[Owasp-antisamy] is there an XSS risk with the target attributeon <a href>?

Arshan Dabirsiaghi arshan.dabirsiaghi at aspectsecurity.com
Wed Aug 6 21:11:20 EDT 2008


Eric,
 
Jason is right on all points. If you would like help adding it to your policy file, let us know and we can get you a customized version of your policy file, or just some XML snippets.
 
Cheers,
Arshan

________________________________

From: owasp-antisamy-bounces at lists.owasp.org on behalf of Jason Li
Sent: Wed 8/6/2008 1:38 PM
To: Eric Kreiser
Cc: owasp-antisamy at lists.owasp.org
Subject: Re: [Owasp-antisamy] is there an XSS risk with the target attributeon <a href>?



Eric,

Arshan may be able to provide some more insight into this policy when
he gets back, but here are my thoughts on the subject.

I'm not personally aware of any XSS attacks that can occur from the
target attribute, but if an attacker could hijack the target
attribute, they can influence the appearance of an application that
uses a lot of named popups.

This situation is similar to the reason why absolute positioning in
CSS and the base tag are scrubbed out by the default policy and why we
provide a way to blacklist specific selector names or identifiers.
While there is no direct XSS vulnerability in these three cases,
AntiSamy is meant to make rich content safe in a variety of contexts
including preventing modification of the appearance of the underlying
site. Such modifications can be used to launch phishing attacks
against unsuspecting users.

I suspect the concern is that by allowing the target attribute in the
anchor tag, user generated content could influence the underlying
site's organization of named popups or frames and this is why the
default policy is to scrub this attribute.

Hope that helps!
--
-Jason Li-
-li.jason.c at gmail.com-



On Wed, Aug 6, 2008 at 1:11 PM, Eric Kreiser <ekreiser at mzinga.com> wrote:
> Any thoughts on the subject???
>
>
> Eric Kreiser wrote:
>
> all of the base policy files seem to scrub it out.
>
> what is the risk of allowing a target attribute?
>
> thanks in advance for any help you can give me
> Eric Kreiser
>
>
> _______________________________________________
> Owasp-antisamy mailing list
> Owasp-antisamy at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-antisamy
>
>
>
> --
>
> Eric S. Kreiser
> Senior Software Architect
>
> Mzinga
> 5095 Ritter Road * Mechanicsburg, PA  17055
> ---------------------------------------------------
> Call my office: 717.458.9804
> Fax me: 717.790.0401
> Email me: ekreiser at mzinga.com
> Learn more: http://mzinga.com/v/ekreiser/
> Toll Free: 800.869.5763
>
>
>
> _______________________________________________
> Owasp-antisamy mailing list
> Owasp-antisamy at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-antisamy
>
>
_______________________________________________
Owasp-antisamy mailing list
Owasp-antisamy at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-antisamy


-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/owasp-antisamy/attachments/20080806/b9aa38e6/attachment.html 


More information about the Owasp-antisamy mailing list