The Artima Developer Community
Sponsored Link

Weblogs Forum
You are Under Attack

13 replies on 1 page. Most recent reply: Mar 30, 2004 2:13 PM by hackrobat

Welcome Guest
  Sign In

Go back to the topic listing  Back to Topic List Click to reply to this topic  Reply to this Topic Click to search messages in this forum  Search Forum Click for a threaded view of the topic  Threaded View   
Previous Topic   Next Topic
Flat View: This topic has 13 replies on 1 page
Johan Peeters

Posts: 30
Nickname: yo
Registered: Nov, 2003

You are Under Attack (View in Weblogs)
Posted: Feb 25, 2004 1:30 PM
Reply to this message Reply
Summary
XSS has been around for a long time, but the current appetite for weblogs opens up new opportunities for attackers.
Advertisement

The idea is simple: a web site allows users to enter content. Somehow, the third party content gets embedded in an HTML page at the server before it is sent out to other users. Lots of sites rely on this principle: Amazon, eBay, Yahoo Groups and, of course, web logs.

What happens if the posted content contains a script? Well, you may have seen what happens: the script gets executed on your machine. My script is innocent enough: it just pops up a notification. But these scripts can be really vicious. Gathering private data and posting it to the attacker's site is an old favorite.
The security conscious configure their browser not to execute scripts. I would heartily recommend you try that, but, if your browsing behavior is similar to mine, you will probably end up turning them back on as so many web sites rely on them. That includes sites you would expect to take security seriously. For example, I found that one of the banking applications I use relied on scripts. So users by and large allow scripts and implicitly trust the web sites they visit. This is what makes cross-site scripting or XSS so insidious: the visited web site does not control the script.

Actually, there are some things that the hosting site can and should do: it should validate the content posted and reject scripts. I believe this is now done by some of the large eCommerce sites. But the blogging arena is a fertile new ground for this old flower to blossom again.
I believe Artima's web logs are not a risk in this respect as there is a personal trust relationship between Bill Venners, Artima's owner, and the bloggers. Not so for many of the weblog hosts out there.
Still, I think that Bill should get this fixed and disallow posts that contain scripts. I can lend you a hand if you want, Bill.


Bill Venners

Posts: 2242
Nickname: bv
Registered: Jan, 2002

Re: You are Under Attack Posted: Feb 25, 2004 3:26 PM
Reply to this message Reply
Never trust a guy who wears dark sunglasses in his blogger photo.

Actually, what you have exploited is a feature. I do trust Artima bloggers to use the ability to post scripts responsibly, as I think you have done so in this very weblog post. On the other hand, I don't trust the general registered masses to the extent I trust bloggers, so I don't allow scripts or any HTML at all in posts to the Artima Forums. Try typing your script into this forum and you'll see it doesn't get through.

One place I have been concerned about is Buzz and News, which posts content read from RSS feeds. Some of the posts in Buzz have indeed discussed the same scripting issue coming from RSS feeds, and that alerted me to the issue with RSS content. I plan to do some more cleansing of the HTML I grab from RSS items, but haven't done so yet.

Johan Peeters

Posts: 30
Nickname: yo
Registered: Nov, 2003

Re: You are Under Attack Posted: Feb 25, 2004 4:00 PM
Reply to this message Reply
I meant to ask you how to get that picture changed :-)

Matt Gerrans

Posts: 1152
Nickname: matt
Registered: Feb, 2002

Re: You are Under Attack Posted: Feb 25, 2004 4:15 PM
Reply to this message Reply
> I meant to ask you how to get that picture changed :-)

You should be able to insert a little script that shows a different photo every time! ;-)

hackrobat

Posts: 14
Nickname: hackrobat
Registered: Jul, 2003

Re: You are Under Attack Posted: Feb 26, 2004 11:00 AM
Reply to this message Reply
I've said it:
http://www.livejournal.com/~mannu/111862.html

Bill Venners

Posts: 2242
Nickname: bv
Registered: Jan, 2002

Re: You are Under Attack Posted: Feb 27, 2004 4:05 AM
Reply to this message Reply
> I've said it:
> http://www.livejournal.com/~mannu/111862.html

I see what you said was:

If you allow users to edit the content of your website, exercise strict control over it. See how Slashdot does user comments. See UseMod's text formatting rules. You don't want users to be able to inject malicious JavaScript code into your website. As much as possible, limit user contributions to plain text. Plain text rules.

