[Catalyst] Picking template type based on input

Bill Moseley moseley at hank.org
Sat Mar 27 15:09:49 GMT 2010


Hi,

Sorry, I'm having a hard time understanding what you wrote below.  Do you
have a specific attack vector you are concerned with or just a general
concern to protect against cross site scripting?

Perhaps you could provide a specific example or link to an example we can
review if it's something specific.
Maybe someone else can respond if you have a specific attack in question.

If it's a general concern then the answer is you make safe all user data
that is reflected back to the user or any other users.

Other comments below:


On Fri, Mar 26, 2010 at 3:52 PM, Jon mailinglists <jon.mlist at gmail.com> wrote:

> User data for instance, say I have an application which is password
> protected and I'm using the Authenticate/Authorize model coming with
> Catalyst. I then protect the user data with a session cookie making
> sure $c->user->address is shown and editable by the logged in user
> (based on the thought that only the user can send me the cookie).
>

Untangling that, I think you are concerned that a user could modify their
"address" and have it reflected (displayed) back to them.  And if that
"address" is not correctly sanitized (escaped) then there's risk of cross
site scripting.   Is that correct?

The general answer there is, again, never reflect user-entered data without
escaping.


> How do I protect that from another site with another tab? YUI.Get
> allows cross site requests, I haven't looked in too deep into it but
> when I take the url I see the javascript requests in gmail does and
> put it in a small YUI snippet will I get all my mail:
>
> https://mail.google.com/mail/?ui=2&ik=a_secret_token_or_my_id&view=tl&start=0&num=70&rt=h&search=drafts&zx=a_secret_token_or_my_id


Lost me there.  What is your concern with another tab?  Browser should not
allow one tab to run script in the context of another tab.

From what I understand, YUI.Get simply allows dynamically fetching content
from third-party sites (just like you can with markup in your page).  That's
not a security risk itself, unless you are fetching from an untrusted
third-party site.

You would have to add the YUI.Get code in the first place to your own page
so it's not really cross site scripting if it's your own script that is
running.

Sorry, I don't understand your last half a sentence about gmail.  (Although,
I've often wondered about their auth mechanism.)

> <...>
>
> And again, I'm no security expert and this with javascript/browser
> lack of security is fairly new to me so I'm not at all betting my
> dirty undies that I'm correct. I'd be a lot happier if I'm not since
> this would add a lot of hassle.


I'm not a security expert, either.  This may be the wrong list for security
experts.

But, in general, off the top of my head the standard recommendations
include:

   - Use cookies for your auth token.  Avoid more complex schemes for
   passing tokens around.
   - Use SSL if your site needs to protect private data and user confidence.
   - Change session ids upon authorization or switch to SSL.
   - Use secure cookies (only returned over SSL).
   - Use HttpOnly cookies (prevents cookie access in most clients).
   - Escape all reflected user data.
   - Avoid creating pages that allow users to enter (and reflect) markup.

I'm sure there's others that people here can recommend.


-- 

Bill Moseley
moseley at hank.org