Bob Hoffman wrote:
Since each install uses the same pages basically, it is easy for an autobot to find them all and zero day your forums, xss your whatever, and so on.
Dang scary to leave JS on at all....even though you basically have to.
Mozilla is beginning to address this issue with Content Security Policy
-=- http://people.mozilla.org/~bsterne/content-security-policy/ -=-
CSP will require pro-active webmasters who use it and browsers that enforce the client side enforcement, but it's a step in the right direction.
I wrote a php class that partially implements CSP server side as an output filter
-=- http://www.clfsrpm.net/xss/ -=-
It's DOMDocument based and thus requires the php xml stuff, I've only tested it under php 5.2.9 but it should work in 5.x.
The class does have some limitations. Namely, the document must be fully constructed and sent through the class before any of it is sent to the browser, so web apps that do a lot of echo() and print() have to be re-written to not send anything until the page is fully constructed. I've also found it has performance issues on complex pages with a lot of nodes, so for those kinds of pages I just create the page with the dynamic content first, send it through the filter, then create the nodes for static content I know is clean and use DOMDocument facilities to add those nodes before outputting the page to the client.
It's not possible to completely implement CSP server side, but the class will catch most violations of a CSP policy and thus give some protection to users who are not running a CSP aware web browser.
Another gotcha with the class: it seems importHTML() is not mb safe, so if using importHTML() to get the document into a DOMDocument object for filtering, and the document contains any multi-byte characters, it seems libxml2 will encode them and there seems to be no way to stop it from doing it (at least with the php wrapper to libxml2). However, if the document to be filtered is xhtml, you can use importXML() on it; libxml2 does the right thing in leaving the mb characters alone. Once filtered, you can use saveHTML() to produce html instead of xhtml for browser compatibility; it seems saveHTML() is mb safe.
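To make the idea of a server-side CSP output filter concrete, here is an added example written for this page; it is not the class from clfsrpm.net and not part of the original post. It shows the three things such a filter can enforce from the DOM after the whole page has been buffered: inline `<script>` blocks are dropped, external scripts must come from a host on an allow list (with `'self'` standing for same-origin relative URLs, mirroring the CSP script-src idea), and inline event-handler attributes plus `javascript:` URLs are stripped. It uses DOMDocument::loadHTML()/saveHTML() and a DOMXPath query; the class name `CspOutputFilter`, the allow-list format and the sample page are assumptions made here. The `<?xml encoding="UTF-8">` prefix is one widely used way to keep libxml2's HTML parser from treating UTF-8 bytes as Latin-1, which addresses the multi-byte gotcha above; the processing instruction it leaves behind is removed before serialisation. Wrapping the filter in ob_start() is how an app full of echo()/print() calls can satisfy the "fully constructed before output" requirement without being rewritten.

```php
<?php
// Added example (not the clfsrpm.net class): a minimal DOMDocument-based output
// filter that enforces the "no inline script, only allowed script hosts" part
// of a CSP policy on the server. Assumes PHP 5.x+ with ext/dom (libxml2).

class CspOutputFilter
{
    /** Allowed script origins: hostnames plus the literal "'self'" for relative URLs. */
    private $allowedScriptSources;

    public function __construct(array $allowedScriptSources)
    {
        $this->allowedScriptSources = array_map('strtolower', $allowedScriptSources);
    }

    /** Filter a complete HTML document and return the cleaned markup. */
    public function filter($html)
    {
        $doc = new DOMDocument();
        $previous = libxml_use_internal_errors(true); // tolerate tag soup quietly
        // Declaring the encoding first keeps multi-byte UTF-8 characters intact.
        $doc->loadHTML('<?xml encoding="UTF-8">' . $html);
        libxml_use_internal_errors($previous);

        $xpath = new DOMXPath($doc);

        // 1. Inline <script> (no src) is removed; external scripts must match the allow list.
        foreach (iterator_to_array($xpath->query('//script')) as $script) {
            $src = $script->getAttribute('src');
            if ($src === '' || !$this->isAllowedScriptSource($src)) {
                $script->parentNode->removeChild($script);
            }
        }

        // 2. Intrinsic event handlers (onclick, onload, ...) are inline script too.
        $lower = 'translate(name(), "ABCDEFGHIJKLMNOPQRSTUVWXYZ", "abcdefghijklmnopqrstuvwxyz")';
        foreach (iterator_to_array($xpath->query('//@*[starts-with(' . $lower . ', "on")]')) as $attr) {
            $attr->ownerElement->removeAttributeNode($attr);
        }

        // 3. javascript: URLs in navigation/resource attributes are inline script by another route.
        foreach (iterator_to_array($xpath->query('//@href | //@src | //@action')) as $attr) {
            if (preg_match('/^\s*javascript:/i', $attr->value)) {
                $attr->ownerElement->removeAttributeNode($attr);
            }
        }

        // Drop the <?xml ...> processing instruction the encoding prefix introduced.
        foreach (iterator_to_array($doc->childNodes) as $node) {
            if ($node->nodeType === XML_PI_NODE) {
                $doc->removeChild($node);
            }
        }
        $doc->encoding = 'UTF-8';
        return $doc->saveHTML();
    }

    /** True if $src points at an allowed host, or is same-origin and 'self' is allowed. */
    private function isAllowedScriptSource($src)
    {
        $parts = parse_url($src);
        if ($parts === false) {
            return false; // unparseable URL: fail closed
        }
        if (!isset($parts['host'])) {
            // No host and no scheme means a relative (same-origin) URL; a scheme-only
            // URL such as javascript:... has no host either and is rejected here.
            return !isset($parts['scheme']) && in_array("'self'", $this->allowedScriptSources, true);
        }
        return in_array(strtolower($parts['host']), $this->allowedScriptSources, true);
    }
}

// Constructed sample page (assumption, not from the original post) exercising each rule.
$page = '<!DOCTYPE html><html><head><meta charset="utf-8"><title>Tëst</title>'
      . '<script src="https://cdn.example.org/app.js"></script>'
      . '<script>alert(1)</script></head>'
      . '<body onload="alert(2)"><a href="javascript:alert(3)">link</a>'
      . '<script src="/local.js"></script><script src="//evil.example/x.js"></script>'
      . '<p>ünïcode survives the round trip</p></body></html>';

$filter = new CspOutputFilter(array("'self'", 'cdn.example.org'));
ob_start(array($filter, 'filter')); // buffer every echo()/print(); filter runs once at flush
echo $page;
ob_end_flush();
```

After the flush, only the cdn.example.org and /local.js scripts remain; the inline script, the onload handler, the javascript: href and the protocol-relative evil.example script are gone, and the multi-byte characters are serialised unchanged. As the post says, this cannot replace the browser-side policy: the DOM only shows what the parser built, and a CSP-aware browser still has to enforce the policy for users of that browser, so the filter is a complement for everyone else.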