That's actually what I originally did with the Artima weblogs. Originally, blog posts were typed in with the same square bracket markup you can use for the Artima Forums. But of course the bloggers wanted more. They wanted to be able to do lists, and images, and tables, and embedded hyperlinks. And I felt all those were very reasonable requests. So the original bloggers and I had a rather long discussion on our mailing list of what the syntax should look like. But it frankly it quickly started looking very ugly. Eventually, Guido van Rossum suggested that whatever I decide, it should either be a standard or very simple. He hinted that our syntax was quickly leaving "simple" behind, and he was right. That's when I decided to just make it HTML to start with, because that's a standard. The other contender was reStructured Text, which is popular in the Python community. I do want eventually to allow bloggers to have the choice of typing their posts in either HTML or reST, but as of now its HTML.

It really came down to a question of trust. I was ending up needing to do a lot of work to create a safer blog input format than HTML, and it was getting ugly to look at and complicated to learn. And I just decided I didn't need that degree of safety, that I trust the bloggers. If a blogger comes along and abuses that freedom, I'll remove the post. And if they continue to be malicious in subsequent posts, I can remove their blog. That approach has worked fine at Artima.

The funny thing about JavaScript is that not only was concerned about it being abused, I also couldn't think of any reasonable need to put JavaScript in a weblog post. But Johan Peeters found a use for it, as an illustration in a blog post about this issue of how to let people post content to a website. It is the very first pop-up that has ever been at Artima, and it is a good use for JavaScript that I never imagined. It reminded me of this week's interview with Bjarne Stroustrup, when he said, "When you design in terms of lists of features or lists of alternatives, you never get the design quite right. There always turns out to be just one more case, or one less." Basically, I didn't support only the list of features I imagined bloggers would need -- paragraphs, bold, italics, images, hyperlinks, and so on -- I just said use HTML however you want to use it. And that allowed Johan to use his blog in a way I hadn't imagined.

Now on the other hand, I think typing in HTML is a pain. What I think would really be nice is a nice what you see is what you get tool that bloggers could use to compose their posts. I would actually like to write such a tool as well, but not for safety concerns so they can't type in nasty attack scripts. I would like to do it to make posting to an Artima weblog an easier and more pleasant user experience.

Matt Gerrans

Posts: 1152
Nickname: matt
Registered: Feb, 2002

Re: You are Under Attack Posted: Feb 27, 2004 10:43 AM
Reply to this message Reply
Wait a minute. This fear-mongering is getting out of hand. Since when is a JavaScript alert "malicious"? JavaScript runs in a limited sandbox on the client, just like Java applets, does it not? Do you know of any exploits? If you can write a JavaScript that will modify or even read a file on the clients machine, I'd like to see it. In fact, I'd be interested in one that can simply copy some text to the clipboard.

The worst thing I've seen done with JavaScripts is popups and pop-unders -- and the Google toolbar solves that problem, while allowing you to keep JavaScript enabled. Before I started using that thing, I always had my JavaScript option set to "prompt" rather than a blanket on or off. That could be a little annoying, but lets you see and control when JavaScript is executed.

Anyway, if you are worried about JavaScript, then you don't need to throw out the proverial baby, you just need to pre-process the blogs and strip it out and everything can stay in html format. After all it is quite easy to parse the script tag in html.

However, I think JavaScript is not that dangerous, particularly in this case, where only the hand-chosen bloggers can use it and they can't do it anonymously.

Matt Gerrans

Posts: 1152
Nickname: matt
Registered: Feb, 2002

Re: You are Under Attack Posted: Feb 27, 2004 10:46 AM
Reply to this message Reply
Just to further point out that only the the original blogger could add the script, I did a "quote original" in this reply to demonstrate that the JavaScript has be eviscerated:

<script defer>alert("You are under attack by a poster!")</script>

See? All you get is text, not another alert.

