CentOS - Jun 2009 - XSS (was Re: Centos 5.3 -> Apache - Under Attack ? Oh hell....)

Bob Hoffman wrote:

 > Since each install uses the same pages basically, it is easy for a 
autobot
 > to find them all and zero day your forums, xss your whatever, and so on.
 >
 > Dang scary to leave JS on at all....even though you basically have too.

Mozilla is beginning to address this issue with Content Security Policy

-=-
http://people.mozilla.org/~bsterne/content-security-policy/
-=-

CSP will require pro-active webmasters who use it and browsers that 
enforce the client side enforcement, but it's a step in the right direction.

I wrote a php class that partially implements CSP server side as an 
output filter

-=-
http://www.clfsrpm.net/xss/
-=-

It's DOMDocument based and thus requires the php xml stuff, I've only 
tested it under php 5.2.9 but it should work in 5.x.

The class does have some limitations, namely the document must be fully 
constructed and sent through the class before any of it is sent to the 
browser so web apps that do a lot of echo() and print() have to be 
re-written to not send anything until the page is fully constructed, and 
I've also found it has performance issues on complex pages with a lot of 
nodes, so for those kinds of pages I just create the page with the 
dynamic content first, send it through the filter, then create the nodes 
for static content I know is clean and use DOMDocument facilities to add 
those nodes before outputing the page to the client.

It's not possible to completely implement CSP server side, but the class 
will catch most violations of a CSP policy and thus give some protection 
to users who are not running a CSP aware web browser.

Another gotcha with the class, it seems importHTML() is not mb safe so 
if using importHTML() to get the document into a DOMDocument object for 
filtering, and the document contains any multi-byte characters, it seems 
libxml2 will encode them and there seems to be no way to stop it from 
doing it (at least with the php wrapper to libxml2). However if the 
document to be filtered is xhtml, you can use importXML() on it libxml2 
does the right thing in leaving the mb characters alone. Once filtered, 
you can use saveHTML() to produce html instead of xhtml for browser 
compatibility, it seems saveHTML() is mb safe.