implementation is free of exploits that would allow running arbitrary code, while Javascript by definition can never be; the whole point of Javascript is to allow arbitrary code execution, so the best you could ever prove is that the code never leaves the confines of the Web browser - but having a script post comments does not require that.

      This was not because of Javascript, nor is Javascript going away because of this.

      Yes, this was because of Javascript, but no, sadly it won't be going away.

      --

      Forget magic. Any technology distinguishable from divine power is insufficiently advanced.

    13. Re:Is this good news or bad? by Anonymous Coward · · Score: 0

      Yeah, a full post back for every operation a user may need to do is a much better approach.

    14. Re:Is this good news or bad? by aardvarkjoe · · Score: 4, Insightful

      The solution is for programmers to stop being idiots

      Any proposal that relies on any group of people to not be idiots is doomed to failure.

      --

      How can we continue to believe in a just universe and freedom to eat crackers if we have no ale?

    15. Re:Is this good news or bad? by Nicolay77 · · Score: 1

      It has Pavlov-reinforced in me the idea that Opera is safer than other browsers.

      --
      We are Turing O-Machines. The Oracle is out there.

    16. Re:Is this good news or bad? by slack_justyb · · Score: 1

      The solution is for programmers to stop being idiots and write secure code

      Yeah because that mantra has really caught on, especially with Microsoft employees.

      Face it, programs are written by people, people are made to f*** up on epic scale, therefore, you need to be ready to handle epic f*** ups or just not play ball. Granted you don't get the same dynamic experience but that's the trade off. I'm sure the guy you're quoting understands that.

    17. Re:Is this good news or bad? by ultranova · · Score: 3, Insightful

      Anyone who believes this has simply never written a web application. Javascript and cookies are absolutely essential to any web programmer who wishes have any type of dynamic content on a page.

      So by advising people to disable Javascript, I'm doing my part for killing off "Web Applications" and getting us back to good old Web Pages. Excellent.

      Seriously, why would I want "dynamic content" when all that really means is a thousand pauses as more data is fetched? Give me static pages whenever possible. Better yet, give me a single large static page rather than a dozen small pages, so I don't have to wait while the next page is being loaded and rendered.

      The solution is for programmers to stop being idiots and write secure code, both in web applications and in the browsers themselves.

      The solution is to understand that most web sites are not applications, from the user's point of view, and stop stuffing them full of scripts that do nothing but slow things down.

      --

      Forget magic. Any technology distinguishable from divine power is insufficiently advanced.

    18. Re:Is this good news or bad? by schon · · Score: 1

      it's usually faster with the script.

      Hi there - you must have just popped in from some alternate universe... did Michael Jackson die there too? Was he black?

      In this universe, the speed with javascript is noticeably slower - in many cases it's so slow as to be unusable. I've tried it from both my home and work desktops (quad-core, 4 and 8GB of RAM respectively), and from my Netbook (EeePC 901). It's *always* slower with javascript enabled.

    19. Re:Is this good news or bad? by not+already+in+use · · Score: 3, Insightful

      It's 2009. We should be able to use the internet the way it is intended, with javascript. Javascript isn't the problem, poor programming on reddit's behalf is the problem.

      --
      Similes are like metaphors

    20. Re:Is this good news or bad? by Idiomatick · · Score: 4, Insightful

      This isn't a lesson about javascript. It is a lesson we should have learned from Bobby Tables a long time ago. This shouldn't have been possible regardless of javascript.

      For those not in the know: http://xkcd.com/327/

    21. Re:Is this good news or bad? by avatar_charlie · · Score: 1

      That'll be the day. You could kiss gmail and all the photo-upload sites goodbye immediately, as well as a TON of other sites....and as noted below, this site as well.

      This issue serves to raise some legitimate concerns, but it should not be used to further an ideological "anything other than HTML/CSS is bad" mentality. And with all the interests arrayed against such a mentality, it wouldn't happen in any case.

      The average user isn't going to associate the words "javascript exploit" with "Oh, I need to change settings in my browser". Even the user base of reddit, tech oriented as it is, isn't going to change basic settings and habits to avoid such a problem. Instead, Reddit will patch its hole, and everyone will get on with their day.

      Case in point, I'm simply going to avoid Reddit for the rest of the day. Simple problem, simpler cure....

    22. Re:Is this good news or bad? by lysergic.acid · · Score: 2, Insightful

      What exactly does being Turing complete have to do with it? If a scripting language weren't Turing complete, but had direct read/write access to your file system, would it be any safer than JS?

      The problem with Reddit isn't JavaScript but rather their markdown implementation. And the security threat here isn't to the user whose system is running the JS, but instead to the Reddit site. If you're using an up-to-date & secure browser, there's typically minimal risk to enabling JavaScript. That JavaScript can sometimes be used to do mischievous things is a reason why site owners should not recklessly allow JavaScript to be posted by untrusted users—just as you wouldn't want to allow unfiltered HTML code to be posted by untrusted users.

      If someone posts a link on Slashdot, and that link eventually gets Slashdotted, then does that mean hyperlinks are inherently unsafe and need to be disabled, or just that some common sense precautions need to be taken when using them?

    23. Re:Is this good news or bad? by k8to · · Score: 1

      Hooray for ultranova.

      There's a few rare cases where I actually want a web application. Most of the web applications I view as totally useless or inferior to native applications.

      Most web pages aren't even bad web applications, they're just WEB PAGES. Don't require javascript to do amazingly trivial things like.. load the content.

      --
      -josh

    24. Re:Is this good news or bad? by mcgrew · · Score: 1

      <script id="before-content" type="text/javascript">
      var pageload = {
              pagemark: '521513116996487867',
              before_content: (new Date).getTime()
      };
      function pageload_done( $, console, maybe ){
              pageload.after_readycode = (new Date).getTime();
              pageload.content_ready_time = pageload.content_ready - pageload.before_content;
              pageload.script_ready_time = pageload.after_readycode - pageload.content_ready;
              pageload.ready_time = pageload.after_readycode - pageload.before_content; // Only report 1% of cases.
              maybe || (Math.random()>0.01) || $.ajax({ data: {
                      op: 'page_profile',
                      pagemark: pageload.pagemark,
                      dom: pageload.content_ready_time,
                      js: pageload.script_ready_time
              } });
      }
      </script>

      Well, that looks like useful javascript to me.

      <link rel="stylesheet" rev="stylesheet" href="//c.fsdn.com/sd/idlecore-tidied.css?T_2_5_0_272c" media="screen">

      But it looks like that stylesheet is overridden by this:

      <!--[if IE 7]><link rel="stylesheet" type="text/css" media="screen" href="//c.fsdn.com/sd/ie7-idle.css?T_2_5_0_272c" /><![endif]-->
      <!--[if lt IE 7]><link rel="stylesheet" type="text/css" media="screen" href="//c.fsdn.com/sd/ie6-idle.css?T_2_5_0_272c" /><![endif]-->
      <!--[if gte IE 8]><link rel="stylesheet" type="text/css" media="screen" href="//c.fsdn.com/sd/ie8-idle.css?T_2_5_0_272c" /><![endif]-->

      I'm glad I looked at the source -- it seems I might be able to disable idle code by disabling javascript. I'll have to give it a try.

      But to the /. coders' credit, they don't do any stupid crap like having javascript links when a simple <a href="http://www.somerandomwebpage.url">Some random web page</a> would do.

    25. Re:Is this good news or bad? by Anonymous Coward · · Score: 0

      Then perhaps you'd like to head down to your local library, you might find books a bit more appealing than computers...

    26. Re:Is this good news or bad? by Lord+Bitman · · Score: 1

      Okay, you go design a standard which can achieve "basic functionality" without javascript, and then we'll talk.
      Oh right, that standard was "HTML Frames", and those were near-universally despised.

      --
      -- 'The' Lord and Master Bitman On High, Master Of All

    27. Re:Is this good news or bad? by Anonymous Coward · · Score: 0

      Wrong. We're not ignorant, we just think that "dynamic content" isn't important or useful.

      You've never actually been paid to create a web page, have you? (at least, not in the last five years)

    28. Re:Is this good news or bad? by Anonymous Coward · · Score: 0

      It is a lesson we should have learned from Bobby Tables a long time ago.

      Yes, damnit. And there's more types of injection out there than just JS or SQL!

      This subject resurfaces again and again on Slashdot and every time there's blame flying all over the place. It's very simple: escape the JavaScript! If you do it in a centralized manner for ALL the data you pass into HTML then you don't have to worry about isolated incidents.

    29. Re:Is this good news or bad? by SanityInAnarchy · · Score: 1

      the former are "safe" in that it's possible to prove that a particular implementation is free of exploits that would allow running arbitrary code, while Javascript by definition can never be

      You don't think it's possible to formally prove a sandbox? Or you only think it's possible to formally prove a sandbox that's not Turing-complete?

      --
      Don't thank God, thank a doctor!

    30. Re:Is this good news or bad? by SanityInAnarchy · · Score: 3, Interesting

      Hi there - you must have just popped in from some alternate universe

      Yep. It's called Google Chrome -- or, more accurately, the Chromium nightly. Javascript executes quickly, and I don't have to wait for an entire separate page to load. Additionally, if I have to wait, the "submit" button has a countdown timer.

      And regardless of speed, it is convenient to have that much more context on the page. For example, right now, I can see your post and mine, and I can expand the parents if I need to. If I was replying from the main discussion, I could scroll up to see the whole discussion. Yes, I know about tabs, but even switching with keyboard shortcuts isn't as nice as being able to actually see a few posts of context as I type.

      In this universe, the speed with javascript is noticeably slower - in many cases it's so slow as to be unusable.

      Which browser?

      --
      Don't thank God, thank a doctor!

    31. Re:Is this good news or bad? by lwsimon · · Score: 2, Interesting

      Amen. I've gotten into the habit of structuring the document, outputting the data into readable form, then using CSS and JS to make it look and behave how I want it to.

      There are some pages where "no access without javascript" is acceptable - but they are few and far between. For the most part, you should be able to use Lynx and view the content.

      --
      Learn about Photography Basics.

    32. Re:Is this good news or bad? by insertwackynamehere · · Score: 1

      hey 2001 called they want their rhetoric back

    33. Re:Is this good news or bad? by sexconker · · Score: 1

      In theory you can prove a sandbox is secure.
      The actual code for its implementation? Nope.

      Also, I've never seen a sandbox without sand all around outside of it. It's a terrible name, though apt, as there are indeed exploits for sandboxes, and as they become more popular, more exploits will follow.

      The sand must flow, or some such.

    34. Re:Is this good news or bad? by jbezorg · · Score: 3, Insightful

      Yes, this was because of Javascript, but no, sadly it won't be going away.

      So, all bots that crawl forums to spam them are Javascript? Honestly, if Javascript could do this, I wonder what a more complex bot could have done. Are we all going to lament about the programming language that some forum bot was written in? C? Python?

      "Yes, this was because of C, but no, sadly it won't be going away."

      Can't see why people get such a hardon bashing Javascript. "Because it's not a real programming language!"? I guess it's the same mentality that leads people to bash PHP, Perl, Ruby, ASP, etc. etc.

      I look at it this way. Javascript is a tool and bad programming is bad programming and sadly, bad programming won't be going away.

      --
      I've lost all my marbles except one & It's fun to test angular & centripetal acceleration in my skull

    35. Re:Is this good news or bad? by 0123456 · · Score: 1

      We should be able to use the internet the way it is intended, with javascript.

      Wow, I never realised that the Internet was designed as a platform for running Javascript. You learn something new every day here on Slashdot.

    36. Re:Is this good news or bad? by Anonymous Coward · · Score: 0

      I've never used Javascript for slashdot
      It's always worked out fine for me

    37. Re:Is this good news or bad? by naasking · · Score: 1

      Well, neither cookies nor JavaScript are strictly necessary. REST demonstrates that URLs suffice. JavaScript certainly makes it more pleasant, and cookies can be used to address some usability problems (though they are currently abused).

    38. Re:Is this good news or bad? by FingerSoup · · Score: 1

      Apparently people think that their computers' processing power is too valuable for Javascript.... I'M NOT LETTING THAT RUN! NOT ON MY COMPUTER!!!!!

      Of course, security should not be left in client-side only, but for trivial tasks such as AJAX or other dynamic rendering schemes, there's no reason to stop using it.

    39. Re:Is this good news or bad? by Just+Some+Guy · · Score: 1, Insightful

      Image file formats and HTML pages are not Turing complete

      Hey, ultranova! I'd like you to meet my friend, PostScript.

      Consequently, the former are "safe" in that it's possible to prove that a particular implementation is free of exploits that would allow running arbitrary code,

      Mr. Hofstadter has the most interesting record player...

      I know what you mean on a non-literal level, but you have some interesting definitions of "safe" and "prove" that don't match well with computer science.

      --
      Dewey, what part of this looks like authorities should be involved?

    40. Re:Is this good news or bad? by spike2131 · · Score: 3, Insightful

      There is absolutely no excuse for writing a page that doesn't 'fail gracefully' when javascript isn't present.

      Yes there is. Making your page fail gracefully takes extra time and resources, which could be put to better use than supporting the 1% of users who choose to handicap their browsers by turning off javascript.

      Failing gracefully is an important concern, but it's not the only concern, and should be balanced against other priorities.

      --
      SpyDock: Scientific Python in a Docker container

    41. Re:Is this good news or bad? by Anonymous Coward · · Score: 1, Interesting

      What about "failing gracefully because if your customer is big and important enough, it means enough people will care and it can lead to class action suits for violating section 501 in the US if it's too disgraceful for a screen reader to work"

    42. Re:Is this good news or bad? by RAMMS+EIN · · Score: 1

      ``There's a huge difference in complexity between image/HTML renderer and Javascript. Image file formats and HTML pages are not Turing complete, while Javascript is. Consequently, the former are "safe" in that it's possible to prove that a particular implementation is free of exploits that would allow running arbitrary code, while Javascript by definition can never be; the whole point of Javascript is to allow arbitrary code execution''

      Err, no. There is a huge difference between being Turing complete, unsafe, and allowing arbitrary code execution. In particular, being Turing complete does not imply being unsafe. Sure, you may be able to compute any function ... but without primitives in your language that affect the outside world, your language will not be unsafe.

      Also, a good Javascript engine will not allow the execution of arbitrary code, but only of code that is actually in the program being run. What you probably meant to say is not "arbitrary code execution", but "cross-site scripting": the fact that Eve can post code on Alice's website that causes Bob's computer to do naughty things.

      --
      Please correct me if I got my facts wrong.

    43. Re:Is this good news or bad? by Anonymous Coward · · Score: 0

      Pfft. I already knew that Slashdot was infested with idiots.

    44. Re:Is this good news or bad? by Anonymous Coward · · Score: 0

      Wrong. We're not ignorant, we just think that "dynamic content" isn't important or useful.

      Mr Stallman, is that you?

    45. Re:Is this good news or bad? by blowdart · · Score: 3, Informative

      No it's not. The Reddit hack was a Cross Site Scripting attack made possible by bugs in their markdown implementation which let javascript through the parser. It was not a SQL injection attack, it did not attack the database directly, no commands were run to directly put data into the database. It's an entirely different vector and an entirely different vulnerability, all the stored procedures, escaping of apostrophes and parametrised SQL in the world would not have stopped this.

    46. Re:Is this good news or bad? by Anonymous Coward · · Score: 0

      Yay for letting handicapped and blind people bring progress in IT to a screeching halt circa 1997.

    47. Re:Is this good news or bad? by inKel · · Score: 1

      I think you are quite right, the problem is not JavaScript, but poor programming.

      --
      0 1 1 2 3 5 8 13 21 34 55 ...

    48. Re:Is this good news or bad? by psydeshow · · Score: 2, Insightful

      The idea is to build the page in fail-state first, and then use JavaScript to enhance it. Or in other words, build your DOM and then restyle, add event listeners, etc.

      It doesn't take extra time, and it's a great technique for future-proofing your pages. It also makes them accessible to people who, for whatever reason, can't take advantage of teh javascript. If your website is in the US, and is big enough for anyone to care, ADA compliance pretty much requires it.

    49. Re:Is this good news or bad? by Hatta · · Score: 1

      Just as exploits in the image processing components of web browsers will hopefully educate people to surf in Lynx?

      How many exploits in image processing components of web browsers have there been? I count 4 for raster images. (of course that article is a few years old, have there been any recently?) If there were as many holes in JPG rendering libraries as there have been in javascript, then yes disabling images would be an entirely reasonable solution.

      --
      Give me Classic Slashdot or give me death!

    50. Re:Is this good news or bad? by gstep · · Score: 1

      The web without javascript. That would be awesome...or not! Say goodbye to every single interactive application on the web and enjoy it like it was back in 1994.

    51. Re:Is this good news or bad? by SanityInAnarchy · · Score: 1

      The actual code for its implementation? Nope.

      Then what makes the code for implementing a Turing-complete sandbox inherently less secure than the code for a less-than-Turing-complete sandbox?

      And what does any of this have to do with the exploit TFA mentions? It wasn't about Javascript escaping the client-side sandbox, nor is there any particular reason for users to enable noscript. It was entirely Reddit's fault.

      --
      Don't thank God, thank a doctor!

    52. Re:Is this good news or bad? by Neil+Hodges · · Score: 1

      Well, without JavaScript we could use full-page Java applets to do things. Whether or not that's any good remains to be seen.

      A better idea would be to replace JavaScript with a virtual machine that plays nice with HTML and can allow a compiler to target it without much work.

    53. Re:Is this good news or bad? by horza · · Score: 2, Interesting

      Absolutely right for your personal homepage. A professional web designer would not be able to get away with this. This kind of laziness translates directly into additional support costs for the client. And each time Microsoft recommends turning off Javascript due to a 0-day exploit you are cutting off more than 1%.

      I can't think of any cases where it is ok to not fail gracefully. I hope you are not talking about just using client side validation, one of the most used cases for Javascript but where you must always fail over to doing server side also. Can you give an example?

      Phillip.

    54. Re:Is this good news or bad? by prockcore · · Score: 1

      Says the guy posting on slashdot. Your comment is dynamic content, numbnuts.

    55. Re:Is this good news or bad? by sexconker · · Score: 1

      The fact that the implementation involves everything running on that turing-complete machine.

      I don't give a shit what it has to do with TFA, it has to do with your dumb comment above ("You don't think it's possible to formally prove a sandbox?").

    56. Re:Is this good news or bad? by Anonymous Coward · · Score: 0

      Javashit isn't the way the internet was intended.

    57. Re:Is this good news or bad? by prockcore · · Score: 2, Informative

      Section 501 only applies to government websites, and really, it should apply to crappy screen readers that can't handle javascript.

    58. Re:Is this good news or bad? by Jah-Wren+Ryel · · Score: 1

      Slashdot doesn't require Javascript. If it's turned off, you get sent to the classic POST form of yesteryear.

      There are other parts to slashdot. Last time I tried to change my preferences it was completely unnavigable without javascript and just barely functional, but still a major PITA to use, with javascript. That experience was what prompted me to change my sig.

      --
      When information is power, privacy is freedom.

    59. Re:Is this good news or bad? by ElKry · · Score: 1

      Sand wants to be free?

    60. Re:Is this good news or bad? by Jah-Wren+Ryel · · Score: 2, Insightful

      The problem with Reddit isn't JavaScript but rather their markdown implementation. And the security threat here isn't to the user whose system is running the JS, but instead to the Reddit site.

      Yes that's what makes this case special. Most javascript security problems are externalities to the websites that over-use javascript - they don't normally suffer the consequences of enabling javascript in the browser - the users do. This time the website is paying the price for their poor decisions. Finally the gander is getting goosed.

      If you're using an up-to-date & secure browser, there's typically minimal risk to enabling JavaScript. That JavaScript can sometimes be used to do mischievous things...

      No. Javascript vulnerabilities come in two flavors - exploited bugs and deliberate abuses. All of the web-tracking systems enhance their tracking of people via javascript, simply blocking cookies from 3rd party sites hasn't been sufficient to protect users from such deliberate abuses for many years now. Then there are the increasingly more common zero-day exploits that are installed via other vulnerabilities in a web-server that no amount of "regular updates" will protect users from.

      There is a reason NoScript is the #2 most popular firefox plugin with over 54 million downloads - that reason is because javascript is a huge vulnerability, people know it and are trying to do something about it.

      --
      When information is power, privacy is freedom.

    61. Re:Is this good news or bad? by Sancho · · Score: 1

      If you don't use flat view, or if you like to have subjects collapsed, it's much faster to use the (sluggish) Javascript view than to constantly reload the page with a different comment open.

    62. Re:Is this good news or bad? by not+already+in+use · · Score: 1

      Typical snarky slashdot response. Did you catch the part where I said it's 2009? The web now is not the web as originally designed. Maybe you're still living in the animated gif world, but everyone else is living in a world where browsers are JIT compiling javascript and websites are no longer just websites but actual applications.

      --
      Similes are like metaphors

    63. Re:Is this good news or bad? by 0123456 · · Score: 1

      You've never actually been paid to create a web page, have you? (at least, not in the last five years)

      Indeed: just think of all the JS programmers who'd be out of work if the average static web page didn't pull in 500k of JS in order to display 4k of text.

    64. Re:Is this good news or bad? by hesaigo999ca · · Score: 1

      well....actually yes, any website that allows posting HTML script, which in itself can use hypertext links to download malware, is dangerous and should not be allowed...it's all about content filtering before you get it up. If you want an example, I have one here

    65. Re:Is this good news or bad? by Serious+Callers+Only · · Score: 3, Informative

      Filtering user input properly would have stopped this though. It is not an attack which relies on a flaw specific to javascript - the flaw is a very general one - using untrusted user input without aggressive filtering.

    66. Re:Is this good news or bad? by Ironica · · Score: 1

      Face it, programs are written by people, people are made to f*** up on epic scale, therefore, you need to be ready to handle epic f*** ups or just not play ball. Granted you don't get the same dynamic experience but that's the trade off. I'm sure the guy you're quoting understands that.

      The above post is SFW.

      --
      Don't you wish your girlfriend was a geek like me?
    67. Re:Is this good news or bad? by blowdart · · Score: 1

      True, but SQL Injection is a specific attack exploiting how an application talks to the database. This was not SQL injection.

    68. Re:Is this good news or bad? by Anonymous Coward · · Score: 0

      Wait, wait. If this is dynamic, how did I load it in my browser that has JS turned off?

      I'm so confused!

    69. Re:Is this good news or bad? by defireman · · Score: 1

      Be careful of what you wish for...

      Not having dynamic content both increases web page load times (as every action will now require a post-back) as well as bandwidth costs (more stuff now has to come from the server to your page).

      Slashdot alone will fall on its knees if dynamic content is not allowed.

    70. Re:Is this good news or bad? by quanticle · · Score: 1

      But the lesson is the same. Filter your user input. If necessary, remove all tags, and only allow plain text.

      --
      We all know what to do, but we don't know how to get re-elected once we have done it
    71. Re:Is this good news or bad? by HeronBlademaster · · Score: 1

      Seriously, why would I want "dynamic content" when all that really means is a thousand pauses as more data is fetched? Give me static pages whenever possible.

      Well I can think of an example you might accept.

      Imagine I'm selecting a username while registering a forum account. Rather than fill out the entire form, submit it, and wait for the entire page to load again only to find that the username has been selected, wouldn't it be nice if it would check that while I fill in other parts of the form?

      See, that way, you actually spend less time waiting, since you were doing something useful while the Javascript did a round-trip to the server to make sure the username you selected is available.

      All I'm saying is that using Javascript to dynamically alter the web page does not automatically mean you're adding in a thousand extra pauses before the web page is usable.

    72. Re:Is this good news or bad? by Anonymous Coward · · Score: 0

      The real exploit was in the Markdown parser.

      This exploit only used the jQuery library to make the code shorter. This could have been done even without an 'AJAXified' comment system.

    73. Re:Is this good news or bad? by Anonymous Coward · · Score: 0

      Section 508.

    74. Re:Is this good news or bad? by spike2131 · · Score: 1

      I would never use just client side validation, but that's for security reasons, not just because I want to be nice to folks who won't use javascript.

      I was thinking more along the lines of population of page content using AJAX calls. Yes, you could design an entire parallel system of non-javascript content delivery, but doing so encumbers your product with additional support overhead and development time.

      If your customer feels that failing gracefully is a worthwhile investment of time and money, great, but that should be their decision. And it's a decision that should be made for pragmatic reasons, not simply because it's grandfathered in as a best practice from years ago.

      --
      SpyDock: Scientific Python in a Docker container
    75. Re:Is this good news or bad? by Anonymous Coward · · Score: 0

      Consequently, the former are "safe" in that it's possible to prove that a particular implementation is free of exploits that would allow running arbitrary code

      How many image rendering engines are there on your system that have been proven free of exploits? Is it none?

      "proven free of exploits" is the kind of claim that is so unlikely, if I were to ever see it in connection with a bit of software, I would automatically assume it was a lie.

    76. Re:Is this good news or bad? by FatMacDaddy · · Score: 2, Informative

      I think you're talking about Section 508 of the Americans with Disabilities Act. And yes, it can apply to more than US Government web sites. Target found that out the hard way after refusing to provide alt tags and other accessible changes to their web site. After getting slammed with a $6 million judgement, no one else is bothering to refute what has become established case law.

      I might also add that Section 508 covers much more than screen readers and javascript.

      --
      This space intentionally left blank.
    77. Re:Is this good news or bad? by Anonymous Coward · · Score: 1, Interesting

      Failing gracefully tends to make pages work better for normal users, too. Ex. the old use of Java applets / Flash for navigation buttons on websites where an image + CSS would have worked. It makes the page unusable in lynx and makes users of other browsers unable to open links in new windows or new tabs.

    78. Re:Is this good news or bad? by SanityInAnarchy · · Score: 1

      If there were as many holes in JPG rendering libraries as there have been in javascript,

      Except this isn't a vulnerability in Javascript, it's a vulnerability in a Javascript application.

      then yes disabling images would be an entirely reasonable solution.

      Do you really think so?

      Because I think the reasonable solution is to fix the libraries.

      And I count more than 4 -- there was an exploit involving an image that was actually a Java class file, being executed as a Java program with full local access, as one example.

      --
      Don't thank God, thank a doctor!
    79. Re:Is this good news or bad? by SanityInAnarchy · · Score: 1

      The fact that the implementation involves everything running on that turing-complete machine.

      To the extent that the implementation of a non-Turing-complete machine involves everything "running" on it as well. There have been vulnerabilities in HTML itself, among other things.

      And, for that matter...

      has to do with your dumb comment above ("You don't think it's possible to formally prove a sandbox?").

      You haven't shown me that it's not possible to formally prove the code that implements a sandbox.

      --
      Don't thank God, thank a doctor!
    80. Re:Is this good news or bad? by TheLink · · Score: 1

      > Filtering user input properly would have stopped this though

      Yeah but I think a lot of people underestimate the difficulty of "properly".

      Even when it comes to simple stuff like escaping angled brackets:

      http://cansecwest.com/csw09/csw09-weber.pdf
      http://www.securityfocus.com/archive/1/437948/30/0/threaded

      More here:
      http://nedbatchelder.com/blog/200704/xss_with_utf7.html
      http://www.securityfocus.com/bid/31183/discuss
      http://ha.ckers.org/blog/20060817/variable-width-encoding/

      Worse if you need to allow _some_ fancy stuff but not all.

      To use a car analogy, browsers nowadays are like cars with 1000+ gas pedals, many placed in strange and unexpected places. But not a single brake pedal.

      To stop, you must ensure that NONE of the 1000+ gas pedals are pressed.

      If a hacker rides past and manages to press one of those pedals, you crash and burn.

      I've been proposing a brake pedal for browsers for years: http://slashdot.org/comments.pl?sid=1384497&cid=29565569

      I really don't care what it ends up looking like as long as it works and is easy to use.

      What if one day your filters disagree with some of your users browsers in their parsing? All the different browsers and filters might be correct according to different interpretations of the standard(s) - just some ambiguity makes them all right and yet some different.

      With my proposal as long as they interpret the brake pedal correctly, they could still be safe (there's no 100%, but hey at least things will be safer).

      --
    81. Re:Is this good news or bad? by Anonymous Coward · · Score: 0

      it's usually faster with the script.

      Hi there - you must have just popped in from some alternate universe... did Michael Jackson die there too? Was he black?

      Well, he started out black.
      Then he slowly faded to white.
      Now he's slowly getting darker again.

    82. Re:Is this good news or bad? by sexconker · · Score: 1

      Yes I have.

      As that code must be Turing complete for it to be of any use.

    83. Re:Is this good news or bad? by An+Onerous+Coward · · Score: 1

      Making the proposer a... what was the word again?

      I propose that people stop proposing ideas that rely on groups of people to stop being idiots.

      --
      You want the truthiness? You can't handle the truthiness!

    84. Re:Is this good news or bad? by SanityInAnarchy · · Score: 1

      So your assertion is that it's not possible to formally prove anything that's Turing-complete?

      I'll admit I'm in over my head here, but a quick assumption goes as follows:

      I define a Turing-complete, sandboxed language as a set of instructions that can do the following:

      • Allocate some new storage for itself
      • Perform some mathematical computation, referring to storage previously allocated
      • Store arbitrary values (the results of said calculation) in that storage
      • Call pre-defined routines provided by the sandbox (the DOM, for example)

      It seems like it'd be trivial to prove the first three. The fourth, even if unprovable, is also not impossible. Practical examples are any service with a public API. The simple example would be instructions like "display a string" -- to attack that either involves a DoS (trivial for a sandbox to deal with), or a bug in the string handling (Bobby Tables, as trivial to avoid as it is to exploit).

      Regardless, the public API need not be even close to Turing-complete -- so your objection is to the possibility of a sandboxed language, with no public API, which cannot be compromised.

      Do I have it right so far?

      --
      Don't thank God, thank a doctor!
    85. Re:Is this good news or bad? by orngjce223 · · Score: 1

      Counterexample.

      I pull up Slashdot with no Javascript and get a nice comment list. It works, and that's all there is to it.

      I pull up Slashdot with Javascript enabled and sit there and wait for the browser to grind code for five seconds (bringing everything else on my computer, including Folding@Home, to a stall), just for a stupid little box that floats along the left side of the page like a stray dog that's decided to follow you around for some reason and has a bunch of sliders that are supposed to show and hide content but don't work at all.

      I'll take the no-JS version of the page, thanks.

      And don't even get me started about the Preferences...

      --
      Note: I was 13 when I wrote most of this. Take with several grains of salt.
    86. Re:Is this good news or bad? by HeronBlademaster · · Score: 1

      I'm not saying it can't be done wrong, I'm just saying that it can be useful when done right.

      In other words, "it can be done wrong" is a stupid reason to ban JS entirely. Banning JS entirely would only be a valid recourse if "it can't be done right" were a true statement, but obviously that's not a true statement, so we're back to what I was saying before: Javascript, when used properly, can increase the usability of websites without introducing excessive delays, and in some cases can reduce potential delays.

      I'll agree with you about one thing though - Slashdot certainly isn't a shining example of good Javascript usage. (I also don't understand why it takes a good twenty seconds for the post preview to show up...)

    87. Re:Is this good news or bad? by BZ · · Score: 1

      > Image file formats and HTML pages are not Turing complete, while Javascript is

      Depends on how you define "image file" (is PostScript allowed?) and "HTML page" (is client-side XSLT allowed?).

    88. Re:Is this good news or bad? by gmhowell · · Score: 1

      The sand must flow, or some such.

      You're thinking spice, but, whatever.

      --
      Jesus was all right but his disciples were thick and ordinary. -John Lennon
    89. Re:Is this good news or bad? by jsebrech · · Score: 1

      Did you submit your idea to the html5 mailing list? It's a good idea. At the very least this should be debated within the scope of html5.

    90. Re:Is this good news or bad? by TheLink · · Score: 1

      An AC pointed out that some people are working on "brakes" now: https://wiki.mozilla.org/Security/CSP

      It's substantially different from my idea - a lot more sophisticated. But yeah maybe we'll eventually get brakes.

      FWIW, I submitted my suggestions to the www-html mailing list and mozilla about 7 years ago. One or two list readers said they wanted something like that, but the rest said stuff like "No you should use libraries".

      The myspace and google worms had their merry way... So I resubmitted it again.

      --
    91. Re:Is this good news or bad? by RichiH · · Score: 1

      That's nice. Really it is. But other people have different priorities. And _every_ site should/must be usable without Javascript/flash/what have you (unless it's a Javascript/flash/what have you tech demo).

      Why?

      Some people just prefer it that way, like me.
      Others need this, like people who have to use screen readers, etc.

    92. Re:Is this good news or bad? by Anonymous Coward · · Score: 0

      Who told you that the internet was "intended" to be used with/through/supported by javascript?

      If a scripting language for toying with the DOM had actually been given some thorough thought, rather than being put together slap-dash like it was (and you know it was), this sort of crap wouldn't exist. And don't say if someone had built in smart pointers into C++ in the first place you wouldn't have memory leaks, it's been 13 years since js 1.0, and it's still the same pile of steaming goo at the end of the day.

      Sure bad programming habits will lead to crying (waaaaah!), but only with js can you completely and utterly HOSE things from the OUTSIDE. It's specifically because of things like Ajax that poor web architectures and implementations promulgate.

    93. Re:Is this good news or bad? by SanityInAnarchy · · Score: 1

      And _every_ site should/must be usable without Javascript/flash/what have you

      You forgot: where it makes any sense at all to do so. Show me how YouTube could be usable without Javascript or Flash.

      Slashdot is usable without Javascript, it's just much more so with Javascript.

      Others need this, like people who have to use screen readers, etc.

      I believe Flash does support that now, but really, this is better done with semantic HTML -- Javascript still makes sense.

      --
      Don't thank God, thank a doctor!
    94. Re:Is this good news or bad? by Dreadneck · · Score: 1

      Any proposal that relies on any group of people to not be idiots is doomed to failure.

      So much for Congress.

      --
      Power does not corrupt - power attracts the corrupt.
    95. Re:Is this good news or bad? by RichiH · · Score: 1

      > You forgot: where it makes any sense at all to do so. Show me how YouTube could be usable without Javascript or Flash.

      I know what you mean and point taken, but Flash is a workaround, not a solution in youtube's case.

    96. Re:Is this good news or bad? by SanityInAnarchy · · Score: 1

      So the solution is, what, <video>? Still requires Javascript to add some features that, if not strictly needed, definitely improve YouTube.

      One example: It's possible to link to a specific moment (by timecode) in a YouTube video.

      Another example: Aside from subtitles, it's possible for the author to add annotations to a video. This can range from correcting a typo without re-encoding, to adding contextual links to the middle of a video, to correcting one's self without re-encoding and re-shooting the video.

      I don't think either of these would be possible without either Javascript, Flash, or some plugin designed specifically for YouTube. I know which I'd prefer.

      The fact that you can comment on a video while it's playing (without navigating to another page) is just icing on the cake.

      Moral of the story: Just because a technology can be abused is not a reason to avoid the technology, especially because all technology can be abused.

      --
      Don't thank God, thank a doctor!
    97. Re:Is this good news or bad? by RichiH · · Score: 1

      > Still requires Javascript to add some features that, if not strictly needed, definitely improve YouTube.

      Exactly my point. Enhancing functionality with JS is fine, but it _must not_ be required for a site to work at all. As I said in my first comment, there are exceptions, but they are very few.

    98. Re:Is this good news or bad? by RichiH · · Score: 1

      PS: I would _love_ to have a youtube version which just presents a preview pic which is linked to a URL to the flv in question so I would not have to copy and paste the youtube URL into my own custom script that uses mplayer to play the video outside of the browser window.

    99. Re:Is this good news or bad? by jimktrains · · Score: 1

      REST also doesn't allow sessions. The only way to do auth in rest is via HTTP, and that's shittily implemented in browsers (ugly, no way to log out, no way to log in from any page). Cookies are fine. I like sessions, for the most part JS shouldn't be needed, however.

      --
      "You will do foolish things, but do them with enthusiasm." - S. G. Colette
    100. Re:Is this good news or bad? by naasking · · Score: 1

      REST also doesn't allow sessions.

      Myth. Just place your unguessable token in the URL instead of in a cookie.

    101. Re:Is this good news or bad? by sexconker · · Score: 1

      You're right.
      The first three can be proven relatively easily.

      The fourth is the issue.
      It doesn't matter if the API is public or not.
      It doesn't matter if you have a damned API.

      If running a sandbox environment to contain another Turing-complete machine, then the physical machine must be Turing complete.

      All that matters is whether or not that code can withstand all possible series of inputs.

      Good luck formally proving that.

    102. Re:Is this good news or bad? by SanityInAnarchy · · Score: 1

      it _must not_ be required for a site to work at all.

      Which I still strongly disagree with. It again comes down to whether it makes sense or not.

      For example: Slashdot absolutely should work without Javascript. All it does is link to other pages and provide a discussion board.

      On the other hand...

      there are exceptions, but they are very few.

      Few, perhaps, but not hard to think of, and I expect to see more in time.

      For example, Gmail should work without Javascript, though if I was writing an email client, that wouldn't be a priority for me.

      But Gtalk? Google Docs? Sorry, no.

      Google Wave is useless without Javascript, yet does provide a very real possibility for replacing... lots of things. Email, IM, document collaboration...

      There's also the interesting possibility of combining things like CouchDB with a pure Javascript frontend (plus some static HTML), thus removing the need for any server-side application other than the database itself.

      Then there are browser-based games -- arguably, Javascript is a much better vector for these than Flash.

      I could go on...

      Now, thinking back to YouTube, if I were to publish something on YouTube, I don't think I'd much like the thought of someone watching the raw video, without any of my annotations.

      --
      Don't thank God, thank a doctor!
    103. Re:Is this good news or bad? by SanityInAnarchy · · Score: 1

      I would _love_ to have a youtube version which just presents a preview pic which is linked to a URL to the flv in question

      You do realize that most of YouTube is available in mp4 now, right? I'd actually hate one that only linked to an flv.

      I would not have to copy and paste the youtube URL into my own custom script that uses mplayer to play the video outside of the browser window.

      Sounds like a job for Javascript.

      Specifically, GreaseMonkey. People already generate download links with that, and it wouldn't be terribly difficult to replace the player itself with a download link. The difficult part would be finding an appropriate image.

      Or better yet, if it's a format your browser supports, wrap it in a video tag. Then you get right-click and save as.

      But you still miss the annotations, if they exist.

      --
      Don't thank God, thank a doctor!
    104. Re:Is this good news or bad? by SanityInAnarchy · · Score: 1

      It doesn't matter if the API is public or not.

      True. But the existence of public APIs proves that a secure API can be implemented.

      It doesn't matter if you have a damned API.

      In the case of a sandbox, it does, because if you don't provide an API, it's absolutely secure. Absolutely useless, too, but absolutely secure.

      All that matters is whether or not that code can withstand all possible series of inputs.

      Except that if this was a problem, it would be a problem for the first three.

      Again, I'm over my head mathematically (and I hope to rectify that, at some point), but this seems stupidly obvious logically.

      --
      Don't thank God, thank a doctor!
    105. Re:Is this good news or bad? by sexconker · · Score: 1

      You can prove any of the first three sandbox functions just fine. But you can't prove them on the operating system side.

      If your sandbox is a regular old sandbox that just walls up some memory, then the proof of the sandbox boils down to proving all the sandbox code, which won't be Turing complete, and then proving all the OS code, which is Turing complete.

      If your sandbox implementation is more in the line of a vm type setup, you'll have to deal with your hypervisor, etc., which will be Turing complete.

      The bottom line is that the implementation as a whole is what matters. You can define a wall and it may be impenetrable, but the ground itself may be easy to burrow through.

      There is no point in proving a sandbox to be "secure" while ignoring the same issues where the sandbox is implemented.

      The poster waaaaaaaaaaay up said:
      "Image file formats and HTML pages are not Turing complete, while Javascript is. Consequently, the former are "safe" in that it's possible to prove that a particular implementation is free of exploits that would allow running arbitrary code, while Javascript by definition can never be; the whole point of Javascript is to allow arbitrary code execution, so the best you could ever prove is that the code never leaves the confines of the Web browser - but having a script post comments does not require that."

      You can prove code will never leave your sandbox due to a fault of the sandbox, but the implementation of the sandbox is Turing complete. You can't prove the entire thing won't come tumbling down.

      Thus, you can never prove it is safe to run arbitrary, Turing-complete code on a Turing complete machine, regardless of whatever sandboxing you use.

    106. Re:Is this good news or bad? by SanityInAnarchy · · Score: 1

      the proof of the sandbox boils down to proving all the sandbox code, which won't be turing complete,

      Ok, good to know this is possible.

      and then proving all the OS code

      Technically, yes. But then, it's also technically possible to have a provably-correct OS, I think.

      Practically, all you need to prove are the parts that directly interact with the sandbox. Again, technically, it's possible that there's some code in my video driver that will, using its ring 0 access, read the sandbox code, and do so in an insecure way. But how likely is that?

      So, basically, you'd need to prove the scheduler, the allocator (and memory protection), and whatever interfaces you expose to the sandbox -- for instance, if the sandbox'd Javascript has a "stdout" object with a "write" method, you have to prove operations on Unix file descriptors are safe, and whatever the output goes to is safe.

      The more precise you want to get, the more code is involved. But eventually, you end up with something like, "Well, I can't prove there's no vulnerabilities in write(2), therefore, a sandboxed program could theoretically exploit such a vulnerability." And that borders on insanity, since it'd have to be something at once profoundly stupid (it's not that hard to safely get a sequence of bytes to the stream, or somewhere on disk) and incredibly unlikely, as these interfaces have been in use (and theoretically exploitable through many other vectors) for decades.

      I don't see why any of these attacks are more feasible against a turing-complete sandbox than anything which allows arbitrary data to be loaded into RAM, including HTML and CSS. If you're seriously going to pretend there's a vulnerability in write(2), fine, but that seems as likely as a vulnerability in a socket read, which would affect every Unix-based http server...

      It seems far, far more likely to me that once you formally prove the sandbox and the APIs it directly exposes, you're safe -- and, conversely, that if you're not safe, the problem is either in the Turing-machine implementation itself, or in one of the APIs.

      --
      Don't thank God, thank a doctor!
    107. Re:Is this good news or bad? by RichiH · · Score: 1

      > You do realize that most of YouTube is available in mp4 now, right? I'd actually hate one that only linked to an flv.

      I am happy with whatever works. As I view about 0-2 videos on youtube per month, I don't really care about specifics.

      > But you still miss the annotations, if they exist.

      If by annotations you mean those text overlays in which people either try to make you buy stuff/click links or simply show how retarded they are: sign me up! ;)

    108. Re:Is this good news or bad? by SanityInAnarchy · · Score: 1

      If by annotations you mean those text overlays in which people either try to make you buy stuff

      Honestly, I've never seen an annotation that does so.

      click links

      That's a useful feature. If someone's making a video that actually relates to something online, it's nice if they can link to their source.

      And I specifically mentioned other things these are useful for. I'm not talking theoretically -- I have actually seen this done.

      simply show how retarded they are

      If they were going to do that, the original video will do that as well.

      First few seconds of this video is, I think, a fair request. It also doesn't hide any of the original content, and fades before the actual video appears.

      Or, here, around 1:33, is an example of correcting a video which has already been published -- much more convenient for him than, again, re-shooting and re-encoding the whole thing.

      Of course, if a particular set of annotations is annoying, it's trivial to disable them -- a click and a half. But to have them on is an option that you don't have without the Flash, or at least the Javascript, and that second video is an example of one where, if I'd only had the raw video, I'd have been hitting his comments section hard.

      Yes, you could encode them as subtitle tracks -- but then you couldn't have clickable links.

      --
      Don't thank God, thank a doctor!
    109. Re:Is this good news or bad? by Serious+Callers+Only · · Score: 1

      To stop, you must ensure that NONE of the 1000+ gas pedals are pressed. If a hacker rides past and manages to press one of those pedals, you crash and burn.

      To stop it, you whitelist, don't blacklist (which is what you're describing with the 1000 gas pedals analogy) when filtering user data.

      Then you only allow a certain set of very limited tags, attributes and attribute values, and definitely nothing including scripting. Encoding is definitely a problem even with that approach though - personally I wouldn't let anything url encoded through (like attributes) as it's the main source of vulnerabilities.

      I've been proposing a brake pedal for browsers for years: http://slashdot.org/comments.pl?sid=1384497&cid=29565569

      I agree this is a great idea, please keep pushing it. It has become more relevant recently I think, so it is perhaps an idea whose time has come. In lieu of having it in a browser, adding as standard more aggressive filtering to javascript frameworks would help reduce a lot of this stuff.
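TheLink's point that "properly" is hard and Serious Callers Only's answer (allowlist, never blocklist) are easiest to see in code. The sanitizer below is an added example written for this page; it is not reddit's code, not the Markdown parser the thread mentions, and not anything the posters wrote. Its rule is the one recommended above: a construct is emitted as markup only when it exactly matches an allowed shape and is rebuilt from the parsed parts, and everything else, including any tag carrying an attribute, is escaped into literal text. The allowed tag set and the test inputs are constructed for the example.

```javascript
// Added example: allowlist sanitizer for user-submitted comment markup.
// Nothing passes by being "not blocked". A tag is emitted only when it matches an
// allowed shape exactly; it is then rebuilt from the parsed parts rather than
// copied. Anything else (tags with attributes, event handlers, unknown tags,
// stray angle brackets) is escaped and shows up as text.

// Hypothetical allowlist for a comment system; attributes are not allowed on these.
const ALLOWED_SIMPLE_TAGS = new Set(['b', 'i', 'em', 'strong', 'code', 'p']);

// Escape the five characters that change meaning in HTML text or attribute values.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Accept only absolute http(s) URLs made of printable ASCII with no quote or
// angle-bracket characters, so the value cannot break out of its attribute and
// cannot carry a javascript: or data: scheme.
function isSafeHref(url) {
  return /^https?:\/\/[\x21-\x7e]+$/.test(url) && !/["'<>]/.test(url);
}

// Decide what to emit for one tag-like run "<...>" given the stack of open tags.
// Accepted tags push/pop the stack; everything else is returned escaped.
function rewriteTag(tag, stack) {
  let m = /^<(\/?)([A-Za-z]+)>$/.exec(tag);
  if (m) {
    const closing = m[1] === '/';
    const name = m[2].toLowerCase();
    if (ALLOWED_SIMPLE_TAGS.has(name) || (closing && name === 'a')) {
      if (!closing) { stack.push(name); return `<${name}>`; }
      // A closing tag is honoured only if it matches the innermost open tag.
      if (stack.length && stack[stack.length - 1] === name) { stack.pop(); return `</${name}>`; }
    }
    return escapeHtml(tag);
  }
  // The one attribute-bearing shape allowed: <a href="..."> with a vetted URL.
  m = /^<a href="([^"]*)">$/i.exec(tag);
  if (m && isSafeHref(m[1])) {
    stack.push('a');
    return `<a href="${m[1]}" rel="nofollow">`;
  }
  return escapeHtml(tag); // attributes, on* handlers, unknown tags: literal text
}

function sanitizeComment(input) {
  const tagRe = /<[^<>]*>/g; // any "<...>" run; what it becomes is decided above
  const stack = [];
  let out = '';
  let last = 0;
  let m;
  while ((m = tagRe.exec(input)) !== null) {
    out += escapeHtml(input.slice(last, m.index));
    out += rewriteTag(m[0], stack);
    last = m.index + m[0].length;
  }
  out += escapeHtml(input.slice(last));
  // Close whatever the author left open so a comment cannot swallow the rest
  // of the page.
  while (stack.length) out += `</${stack.pop()}>`;
  return out;
}

// Constructed inputs: one benign, one with an event handler, one with a
// javascript: URL, one with a stray "<" in ordinary prose.
const SAMPLES = [
  '<b>hi</b>',
  '<b onmouseover="x()">hi</b>',
  '<a href="javascript:alert(1)">x</a>',
  'a < b & c > d',
];
for (const s of SAMPLES) console.log(JSON.stringify(s), '=>', sanitizeComment(s));
```

Two caveats that the links in TheLink's comment are about: this runs on the final HTML, so in a Markdown-based system it belongs after the Markdown renderer, not before it; and it assumes the page is served with an explicit charset (for example `text/html; charset=utf-8`), since a browser left to guess the encoding can reinterpret bytes the filter considered harmless.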

    110. Re:Is this good news or bad? by badkarmadayaccount · · Score: 1

      Dynamic text overlay ought to be trivial with some Javascript, leaving Flash in the cold.

      --
      I know tobacco is bad for you, so I smoke weed with crack.
    111. Re:Is this good news or bad? by SanityInAnarchy · · Score: 1

      Indeed, but you can't reliably mix the two, if you're going to support older browsers and older versions of Flash.

      But yes, if they were going to go straight HTML5+Javascript, they could easily show text (and images) on top of the video.

      --
      Don't thank God, thank a doctor!
    112. Re:Is this good news or bad? by badkarmadayaccount · · Score: 1

      Which is pretty much every geek's dream.
      RE:Sig
      Dude, are you gonna move, or is that sig there to show geek pride? BTW, what's it like having 100 Mbps? Is it comparable to most user connections, or are the rest of us missing out?

      --
      I know tobacco is bad for you, so I smoke weed with crack.
    113. Re:Is this good news or bad? by SanityInAnarchy · · Score: 1

      They might be working on it -- see youtube.com/html5. However, html5 lacks some basic stuff, like a way to go fullscreen, so it may be awhile yet.

      Actually, I should just change my sig. I was gonna move if I could find a job -- instead, I went back to school. And, this ISP doesn't seem to be enforcing the cap, at least on me, so I don't care.

      --
      Don't thank God, thank a doctor!
    114. Re:Is this good news or bad? by SanityInAnarchy · · Score: 1

      And to reply to "what's it like"...

      For the most part, it's comparable to cable, because most sites aren't particularly fast. For example, my Ubuntu updates usually run at around 100 kilobytes per second.

      But, transferring files across town is exactly like being on a LAN -- speeds of 11 megabytes per second over SSH.

      As for the Internet, there's pretty much no quality of video that anyone's willing to stream that I can't easily handle, and I've seen torrents hit about 3 megabytes per second.

      --
      Don't thank God, thank a doctor!
  2. proof of concept by yincrash · · Score: 2, Insightful

    Seriously. Using the 'onhover' event is considered inventive enough to call it a proof of concept?

    1. Re:proof of concept by immortalpob · · Score: 4, Informative

      This is a flaw in Reddit's comment system that allows the poster to get javascript code executed. A comment system should not allow you to use "onhover"; that is the point.

    2. Re:proof of concept by MathFox · · Score: 2, Insightful
      It is just a reminder to programmers of public forum software how important input sanitation is.

      Apparently the damage was limited to only one site... But similar hacks could be done on other vulnerable sites.

      --
      extern warranty;
      main()
      {
      (void)warranty;
      }
    3. Re:proof of concept by pjt33 · · Score: 1

      Have been. Sun's fora spring to mind.

    4. Re:proof of concept by Otto · · Score: 1

      A comment system should not allow you to insert javascript code of any kind, period. How exactly did he slip this past the filters? Does reddit even have filters?

      Regardless, I've added reddit.com to my blocklist. Simple immunity. :)

      --
      - Give a man a fire and he's warm for a day, but set him on fire and he's warm for the rest of his life.
    5. Re:proof of concept by maxume · · Score: 1

      What exactly are you worried about? The worst thing that could happen is that reddit did a poor job of closing the hole (the nasty comment has stopped spreading and is being mass deleted...) and someone could post some JS that tries to access some information of yours on another site, but the only way they will succeed is if the server side implementation of that other site is terribly flawed.

      --
      Nerd rage is the funniest rage.
    6. Re:proof of concept by gzipped_tar · · Score: 1

      Not just 'public forum software'. Every motherfucking kind of software.

      --
      Colorless green Cthulhu waits dreaming furiously.
    7. Re:proof of concept by Anonymous Coward · · Score: 1, Interesting

      The implications of XSS vulnerabilities are much greater than you describe. Read this White paper, particularly pages 19-27 to see the implications.

      Give me an unfixed XSS vulnerability on a trusted site with top secret archives of sensitive material and I can show you all sorts of mischief, including retrieval of the secret archive, administrator impersonation, password theft, phishing, page defacing, and much more. The opportunities are endless. I've seen this in recent legal documentation.

      I can think of all sorts of exploits that would be specific to Reddit that could steal valuable information. I won't outline them here, as some jackass will go do them.

    8. Re:proof of concept by maxume · · Score: 1

      All of those things you are listing would pretty much be limited to pages and information stored on reddit.com (things get worse if the user has ActiveX up and working in their browser), beyond that there are some irritating DOS attacks, and some resource discovery (but anyone browsing the internet with javascript turned on really better have the idea of turning off valuable resources when they are not actively using them, or even partitioning that activity). I didn't spell it out, but I did start from the presumption that the GGP didn't even have a reddit account (as they seem to be happy to block it entirely), so any of the attacks against reddit itself aren't going to be very revealing in his case.

      --
      Nerd rage is the funniest rage.
    9. Re:proof of concept by fatphil · · Score: 1

      I disagree. Input sanitation is good for protecting the application itself (reddit's server in this case). What is required is output sanitation, to protect the next recipients of the data. I have no objection to seeing people write <%74%63%73 etc. etc. on web fora - it lets me know what they're trying to do.

      --
      Also FatPhil on SoylentNews, id 863
  3. NoScript by corychristison · · Score: 4, Insightful

    "NoScript FTW!" comments commencing in 3... 2... 1...

    I skimmed the FAQ on the first link, and it seems reddit is responsible for not scrubbing input.

    Next!

    1. Re:NoScript by CKW · · Score: 3, Interesting

      I love how *their* mistake causes viral problems in YOUR browser. All one needs is some sort of cross site vulnerability now and ...

    2. Re:NoScript by AnotherShep · · Score: 1

      The obvious solution is that you need to get revenge. Go start a popular site for owners of popular sites so you can cause viral problems in THEIR browser.

    3. Re:NoScript by maxume · · Score: 1, Informative

      You seem to have misunderstood what is going on. There isn't really a 'viral problem' in the browser, there is (was) a comment that would cause your browser to spam the server with copies of itself. So the problem is described as viral because it spreads to new users as they hover over an infected comment, but the problem is pretty well localized to reddit.com, and browser security is in no way compromised.

      --
      Nerd rage is the funniest rage.
    4. Re:NoScript by Anonymous Coward · · Score: 0

      There's something better than noscript: quickjava. Noscript works, but it's a pain because it insists on making exceptions to what I assumed meant "absolutely no javascript until I turn it on". I don't want to think about anything, I just want to be able to turn it off/on with a single click. It also requires several annoying clicks to disable/enable javascript.

      Quickjava, on the other hand, is exactly what I envisioned when I wished I could turn javascript off/on with a single click. No questions asked, no surprises, either completely on or completely off.

    5. Re:NoScript by RiotingPacifist · · Score: 4, Insightful

      Cue me reposting my views on noscript being a pretty crappy tool for modern web security then.

      NoScript comes from a broken way of thinking, "you can identify attacking sites and trusted sites", the attack code for this was coming from reddit.com (a site you have to allow in order to use reddit). The only way this sort of bug can be protected against is by use of javascript filtering tools such as controldescripts that filter javascript requests by type and domain, with such a tool it would be possible to protect yourself much more effectively.

      mouseclick is submitting info -> allow
      mouseover is requesting data -> allow
      mouseover is submitting data -> request user confirmation
      javascript function is doing something weird -> request user confirmation
      javascript is trying to use a known exploit* -> deny and notify user (as a workaround for 0-days simply blocking the bad JS calls will protect users much faster than browsers usually get patched) ...etc

      You could also combine this with domain checking to have lists of pages where you allow
      *no-js (untrusted),
      *simple-JS (google, youtube, etc) but [it might allow functionality but could prevent tracking],
      *complex-js (facebook, etc) [all the ajax stuff means simple-JS wouldn't work]
      *all-JS (fancynewsite.com) [even the complex list of functions you allow just isn't enough]

      Such tools could also help the paranoid among us use website that require JS, by disabling mousetracking and sending of data on non-click actions.

      As long as people stick to the broken thinking of trusted/untrusted domains, there is little chance of this actually happening. The worst thing about noscript is that for an unknown site you often have to allow JS on it to see what it looks like, so unless you plan on only browsing sites you've already been to and those that don't use javascript, it is completely useless yet its users claim, nay genuinely think they are more secure!

      --
      IranAir Flight 655 never forget!
    6. Re:NoScript by Neoncow · · Score: 1

      Neither aedes nor I work for reddit. We were simply reporting what was known at the time to prevent further spreading and panicking users (people were thinking they were going to get banned for spamming, worrying about loss of karma, et cetera).

      The admins acted within an hour. KeyserSosa is an admin, his username is highlighted in red and has a [A] next to it.

    7. Re:NoScript by 0123456 · · Score: 2, Insightful

      The worst thing about noscript is that for an unknown site you often have to allow JS on it to see what it looks like, so unless you plan on only browsing sites you've already been to and those that don't use javascript, it is completely useless yet its users claim, nay genuinely think they are more secure!

      If I go to an unknown site and it doesn't display anything useful without JS then I generally go somewhere else; if the developers are so inept that they can't make their site do something useful without it then the site is probably a heap of steaming monkey poo or a malware distributor.

      Back in the real world, it's hard to see how allowing arbitrary JS to run on your system can be considered 'more secure' than only running it from sites you trust. This 'exploit' is nothing to do with insecurity, it's to do with crap programming on a trusted site.

      The mere fact that we need such protection goes to show what a heap of steaming monkey poo JS is.

    8. Re:NoScript by RiotingPacifist · · Score: 1

      it's hard to see how allowing arbitrary JS to run on your system can be considered 'more secure' than only running it from sites you trust.

      The same way that file permissions can be considered more secure than only allowing trusted people to use your computer. At the end of the day if you want to actually browse the web you need to go outside your safe list of sites, in addition to this there is the fact that even the most trusted of sites/applications will eventually be exploited, so reducing the damage an exploited site/app can do is just common sense!

      --
      IranAir Flight 655 never forget!
    9. Re:NoScript by corychristison · · Score: 1

      I am in complete agreement with you. I was literally half asleep when I wrote what I wrote (I had just got out of bed and was about to get ready for a day at work).

      I've always felt that NoScript is a band-aid solution to security.

      I would use something like you suggested, and if my programming skills were competent enough, I'd probably even contribute to/start such a project. However I think that for performance reasons, it would have to be mainline within the browser and not an addon.

    10. Re:NoScript by Sir_Lewk · · Score: 1

      Honestly I'm impressed you managed to post on slashdot with a policy like that. (that's saying something negative about slashdot, not your policy ;))

      --
      "linux is just DOS with a UNIX like syntax" -- Galactic Dominator (944134)
  4. White hat vs Black hat by thepooh81 · · Score: 1

    The guy who did this is clearly intelligent. Although I got hit with this yesterday, all I could think about was how clever it was. Too bad he's not using his powers for good (unless you consider taking down reddit good).

    What do you think stops black hats from converting? Easy money? Life outside the "norm"?

    1. Re:White hat vs Black hat by mcgrew · · Score: 3, Funny

      What do you think stops black hats from converting? Easy money? Life outside the "norm"?

      Sociopathy, perhaps?

    2. Re:White hat vs Black hat by PalmKiller · · Score: 1

      I think you are confusing a hacker with a java script kiddie.

    3. Re:White hat vs Black hat by BlueKitties · · Score: 1

      Agreed. There's a big difference between finding an exploit in a secure system and finding an exploit in a JavaScript driven page that wasn't scrubbed. Back in the golden days, 1337 H4x used to post specially crafted HTML into a comment/post like this, because the website didn't scrub the posts. It's like SQL injection, only with HTML tags. And in this case, it's JavaScript instead of HTML.

      I remember on gamefaqs.com, users used to post italic/bold tags without closures, which caused the entire remainder of the page to end up in italics/bold. Of course, these "exploits" ended up being deemed hacks, when in fact it's more or less a stupid webpage.

      --
      "Sorrow is better than laughter, for by sadness of face the heart is made glad." [Ecclesiastes 7:3]
  5. Re:Well, that site has a terrible design by jDeepbeep · · Score: 1

    WTF is reddit anyway?

    Interestingly enough, the stories that end up on /. are not infrequently posted several days earlier on Reddit.

    --
    Reply to That ||
  6. NSFW? by mcgrew · · Score: 2

    guyhersh from reddit.com describes the situation (warning: title NSFW)

    Does anybody have a SFW link? Something like this certainly must have more than one FA.

    1. Re:NSFW? by leuk_he · · Score: 1

      The faq "1) What the fuck?" might be considered NSFW?

      Or maybe some content that is displayed only when js is enabled, something that is not recommended on a page called javascript exploit.

    2. Re:NSFW? by bertoelcon · · Score: 1

      It just says "what the fuck" in the title. Their work has to be really restrictive to have one word cause a problem.

      --
      Anything can be found funny, from a certain point of view.
    3. Re:NSFW? by BlackSabbath · · Score: 4, Funny

      > Eye owl wise ewes a spill chucker sew eye no my spilling is core wrecked.

      Hey, whadda ya know? A sig with a New Zealand accent.

      (Yeah, yeah, I know, offtopic, blah, blah, mod-away...)

    4. Re:NSFW? by pavon · · Score: 1

      The only thing NSFW about the link is that it says "What the fuck" in the title/url. So unless you have a really braindead tripwire at work it shouldn't be a problem.

    5. Re:NSFW? by Yvan256 · · Score: 4, Funny

      The only fucking thing NSFW about the link is that it fucking says "What the fuck" in the title. And if you can read my fucking comment, you can go ahead and fucking click that link.

      And here's another "Fuck" just for the heck of it.

      Warning: my comment was NSFW and should not have been read.

    6. Re:NSFW? by Rogerborg · · Score: 1

      It's OK, the link to the article already contains the "NSFW title", so you're damned already in the eyes of your sysadmin.

      --
      If you were blocking sigs, you wouldn't have to read this.
    7. Re:NSFW? by mcgrew · · Score: 1

      Thanks, I guess I can RTFA. That's no less SFW than slashdot. I wonder why the warning?

    8. Re:NSFW? by sadness203 · · Score: 1

      Because of the word fuck...
      If someone loses his job on that particular title... he deserved a better job...
      "OMG ... he's reading porn again! I can see the word fuck everywhere on the server log, I must go tell the boss!"

    9. Re:NSFW? by BlackSabbath · · Score: 1

      > Does anybody have a SFW link? Something like this certainly must have more than one FA.

      http://mashable.com/2009/09/27/reddit-attack/

    10. Re:NSFW? by tehcyder · · Score: 4, Funny

      Warning! The above post is NSFW!

      --
      To have a right to do a thing is not at all the same as to be right in doing it
    11. Re:NSFW? by jmorkel · · Score: 1

      I was expecting boobies in TFA. Leaving disappointed.

    12. Re:NSFW? by Anonymous Coward · · Score: 4, Funny

      FUCK!!!

    13. Re:NSFW? by mcgrew · · Score: 1

      I went to the fucking article, and there wasn't one! Just one line and a bunch of comments. WTF? No need to RTFA on this one.

    14. Re:NSFW? by Neoncow · · Score: 2, Insightful

      And if you did have a braindead tripwire like that, it would have jumped on the fact that fuck is in the url in the summary.

    15. Re:NSFW? by Anonymous Coward · · Score: 0

      Wardrobe malfunction alert!

          (.) (.)

    16. Re:NSFW? by greeze · · Score: 1

      And here's another "Fuck" just for the heck of it.

      Thank you for using "heck". That would have been the straw.

  7. Re:Well, that site has a terrible design by Trahald · · Score: 2, Insightful

    I'm a long time slashdotter and now spend equal time on reddit. What draws me to reddit is the spartan interface. Of course, the content on reddit is halfway between slashdot's and digg's, so I (unfortunately) have to keep coming back.

  8. Re:Well, that site has a terrible design by Tei · · Score: 2

    Well.. this one was posted before on reddit. *laughs*

    So.. yea.

    Can anyone post the Javascript code here? It's probably some boring use of ajax, but anyway...

    --

    -Woof woof woof!

  9. Re:Well, that site has a terrible design by mandark1967 · · Score: 1, Troll

    So it's like the Slashdot firehose, except people read it?

    wow...

    --
    Sig Follows: "Suppose you were an idiot. And suppose you were a member of Congress. But I repeat myself." -- Mark Twain
  10. Reddit Hacks by jDeepbeep · · Score: 3, Interesting

    This is nothing new. There is a quiet tradition of Reddit users finding the weak points of the site, like this for example.

    Putting javascript:$(".up").click()() in the address bar upvotes everything on the page.

    --
    Reply to That ||
    1. Re:Reddit Hacks by RalphSleigh · · Score: 1

      That's the user opting to execute extra javascript on your page; if this breaks your web site/application for more than that user then you are not doing it right. The posted hack is something much more fun.

      --
      Come as you are, do what you must, be who you will.
    2. Re:Reddit Hacks by Chris+Pimlott · · Score: 4, Insightful

      This is not a weakness or an exploit, it's simply a javascript bookmarklet. You could make something like this for any site, such as Slashdot.

      It's only an exploit if you can force other people to run that code without their consent.

    3. Re:Reddit Hacks by Anonymous Coward · · Score: 0

      Which apparently you can, using onhover. Please pay more attention.

    4. Re:Reddit Hacks by Chris+Pimlott · · Score: 1

      I am paying attention. The parent made it sound like it was Reddit's fault that you can run a bookmarklet manually on it.

  11. Already fixed. by complete+loony · · Score: 2, Informative

    KeyserSosa Thanks for this (and thanks aedes ). I'm going to steal his idea and post here as well. We've fixed a couple of underlying bugs in markdown.py, and will write a blog post for those interested once the dust settles. We've also gone through and deleted the offending comments. This exploit was a good old-fashioned worm, and its only purpose seems to have been to spread (and spread it did). The effect was limited to the site, and no user information was compromised.

    So obviously this is no longer spreading.

    --
    09F91102 no, 455FE104 nope, F190A1E8 uh-uh, 7A5F8A09 that's not it, C87294CE no. Ah! 452F6E403CDF10714E41DFAA257D313F.
  12. Re:Well, that site has a terrible design by stoolpigeon · · Score: 1

    And the other way around quite often.

    --
    It's hard to believe that's how Micronians are made. Why don't we see it right now by having you both kiss one another?
  13. Re:Well, that site has a terrible design by jmnugent · · Score: 2, Insightful

    Over the years I've also spent quite a bit of time on social sites like Slashdot, Fark, Metafilter, Digg, etc.... but now spend the majority of my time on Reddit. I actually like the design (it's simple, efficient and useful). But the beauty of Reddit is the organized structure of the sub-reddits. If I'm short for time, I can just quickly browse the frontpage. If I have more time, I can browse my favorite sub-reddits where people know me. The commenting system is easy on the eyes and easy to follow, and the userbase is a nice balance of attitudes.

  14. A Good Idea by CopaceticOpus · · Score: 5, Insightful

    Hey, everyone, there is a javascript exploit on Reddit! Click on these links to Reddit to learn more.

    Incidentally, this old sock smells awful. You should smell it.

    1. Re:A Good Idea by prockcore · · Score: 1

      By the time slashdot posted this story, reddit had fixed it. Which should surprise no one.

    2. Re:A Good Idea by Geminii · · Score: 1

      Hold mah beer and click this!

  15. Re:Well, that site has a terrible design by Conspiracy_Of_Doves · · Score: 1

    Yeah. I've been watching that Carl Sagan autotune video since last Thursday.

  16. Re:Well, that site has a terrible design by ais523 · · Score: 1

    No, Reddit got this story first. You'll notice that the links in the summary go to Reddit...

    --
    (1)DOCOMEFROM!2~.2'~#1WHILE:1<-"'?.1$.2'~'"':1/.1$.2'~#0"$#65535'"$"'"'&.1$.2'~'#0$#65535'"$#0'~#32767$#1"
  17. Myspace by RalphSleigh · · Score: 2, Interesting

    Reminds me of a very similar worm that hit myspace years ago:

    http://web.archive.org/web/20060208182348/namb.la/popular/tech.html

    Same thing, find a way of executing javascript and then have it self-replicate by posting itself all over the site.

    --
    Come as you are, do what you must, be who you will.
  18. html tag to disable active content by TheLink · · Score: 4, Insightful

    Years ago I actually proposed to the W3C and the mozilla bunch to add a tag to disable dynamic stuff like javascript.

    Basically it would work something like this:

    <shield lock="some_random_hard_to_guess_string_here" enabled="basic_html_only">
    The browser will only recognize basic HTML stuff here, it won't recognize javascript or any _future_ dynamic stuff that the W3C or browser people think of
    </shield unlock="some_random_hard_to_guess_string_here">

    The some_random_hard_to_guess_string_here would be different for each page.

    The idea is while the website should still have filters, even if in the future the W3C or browser wiseguys create some new fangled way of inserting javascript or some other dynamic content that the filters do not protect against (since it's new and the filters have not been updated), the browser will just ignore the new stuff that some hacker inserts when it's between the tags.

    To me the current state of things is a bit crazy - basically it's like having a car with 1000 gas pedals (tags) and to stop the car you have to make sure all 1000 pedals are not pressed (escaped or filtered). There is not a single brake pedal! And worse, the W3C or MS or Mozilla or whoever could introduce a new gas pedal, and you the website operator have to filter out the new gas pedal when it's introduced.

    With something like this tag there is a brake pedal, so even if you don't manage to filter out all the 1000 gas pedals, the brake helps to keep stuff safe.

    If they had implemented such a tag, the google and myspace worms would not have worked for so many browsers.

    FWIW, these sort of worms are not new. I managed to find a hole in advogato some years ago (iframe worm) - and hence my suggestion to the W3C and Mozilla.

    But it seems to me that NONE of them are really interested in improving security. They're all just interested in inventing new gas pedals for people (and hackers) to step on. They're not even interested in creating a single brake pedal. They just pay lip service to security.

    See the thing is - it's not too difficult to code a browser to go "OK from now on there's no such thing as javascript till I see a valid unlock tag", so even if there is a browser parsing bug and a hacker manages to insert javascript via a stupid browser bug (that the website filters naturally do not and cannot cater for) it does NOT matter - since javascript will be disabled - between those tags the browser will be respecting the flag that says "I do not know javascript, java and all that fancy stuff" - it does not even have to parse javascript - since for all intents and purposes between those tags, the browser does not know there's such a thing as javascript (or activex or flash etc).

    This is very useful for sites that have to include 3rd party content - sites like slashdot or webmail sites or even sites that serve up ads from 3rd parties.

    --
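The shield proposal above as a toy simulation, added here and not TheLink's own code (no browser implements such a tag): the server wraps user content with a lock generated fresh for each response, and a stand-in "browser" ignores active content inside the region until it sees a close tag carrying the matching unlock value. The tag syntax follows the post; SITE_TEMPLATE, SUBMITTED_COMMENT and the marker regexes are constructed for the example.

```python
"""Toy model of the per-page <shield> tag proposed in the thread.

Added example, not part of the original post: no browser implements this
tag, so the 'browser' below is a small stand-in parser. The server wraps
untrusted content with a fresh random lock on every response; the parser
treats everything inside a locked region as inert text and leaves it only
on a close tag whose unlock value matches the current lock.
"""
import re
import secrets
from typing import List, Optional, Tuple

SHIELD_OPEN = re.compile(r'<shield lock="([0-9a-f]+)" enabled="basic_html_only">')
SHIELD_CLOSE = re.compile(r'</shield unlock="([0-9a-f]+)">')
# Markers a real browser would act on. The toy browser reports them instead
# of running anything; inside a shielded region it reports nothing at all.
ACTIVE = re.compile(r'<script\b|\bon[a-z]+\s*=|javascript:', re.I)

# Constructed sample page: the site's own script and a voting link are
# legitimate active content; {{comments}} is where user content goes.
SITE_TEMPLATE = ('<html><body><script src="/site.js"></script>'
                 '{{comments}}'
                 '<a href="/vote" onclick="vote()">up</a></body></html>')

# Constructed sample of a submission that has slipped past the site's
# filters; it also tries to break out of the shield with a bare close tag
# and with a guessed unlock value.
SUBMITTED_COMMENT = ('</shield></shield unlock="deadbeef">'
                     '<a href="#" onmouseover="worm()">hover me</a>'
                     '<script>worm()</script>')


def wrap_untrusted(template: str, untrusted_html: str) -> Tuple[str, str]:
    """Server side: wrap user content in a shield with a fresh 128-bit lock.

    The lock is visible in the page source, but it did not exist when the
    comment was submitted and changes on every response, so stored content
    cannot carry the matching unlock value.
    """
    lock = secrets.token_hex(16)
    shielded = (f'<shield lock="{lock}" enabled="basic_html_only">'
                f'{untrusted_html}'
                f'</shield unlock="{lock}">')
    return template.replace("{{comments}}", shielded), lock


def find_active_content(page: str) -> List[str]:
    """Toy browser: return the active-content markers it would act on."""
    found: List[str] = []
    pos = 0
    lock: Optional[str] = None      # lock of the region we are inside, if any
    while pos < len(page):
        if lock is None:
            m = SHIELD_OPEN.search(page, pos)
            end = m.start() if m else len(page)
            found.extend(ACTIVE.findall(page[pos:end]))
            if m is None:
                break
            lock, pos = m.group(1), m.end()
        else:
            # Only a close tag carrying this region's lock ends the region.
            # A bare </shield> or a wrong unlock value is just inert text.
            m = SHIELD_CLOSE.search(page, pos)
            while m is not None and not secrets.compare_digest(m.group(1), lock):
                m = SHIELD_CLOSE.search(page, m.end())
            if m is None:
                break               # unterminated region: inert to end of page
            lock, pos = None, m.end()
    return found


if __name__ == "__main__":
    page, lock = wrap_untrusted(SITE_TEMPLATE, SUBMITTED_COMMENT)
    print("lock for this response:", lock)
    print("with shield:   ", find_active_content(page))
    print("without shield:", find_active_content(
        SITE_TEMPLATE.replace("{{comments}}", SUBMITTED_COMMENT)))
```

With the shield only the site's own `<script` and `onclick=` are reported; without it the submitted `onmouseover=` and `<script` appear as well.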
    1. Re:html tag to disable active content by Anonymous Coward · · Score: 0

      M0d par3nt u!P Smart way of dealing with a dumb problem - just generate a 128bit nonce for the tag on the server side, problem solved.

    2. Re:html tag to disable active content by Anonymous Coward · · Score: 0

      I don't really see how this would work. First of all, you say that websites should implement filters anyways, but if they have this tool, many will think they don't need to.

      Then the web will be an even more dangerous place for browsers that don't implement this.

      It really isn't all that hard to filter HTML. I don't think any standard has yet been introduced nor will be that does not use standard tags with angle brackets. So all your filter has to do is remove these tags. If you really want your users to be able to post content with tags, then *whitelist* tags and attributes, but at your own peril.

    3. Re:html tag to disable active content by sukotto · · Score: 1

      So then people would first have to paste a comment "" and THEN paste the comment with the exploit code?

      --
      Come play free flash games on Kongregate!
    4. Re:html tag to disable active content by harry666t · · Score: 1

      You can't assign attributes to end tags. XML/HTML won't let you do that and extending it to be able to do so would be a bit of a revolution. Too many existing parsers rely on the current behaviour. But maybe you could possibly do something along ''' /> stuff <endshield key="lalala" />''', although I believe that'd also be a bit of a hack.

      What we actually really need, and what is the real solution, is just a little more careful programming on the server side. Write a function that takes a string as an input and produces an escaped string as an output. Prove mathematically that no input shall ever produce broekn otuput. Simple.

    5. Re:html tag to disable active content by Timmmm · · Score: 4, Insightful

      Well that's an overly complicated and... well *wrong* way to do it. The correct solution is:

      1. Escape all <'s and >'s and &'s in the input.
      2. Interpret BB-code to add links & basic formatting.

      Simple.
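The escape-then-interpret recipe above, together with fatphil's point earlier in the thread that it is the output handed to the next reader that needs escaping, as a worked example added here (not reddit's markdown.py and not code posted by anyone in the thread). The BB-code subset, the allowed-scheme set and the sample comments are assumptions of the example; it adds the one check the recipe leaves implicit, that a [url=...] target must carry an allowed scheme.

```python
"""Escape-then-format rendering for user comments.

Added example, not reddit's markdown.py: it follows the recipe from the
thread (escape every <, > and & first, then interpret a small BB-code
subset) and adds the check that recipe leaves implicit: the target of a
[url=...] must use an allowed scheme, otherwise only the link text survives.
"""
import html
import re
from typing import Optional
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# BB-code is matched only after escaping, so these patterns never see a raw
# '<' or '>' and the only tags that can reach the output are written here.
_BOLD = re.compile(r"\[b\](.*?)\[/b\]", re.S)
_ITALIC = re.compile(r"\[i\](.*?)\[/i\]", re.S)
_URL = re.compile(r"\[url=([^\]]+)\](.*?)\[/url\]", re.S)


def _safe_href(target: str) -> Optional[str]:
    """Return an attribute-safe href, or None if the scheme is not allowed.

    Relative and protocol-relative targets are rejected as well: only an
    absolute http(s) URL is linked.
    """
    # The target was escaped with the rest of the comment; unescape it for
    # parsing only. Whitespace and control characters are dropped because
    # browsers ignore them before the scheme (e.g. "java\tscript:").
    raw = html.unescape(target)
    raw = "".join(ch for ch in raw if ch.isprintable() and not ch.isspace())
    try:
        scheme = urlsplit(raw).scheme.lower()
    except ValueError:              # malformed (e.g. bad IPv6 literal)
        return None
    if scheme not in ALLOWED_SCHEMES:
        return None
    return html.escape(raw, quote=True)


def _render_url(match: "re.Match[str]") -> str:
    href = _safe_href(match.group(1))
    text = match.group(2)            # already escaped: safe to emit as-is
    if href is None:
        return text                  # drop the link, keep the text
    return f'<a href="{href}" rel="nofollow">{text}</a>'


def render_comment(source: str) -> str:
    """Render one comment: escape first, then interpret BB-code.

    The order is the whole point. Done the other way round, a [b] body could
    carry raw markup, or a [url] target an attribute the browser would run.
    """
    escaped = html.escape(source, quote=True)
    out = _URL.sub(_render_url, escaped)
    out = _BOLD.sub(r"<b>\1</b>", out)
    out = _ITALIC.sub(r"<i>\1</i>", out)
    return out


if __name__ == "__main__":
    # Constructed sample comments, including the kind of markup the thread
    # is about; none of it reaches the output as live HTML.
    for sample in ('[b]hello[/b] & <i>not a tag</i>',
                   '<a href="#" onmouseover="x()">hover</a>',
                   '[url=javascript:alert(1)]click[/url]',
                   '[url=http://example.com/?a=1&b=2]site[/url]'):
        print(repr(sample), "->", render_comment(sample))
```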

    6. Re:html tag to disable active content by ToastBusters · · Score: 1

      For the love of god implement something like this. Everyone petition W3C. Currently I have to strip HTML tags from form input completely.

    7. Re:html tag to disable active content by Anonymous Coward · · Score: 0

      The correct solution is to not try to manipulate structured data using text manipulation operations on the encoded format, but to manipulate the actual data (i.e. the DOM).

      The vast majority of bugs in web applications arise from people trying to generate HTML, SQL, shell commands, etc via direct string manipulation. Ad-hoc checks and escaping are a band-aid.

      See also: http://xkcd.com/327/

    8. Re:html tag to disable active content by Anonymous Coward · · Score: 0

      Most of the time that will work. But never say never when clever hackers meet stupid coders. See the cheat sheet for more details

    9. Re:html tag to disable active content by JoeShmoe950 · · Score: 1

      No, the entire point is that any exploit would need to know the "unlock" code in order to operate, yet the unlock code is generated when the page is sent to the browser, long after the exploit has been submitted.

    10. Re:html tag to disable active content by sukotto · · Score: 1

      strange. that showed up in the preview. let's try again:

      paste a comment "</shield>"

      --
      Come play free flash games on Kongregate!
    11. Re:html tag to disable active content by TheLink · · Score: 2, Insightful

      That's all very nice and simple till stuff like UTF8, UTF7, etc get involved...

      See:
      http://nedbatchelder.com/blog/200704/xss_with_utf7.html
      http://www.securityfocus.com/bid/31183/discuss
      http://ha.ckers.org/blog/20060817/variable-width-encoding/

      You don't have to believe me when I tell you there are 1000 (or more) gas pedals and no brake pedal and it's a crazy situation. But that's the truth as I see it.

      I daresay many of the website folks who have been burnt before will believe me. Yes you can and SHOULD use the escaping libraries out there, but you'd still be screwed the day some hacker discovers a way to exploit a browser bug or new "feature" or even an ambiguity in standards[1] that causes the browser to see things differently from what the library handles.

      My memory isn't so good but I think there was even a case where a browser treated some unicode characters as "" for some reason with exploitable results.

      [1] Both the browser and library could be "right" but that's no comfort to your exploited users and you.

      --
    12. Re:html tag to disable active content by cyberfunkr · · Score: 1

      There are some fundamental flaws with your proposal: HTML (javascript included) is browser-based, and how do we define "basic" HTML?

      Since HTML is browser-based, everything must be transmitted to the browser and then interpreted. So your

      [shield lock="some_random_hard_to_guess_string_here" enabled="basic_html_only"]

      would be visible as plain text in the source code. So what's the point of a hard to guess string if it HAS to be displayed in an easy to read format?

      Next, describe "basic" HTML... Obviously we can't just use some arbitrary W3C set (HTML 3.2, HTML 4.0, HTML 5.0...) as [script] has been a perfectly valid tag for a very long time. So it would then be up to the coder to create a list of available tags. And if you're just going to create a list of available commands, then you're asking HTML to behave like BB-Code. So why not just use one of the many libraries out there and use the more user-friendly (or at least less things for the end-user to understand) and widely-accepted BB-Code?

      It's up to the programmer to make things safe, not adding new cumbersome commands to a language.

    13. Re:html tag to disable active content by TheLink · · Score: 1

      > You can't assign attributes to end tag

      I don't care how the brake pedal looks, as long as it works and is easy enough to use. There's stuff like DOM and AJAX to consider, so it might not be as simple as that, but my point is we should have at least one useful brake pedal.

      > What we actually really need, and what is the real solution, is just a little more careful programming on the server side.
      > Prove mathematically that no input shall ever produce broekn otuput. Simple.

      That's either ironic or insightful or +5 Funny or all of the above ;).

      Imagine if the whole Car Industry tells you "If you want to stop, just make sure none of the 100+ gas pedals are pressed" and it's not their problem if some of the gas pedals are located in the strangest and most unexpected places. And the Car Consortium says "Oh by the way, we're going to release a new gas pedal in 2010 - we haven't quite decided what it is, and some of the car manufacturers already have their own ideas, but be sure to take care of those as well okay?".

      Well maybe I'm seeing things wrong and the W3C and browser people are right. It's just crazy old me I guess.

      --
    14. Re:html tag to disable active content by Gulthek · · Score: 1

      The proposal is that the closing tag must have an unlock code that matches the code in the starting tag. Since the code is generated when the page renders to the browser, there's really no way for the attacker to know what it will be.

    15. Re:html tag to disable active content by BikeHelmet · · Score: 2, Interesting

      There is not a single brake pedal! And worse, the W3C or MS or Mozilla or whoever could introduce a new gas pedal, and you the website operator have to filter out the new gas pedal when it's introduced.

      Undid my mods, but I had to post this.

      There used to be a brake pedal. I think it was Firefox 1.5 where this code didn't evaluate any tags:

      element.appendChild(document.createTextNode(sText)); // appends sText to element as a DOM text node

      The solution, therefore, was to manually parse italic/bold/a tags, to append those elements - and then create a text node inside. A perfect working DHTML/DOM solution, properly sanitized!

      However, with Firefox 3, text nodes now evaluate HTML tags. This handy function went out with eval usage for local callbacks. :/ Opera and Chrome also evaluate some (all?) tags for appended text.

    16. Re:html tag to disable active content by Anonymous Coward · · Score: 0

      that's called "".

    17. Re:html tag to disable active content by AusIV · · Score: 3, Insightful
      Reddit does escape all of those symbols, and they use Markdown for adding links. Still, they managed to get owned by an obscure vulnerability that was discovered only because their code is open source.

      And that's the point TheLink was trying to make. It would be far simpler to tell the browser not to accept javascript in a certain block of code than it is to explore all the possible exploits that could be leveraged against your alternative markup language. There are hundreds if not thousands of places you can make mistakes, and it could be remedied by a single mechanism that prevented javascript from existing in certain blocks of code.

    18. Re:html tag to disable active content by TheLink · · Score: 1

      Agh, the line: browser treated some unicode characters as ""

      Should read:

      browser treated some unicode characters as "<".
      See this: http://cansecwest.com/csw09/csw09-weber.pdf

      Forgot that Plain Old Text is not Plain Old Text in Slashdot.

      Oh yeah there's also: http://www.securityfocus.com/archive/1/437948/30/0/threaded

      --
    19. Re:html tag to disable active content by Anonymous Coward · · Score: 0
    20. Re:html tag to disable active content by harry666t · · Score: 1

      > Imagine if the whole Car Industry tells you "If you want to stop, just make
      > sure none of the 100+ gas pedals are pressed" and it's not their problem if
      > some of the gas pedals are located in the strangest and most unexpected places.

      Except that, when you're programming, you can write one subroutine to check all the pedals at once. And, uh, put it in a library, or reuse it in any part of the program, or do a lot of other fancy shit you'd never be able to do with a car.

      But it is true that the web as a platform has many problems and deficiencies. Try opening a glade file in gedit - there's no way in hell you could suddenly start seeing random widgets popping out in the editor window.

    21. Re:html tag to disable active content by TheLink · · Score: 1

      And how do you know your one filter subroutine is going to see the same pedals the same way as the major browsers out there, and all the various minor versions of them, and in the various different language configurations?

      I think you underestimate the problem.

      You may expect the major browsers to parse everything the same way, and the same way as your escaping/filtering library from a websecurity POV.

      I bet they won't.

      Go check out the various links in my other posts on this article and see the joys of dealing with Unicode/UTF7/UTF8, etc.

      --
    22. Re:html tag to disable active content by Lord+Ender · · Score: 1

      How can & symbols be used to do XSS?

      --
      A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
    23. Re:html tag to disable active content by TheLink · · Score: 1

      Maybe that's a more sensible proposal.

      But what's not so sensible is it's taken about 7 years since I tried to get people to do something about it:

      http://markmail.org/message/pgcka6wlxgbfyep7
      http://www.mail-archive.com/mozilla-security@mozilla.org/msg01448.html

      That's a pretty long time. Oh well, maybe we'll see a brake pedal eventually. Like I said, I don't care how it looks as long as it works and is easy to use.

      Heh at least I'm not a patent troll. In my experience ideas are easy - getting stuff implemented is the hard part. I'm happy if people just improved stuff faster.

      p.s. Maybe it'll be another 7 years before someone actually implements something like this: https://bugs.launchpad.net/ubuntu/+bug/156693
      Too bad after all the years and alleged billions all we got was UAC from Microsoft, and maybe a few sandboxed browsers.

      --
    24. Re:html tag to disable active content by Timmmm · · Score: 1

      They can't as far as I know but you still need to convert them to &amp;'s.

    25. Re:html tag to disable active content by Anonymous Coward · · Score: 0

      Or just run NoScript?

  19. That's how IT saved the world. by Thanshin · · Score: 2, Funny

    Can you imagine the same people in other fields of science?

    "...Hey guys, look! I made the black hole generator we were theorizing yesterday! See? I just have to press this button and

    1. Re:That's how IT saved the world. by Idiomatick · · Score: 3, Funny

      This is why the engineer engineers make fun of us in software engineering. :(

    2. Re:That's how IT saved the world. by dotancohen · · Score: 3, Funny

      Can you imagine the same people in other fields of science?

      "...Hey guys, look! I made the black hole generator we were theorizing yesterday! See? I just have to press this button and

      They keep having problems with that black hole generator, just wait until November.

      --
      It is dangerous to be right when the government is wrong.
    3. Re:That's how IT saved the world. by Anonymous Coward · · Score: 0

      This is why the engineer engineers make fun of us in software engineering. :(

      Well as an electrical engineer, I can confirm it is one of reasons, but not the only one.;)

    4. Re:That's how IT saved the world. by captainClassLoader · · Score: 1

      November-shmovember. They're only going to power the LHC up halfway. So, they'll only make half a solar-system-eating black hole. Nothing to see here, move along...

      --
      "The plural of anecdote is not data" -- Bruce Schneier
    5. Re:That's how IT saved the world. by Idiomatick · · Score: 1

      It was only the one time and I was drunk! You promised not to tell anyone.

  20. Re:Well, that site has a terrible design by RingDev · · Score: 1

    Come for the stories. Stay for the comments!

    -Rick

    --
    "Most people in the U.S. wouldn't know they live in a tyrannical state if it walked up and grabbed their junk." - MyFirs
  21. if you read the posts backwards by nimbius · · Score: 1

    it's a bunch of overly-excited people talking about an exploit until it goes away.

    --
    Good people go to bed earlier.
    1. Re:if you read the posts backwards by Neoncow · · Score: 2, Funny

      It actually works the same way if you read it forwards.

  22. ironic javascript fail by Anonymous Coward · · Score: 1, Informative

    Incidentally, I went to mod this and it failed... multiple times.

    Though it eventually worked, I am not impressed.

    It seems that Slashdot is so horribly broken and inconsistent as to be immune to such exploits.

  23. Re:ironic mod fail by quercus.aeternam · · Score: 1

    Speaking of irony...

    (I confess, it was me)

  24. Re:Well, that site has a terrible design by Neoncow · · Score: 1
  25. Re:Well, that site has a terrible design by aoni782 · · Score: 4, Informative
    The script:

    z="[x][b]\n[b]:/["+this.innerHTML+"](/onmouseover=eval(unescape(this.innerHTML9371d7a2e3ae86a00aab4771e39d255d9371d7a2e3ae86a00aab4771e39d255d//)";o=document;e=o.getElementsByTagName('a');for(i=0;i<e.length;i++)if (e[i].innerHTML=='reply')$(e[i]).click();o=document;e=o.getElementsByTagName('textarea');for(i=0;i<e.length;i++)e[i].value=z;e=o.getElementsByTagName('button');for(i=0;i<e.length;i++)if (e[i].innerHTML=='save'&&e[i].style.display!='none')$(e[i]).click();"

  26. Oh cool! Now I can... by argent · · Score: 1

    Oh cool, now I can finally create the signature virus!

  27. In a word: Crap. by Anonymous Coward · · Score: 1, Insightful

    If your security model is built on everyone else playing nice, you're fucked.

    The problem here is in the browser allowing the hijack.

    1. Re:In a word: Crap. by Firehed · · Score: 1

      No, the problem here is that Reddit didn't sanitize their inputs properly, allowing a user to make OTHER users run arbitrary code. Running Reddit-created JS is perfectly safe, and by the sounds of it this hack is far more annoying than it is dangerous.

      Javascript is only a problem when a) you have a malicious webmaster, or b) you allow unknown JS (which may have been created with malicious intent) to run on your page, intentionally (ads, typically) or otherwise. Or if you're running IE6, which just means it'll be miserably slow. But you're on Slashdot, so that's not a problem.

      --
      How are sites slashdotted when nobody reads TFAs?
    2. Re:In a word: Crap. by HeronBlademaster · · Score: 2, Insightful

      If your security model is built on everyone else playing nice, you're fucked.

      The problem here is in the browser allowing the hijack.

      It's not the browser here that's assuming everyone else is playing nice. It's Reddit's site. How were you modded insightful? You're just wrong.

      I agree with your sentiment (that you shouldn't assume everyone else is playing nice) but blaming Reddit's problems on browsers misbehaving is like blaming potholes on cars. Sure, nobody crashes if nobody's driving, but potholes are usually caused by ice breaking up the asphalt, not by drivers driving on roads.

      Let's place blame where blame is due, ok? It's not the browser's job to police what content can be posted to websites, it's the website's job.

  28. Mod parent up by jpmorgan · · Score: 1

    n/t

  29. Mod parent down by bluej100 · · Score: 3, Informative

    The correct solution is a whitelisted HTML parser and generator, like HTML Purifier.

    1. Re:Mod parent down by Firehed · · Score: 2, Interesting

      Tools like that aren't foolproof, especially since browsers go out of their way to attempt to parse malformed input (unless you're serving content as application/xml, in which case the browser will just show an ugly parse error). I can't speak about that tool not having used it, but all it takes is one hacker finding yet another way to create a broken script tag that a browser will still run that they don't yet know about and all your efforts are for nothing.

      I think the parent's suggestion of BBCode is safer overall, but the safest solution is to not allow users to format content at all.

      --
      How are sites slashdotted when nobody reads TFAs?
    2. Re:Mod parent down by Anonymous Coward · · Score: 0

      You're essentially suggesting the same (whitelist) approach. And even those fail in the face of 'surprise' semantics (such as "javascript:" URIs inside image tags).

    3. Re:Mod parent down by bluej100 · · Score: 2, Informative

      You're incorrect. HTML Purifier builds a tree of the HTML it understands and allows, then outputs a clean version of that tree. If it doesn't recognize the markup, it doesn't pass it on to the browser. I'll give $20 to the first person to show me an XSS exploit in the current version of HTML Purifier that isn't the result of an overly permissive whitelist. (Disclaimer: I use HTML Purifier and submitted the patch for CSS.AllowedProperties, but am in no other way associated with the project.)
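The tree-rebuilding whitelist approach described above, together with the `javascript:` URI case raised two comments up, as an added example; this is not HTML Purifier's code but a small Python sanitizer on the standard-library html.parser that re-emits only tags and attributes it knows and drops `href`/`src` values whose scheme is not allow-listed (the tag, attribute and scheme sets are assumptions for the example).

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Allow-lists are assumptions for this example; a real deployment tunes them.
ALLOWED_TAGS = {"p": set(), "br": set(), "b": set(), "i": set(), "em": set(),
                "strong": set(), "blockquote": set(), "code": set(),
                "a": {"href", "title"}, "img": {"src", "alt"}}
VOID_TAGS = {"br", "img"}
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = {"", "http", "https", "mailto"}   # "" is a relative URL
SKIP_CONTENT = {"script", "style"}               # dropped together with contents


def url_is_safe(value: str) -> bool:
    """Allow-list the scheme. Whitespace and control characters are stripped
    first, because browsers ignore them when sniffing a scheme."""
    cleaned = "".join(ch for ch in value if ord(ch) > 32)
    return urlsplit(cleaned).scheme.lower() in SAFE_SCHEMES


class WhitelistSanitizer(HTMLParser):
    """Parse untrusted HTML and re-emit only what the allow-list describes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []       # serialised output fragments
        self.open = []      # allowed tags currently open, to keep nesting valid
        self.skipping = 0   # > 0 while inside <script> or <style>

    def handle_starttag(self, tag, attrs):
        if tag in SKIP_CONTENT:
            self.skipping += 1
            return
        if self.skipping or tag not in ALLOWED_TAGS:
            return                # unknown tag is dropped, its text survives
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_TAGS[tag] or value is None:
                continue          # on*= handlers never get past this line
            if name in URL_ATTRS and not url_is_safe(value):
                continue          # javascript: URLs in href/src are dropped
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open.append(tag)

    def handle_endtag(self, tag):
        if tag in SKIP_CONTENT:
            self.skipping = max(0, self.skipping - 1)
        elif tag in self.open:    # close down to it so the output nests correctly
            while self.open:
                closed = self.open.pop()
                self.out.append(f"</{closed}>")
                if closed == tag:
                    break

    def handle_data(self, data):
        if not self.skipping:
            self.out.append(escape(data, quote=False))

    def result(self) -> str:
        while self.open:          # close whatever the input left open
            self.out.append(f"</{self.open.pop()}>")
        return "".join(self.out)


def sanitize(html: str) -> str:
    """Return a clean rebuild of html containing only allow-listed markup."""
    p = WhitelistSanitizer()
    p.feed(html)
    p.close()
    return p.result()
```

Comments, declarations and processing instructions fall through to the base class, which discards them, so they need no handler here.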

    4. Re:Mod parent down by bluej100 · · Score: 1

      I suppose you're correct on both counts. I don't like invented protocols with no advantages over established standards, though.

    5. Re:Mod parent down by Anonymous Coward · · Score: 0

      Is it really appropriate to mod people down just because you don't agree with what they said? Stay classy there bub...

    6. Re:Mod parent down by bluej100 · · Score: 1

      I don't feel his post should be modded informative, because it's recommending a practice I don't agree with. Perhaps I was being too negative, though. I wouldn't have if there hadn't already been a "mod parent up" reply.

  30. Re:ironic mod fail by Neoncow · · Score: 1

    Back in the old days, there was a mod button at the bottom of the screen. You had to mod all your comments in batch.

    Lower ranked comments were hidden separate "Too many comments" pages and if you clicked one of those links to read them, you would lose all your mod selections. When I got Firefox (Phoenix at the time), tabbed browsing made the process so much easier.

  31. You have a narrow view of the problem. by pavon · · Score: 2, Insightful

    There are many situations other than forum posting where it is desirable to include third-party content in your site. Advertisements are the first thing that jump to mind, but web widgets are also becoming popular. Having some browser markup that will limit what the third-party code can do would enable this to be done safely, without having to trust the third party or load and filter third-party content server-side.

  32. Apps and web pages are different: maybe we need... by wowbagger · · Score: 1, Interesting

    OK, consider this assertion:

    Web pages and web applications are different, so perhaps we need a new URL type?

    Consider: the original purpose of HTTP was HyperTEXT Transport protocol: a means to have linked TEXT pages. Thus, such pages were not a Turing Complete language (indeed, they weren't any form of "active" language at all, just a markup presentation layer). As such, they were simple to evaluate from a security protocol standpoint.

    Since then, the web has evolved into a collection of Web pages (text, graphics, but basically NOT "active") and Web Applications (things like Google Maps).

    To be an "active" page pretty much requires a Turing Complete language, and it is impossible to fully say that a Turing Complete language is "safe" (at a minimum, you cannot guarantee halting, so you have a denial of service attack if nothing else).

    What if we separate the idea of a "Web Page" and a "Web Application", and put certain rules on each (web pages should not require Turing Complete behavior to operate, Web Applications should be bounded in where they fetch code from)? When the user selects a Web Application, the browser can check if the application has been cleared to run by the user previously, and if not, ask them "You have selected to run a web application 'FutzorJooMachine' from 'evilbad.example.com' - are you sure?" Ideally, the web application should provide to the browser a list of sites and components it plans on using (and the browser should ENFORCE that only those items are used).

    Now, if the only difference between a Web Page and a Web Application is the MIME type, then you are going to have a hard time letting the user know when he is about to step on a mine - so what if we create a new transport type, "WATP" (Web Application Transport Protocol), which is the same as HTTP in implementation but has a different default link type, and different permissions from the browser.

    That way, things that are supposed to be Web Pages (Yes, 'You Cannot Delete Messages Without Javascript'-Slashdot I am looking at you) can be constrained to a safe set of behaviors (as in NO JAVASCRIPT OF ANY FORM, INCLUDING FLASH), and the web apps can be identified as such and allowed to do what they need to do AT THE USER'S DISCRETION.

  33. You can prove more if you want to. by Anonymous Coward · · Score: 0

    Java compilers prove the type safety of the bytecode and the runtime verifies the proof before it runs. Depending on the amount of work you want to do, you can prove just about any property about a specific program, and require any arbitrary program you want to use to provide its own proof of safety/correctness that can be formally verified before you run it.

  34. Re:Apps and web pages are different: maybe we need by HeronBlademaster · · Score: 1

    While it's an interesting idea, it has one fatal problem: most end-users don't understand what the browser presents to them, and they'll just do whatever necessary to make it go away. This even applies to a large percentage of otherwise tech-savvy people. The end result will be people allowing everything, because surely their cousin Steve wouldn't send them a malicious link?

  35. Easier: a simple regex will strip it all. by Anonymous Coward · · Score: 0

    Three simple regexes will solve all xss exploits on a page submission:

    // break "on...=" event handler names (onmouseover=, onclick=, ...) with an inert span
    $submission=preg_replace('/on(\w+)=/' , 'on<span style="display:none"> this is not an event </span>${1}=', $submission);
    // break the word "javascript" so a javascript: URL no longer parses as one
    $submission=preg_replace('/javascript/' , 'j<span style="display:none"> this is not js </span>avascript', $submission);
    // turn an <object tag into literal text
    $submission=preg_replace('/<object/' , '&lt;object', $submission);

    It can result in invalid, funny looking html, but the idea is to have a backstop after your other striptags / stripattributes functions. Run these two lines just before saving the submission and you have no worries.

  36. Well put, & agreed, 110% (& blacklist bogu by Anonymous Coward · · Score: 0

    "For me, the solution is to just whitelist the sites I visit frequently, only allowing scripts/cookies when I know they can be trusted." - by Anonymous Coward on Monday September 28, @10:21AM (#29565353)

    See subject-line, because you have hit it right on the head perfectly as far as I am concerned personally. Opera makes this the easiest to do, imo @ least, via first GLOBALLY disabling javascript on all sites (via the tools menu, preferences option, advanced tab, content item OR via tools quick preferences).

    Then, I 'whitelist' (allow) a site to use javascript, when I cannot use said site without javascript (done via right-clicking on the page itself, & using the popup menu & the item entitled "Edit Site Preferences"... thus, allowing it to use javascript (& only it or others I do this for).

    This cuts WAY down on the possibles of WHERE I may have gotten infested (I never really do though, because I use a HOSTS file that is kept up to date weekly if not daily, from reputable sources such as -> SpyBot "Search & Destroy" via its "immunize" feature, ZDNet's Mr. Dancho Danchev's blogspot here -> http://ddanchev.blogspot.com/ & also SRI, here -> http://mtc.sri.com/ as well as other reputable & kept-up-to-date HOSTS files listed here @ wikipedia -> http://en.wikipedia.org/wiki/Hosts_file

    APK

    P.S.=> It works, & I haven't been infected/infested in more than a DECADE++ because of this practice... apk

  37. Re:Apps and web pages are different: maybe we need by Anonymous Coward · · Score: 0

    So we'll take HTTP and _call_ it WATP, then make everything that has _nothing_ to do with transport protocols behave differently. And it'll save the world.

    Are you from Marketing, perchance?

  38. onmouseover is an exploit? by dgun · · Score: 1

    Reddit user Empirical wrote javascript code where if you copied and pasted it into the address bar, you would instantly spam that comment by replying to all the comments on the page and submitting it.

    javascript pseudo protocol

    Later xssfinder posted a proof of concept where if you hovered over a link, it would automatically run a Javascript.

    lol. He proved it huh? It's called onmouseover and you could use it to do whatever you like with javascript, same as onclick or any other event.

    He then got the brilliant idea to combine the two scripts together, tested it and it spread from there."

    What he did was take advantage of a flaw in Reddit's comment system. This is not a 'javascript exploit'.

    --
    FAQs are evil.