Bill Venners

Posts: 2242
Nickname: bv
Registered: Jan, 2002

Re: You are Under Attack Posted: Feb 27, 2004 3:25 PM
Reply to this message Reply
> Wait a minute. This fear-mongering is getting out of
> hand. Since when is a JavaScript alert "malicious"?
> JavaScript runs in a limited sandbox on the client,
> nt, just like Java applets, does it not? Do you know of
> any exploits? If you can write a JavaScript that will
> modify or even read a file on the clients machine, I'd
> like to see it. In fact, I'd be interested in one that
> can simply copy some text to the clipboard.
>
I don't know about JavaScript's sandbox, but you could use JavaScript to do a redirect to another website, for example. It could be a porn site or a hate site--something people aren't expecting when they only wanted to read a thoughtful and interesting discourse on JavaScript security.

Another thing I actually do is strip out anything but text from the titles and summaries of weblog posts. So you can't get any JavaScript on Artima's home page by posting to your blog, or in the RSS feed. It is only the body of the weblog post that is open to everything, including JavaScript, Java applets, flash animations, ActiveX controls if those still exist. If you give ActiveX controls or Java applets full access to your system, they could wreak havoc. But last I heard there had not been a single actual occurrance of this kind of attack that has happened in practice.

Matt Gerrans

Posts: 1152
Nickname: matt
Registered: Feb, 2002

Re: You are Under Attack Posted: Feb 27, 2004 4:47 PM
Reply to this message Reply
> I don't know about JavaScript's sandbox, but you could use
> JavaScript to do a redirect to another website, for
> example.

You don't need JavaScript for that, all you need is something simple like this:

<meta http-equiv="REFRESH" content="3; URL=http://www.google.com/">

Tim Vernum

Posts: 58
Nickname: tpv
Registered: Dec, 2002

Re: You are Under Attack Posted: Feb 29, 2004 10:31 PM
Reply to this message Reply
> You don't need JavaScript for that, all you need is
> something simple like this:
>
> <meta http-equiv="REFRESH" content="3;&gt; URL=http://www.google.com/">

But META elements are supposed to be children of the <HEAD> element.

Very few sites let you embed user content directly into the <HEAD>, although I suspect a lot of them could do that with some creative use of titles - e.g. set the title to

</title><meta http-equiv="REFRESH" content="3; URL=http://www.google.com/">

Matt Gerrans

Posts: 1152
Nickname: matt
Registered: Feb, 2002

Re: You are Under Attack Posted: Mar 1, 2004 1:32 PM
Reply to this message Reply
> But META elements are supposed to be children of the
> <HEAD> element.
>
> Very few sites let you embed user content directly into
> the <HEAD>, although I suspect a lot of them could do that
> with some creative use of titles - e.g. set the title to
>

> </title><meta http-equiv="REFRESH" content="3;
> URL=http://www.google.com/">
>


You don't even have to get that creative: Just put it in the body and it works for IE. Opera is not fooled. I haven't tried any others, but since Microsoft (by innovation alone, no less!) was able to capture most of the browser market, that's already a pretty large number of browsers.

Steve Holden

Posts: 42
Nickname: holdenweb
Registered: Apr, 2003

Re: You are Under Attack Posted: Mar 30, 2004 1:25 PM
Reply to this message Reply
Can we say "Cross-site scripting"? It's very dangerous to allow uncontrolled user-created scripting, as many exploits have shown.

hackrobat

Posts: 14
Nickname: hackrobat
Registered: Jul, 2003

Re: You are Under Attack Posted: Mar 30, 2004 2:13 PM
Reply to this message Reply
> Now on the other hand, I think typing in HTML is a pain.

It's a pain, and it's prone to errors.

> What I think would really be nice is a nice what you see
> is what you get tool that bloggers could use to compose
> their posts.

Considering we're a decade into the Web, we should have had many tools like this widely deployed by now. Too bad we still write HTML by hand--not something Tim Berners-Lee had imagined.

Blogger.com has a point-and-click interface for composing posts--and it doesn't quite cut it (IMHO). LiveJournal.com has something much better but for IE users only.

Flat View: This topic has 13 replies on 1 page
Topic: The Crazy World of Telecommunications Charges Previous Topic   Next Topic Topic: The Seventh Jini Community Meeting (Final)


Sponsored Links



Google
  Web Artima.com   

Copyright © 1996-2014 Artima, Inc. All Rights Reserved. - Privacy Policy - Terms of Use - Advertise with Us