[WEB SECURITY] RE: XSS-Phishing on Financial Sites (Tip of the iceberg)

Brian Eaton eaton.lists at gmail.com
Tue Jun 27 13:38:35 EDT 2006

On 6/26/06, RSnake <rsnake at shocking.com> wrote:
> I post a blog and want to embed a youtube movie.  It
> would (or should anyway) break due to the fact that you have not opened
> your site to youtube.com.  Opening it has obviously bad implications,
> and closing it means I can't embed the movie remotely.  Tough choice!

Not quite, the system I'm talking about would only specify policy for
incoming links.  Outgoing links would be completely uncontrolled.  If
you posted a link on ha.ckers.org to youtube.com, the browser would
check youtube.com/cslpolicy.xml to see whether it should follow the
link.  Since youtube.com is all about accepting links from arbitrary
places, I'm sure their CSL policy would allow that.

OTOH, let's say that someone on www.malicious.com wanted to link to
ha.ckers.org.  You probably want to allow links from www.malicious.com
to most of your pages, but probably not to the scripts that actually
make changes to the site, e.g. the comment submission scripts.  Just
for kicks, I poked around ha.ckers.org a bit to see what a CSL policy
might look like.  How about this:

Destination: http://ha.ckers.org/blog/wp-comments-post*
Allowed sources: http://ha.ckers.org/blog/*/*
Reasoning: nobody but you has any business writing a form that submits
comments to your blog.

Destination: http://ha.ckers.org/**
Allowed sources: *
Reasoning: most of your content is public, and you want people to be
able to link to it.

To be honest, I don't much like that policy.  It's enumerating
badness.  And it's just aching for dual interpretation bugs, where the
browser doesn't recognize that a request is going to wp-comments-post,
but your web server does.  But maybe for a public access web site that
is as good as it gets.

>         One last comment, the size of these CSL pages has to stay
> relatively small for our poor bandwidth constrained modem users, or it
> will never get adopted globally.
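A toy evaluator for the policy sketched in the message above, added here as an illustration; it is not code from this thread or from any real CSL implementation. The rule format (Destination / Allowed sources with `*` and `**` globs) follows the two entries in the message; the glob semantics, the default-allow when no rule matches, the function names (`decideNaive`, `canonicalize`, `decide`) and the two alternate spellings of the wp-comments-post URL are assumptions made for the example. It demonstrates the "dual interpretation" problem the message raises: a matcher that compares the link exactly as the linking page wrote it lets both alternate spellings fall through to the permissive catch-all rule, while one that canonicalizes the URL first (resolving dot segments and decoding unreserved percent-escapes, the way a typical web server does) sends them to the restrictive rule.

```javascript
// Added example: toy evaluator for the "CSL policy" sketched in the thread.
// Policy = list of {destination, allowedSources} glob rules; the first rule
// whose destination matches decides. Assumed glob semantics: "*" matches any
// run of characters except "/", "**" matches anything, a bare "*" source
// means "any source". None of this is from a real specification.

// Policy constructed from the two entries in the message above.
const POLICY = [
  { destination: "http://ha.ckers.org/blog/wp-comments-post*",
    allowedSources: ["http://ha.ckers.org/blog/*/*"] },
  { destination: "http://ha.ckers.org/**",
    allowedSources: ["*"] },
];

function globToRegExp(glob) {
  let re = "";
  for (let i = 0; i < glob.length; i++) {
    if (glob[i] === "*") {
      if (glob[i + 1] === "*") { re += ".*"; i++; } else { re += "[^/]*"; }
    } else {
      re += glob[i].replace(/[.+?^${}()|[\]\\]/g, "\\$&");
    }
  }
  return new RegExp("^" + re + "$");
}

function matchesAny(patterns, value) {
  return patterns.some(p => p === "*" || globToRegExp(p).test(value));
}

// Check with no normalisation: compares the URL strings as the linking page wrote them.
function decideNaive(policy, sourceUrl, destUrl) {
  for (const rule of policy) {
    if (globToRegExp(rule.destination).test(destUrl)) {
      return matchesAny(rule.allowedSources, sourceUrl);
    }
  }
  return true; // assumption: no matching rule means the site did not opt in, so allow
}

// Decode only RFC 3986 "unreserved" characters (ALPHA / DIGIT / "-" / "." / "_" / "~").
// Reserved ones such as %2F stay encoded so the segment structure is not changed.
function decodeUnreserved(path) {
  return path.replace(/%([0-9a-fA-F]{2})/g, (enc, hex) => {
    const ch = String.fromCharCode(parseInt(hex, 16));
    return /[A-Za-z0-9\-._~]/.test(ch) ? ch : enc.toUpperCase();
  });
}

// Canonical form close to what the server will route on: WHATWG URL parsing
// lowercases scheme and host, drops a default port and resolves "." and ".."
// segments; then unreserved percent-escapes are decoded. Query and fragment
// are dropped because the policy is keyed on which script is hit.
function canonicalize(urlString) {
  const u = new URL(urlString);
  return u.protocol + "//" + u.host + decodeUnreserved(u.pathname);
}

function decide(policy, sourceUrl, destUrl) {
  return decideNaive(policy, canonicalize(sourceUrl), canonicalize(destUrl));
}

// Constructed inputs: two spellings of the comment script's URL that the naive
// matcher does not recognise but a typical server resolves to wp-comments-post.php.
const EVASIONS = [
  "http://ha.ckers.org/blog/./wp-comments-post.php",
  "http://ha.ckers.org/blog/wp%2Dcomments-post.php",
];

// Returns, for each evasion, the naive and the canonicalized verdict for a
// link from an unrelated site.
function demo() {
  const src = "http://www.malicious.com/page.html";
  return EVASIONS.map(dst => ({
    dst,
    naive: decideNaive(POLICY, src, dst),      // true: falls through to the "**" rule
    canonical: decide(POLICY, src, dst),       // false: hits the wp-comments-post rule
  }));
}

console.log(demo());
```

The fix shown here is only the first of the two halves of the problem: the browser's canonical form still has to agree with what the destination server actually does (case folding, double decoding, path-info suffixes), which is exactly why the message calls a policy written this way "aching for dual interpretation bugs".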



