[Owasp-antisamy] onsiteURL and offsiteURL accept urls with parameters

Arshan Dabirsiaghi arshan.dabirsiaghi at aspectsecurity.com
Fri Jun 13 14:25:52 EDT 2008


Maybe the malware blacklist API is reasonable, but otherwise I'd like to
stay out of the integrator's hair. Every other link on Slashdot is
goatse, and that's than malware, so I don't think they really care. =]
Arshan
From: Jim Manico [mailto:jim at manico.net] 
Sent: Friday, June 13, 2008 2:22 AM
To: Arshan Dabirsiaghi; Carlos Aguayo; owasp-antisamy at lists.owasp.org
Subject: RE: [Owasp-antisamy] onsiteURL and offsiteURL accept urls with parameters

IMO, AntiSamy should not allow all arbitrary urls. There should at least
be hooks to verify urls through malware blacklists like Google's malware
blacklist API provides. I would suspect that Slashdot is doing something
like this already.

- Jim



________________________________

From: Arshan Dabirsiaghi <arshan.dabirsiaghi at aspectsecurity.com>
Sent: Thursday, June 12, 2008 6:57 AM
To: Carlos Aguayo <carlos.aguayo at gmail.com>;
owasp-antisamy at lists.owasp.org
Subject: Re: [Owasp-antisamy] onsiteURL and offsiteURL accept urls with parameters

There are two reasons why we allow arbitrary HTTP URLs:

1. It's the Slashdot policy file, so we do exactly what Slashdot does.

2. That is the point of AntiSamy in general: to allow rich input.

You can lock down a policy file as much as you want, but the more you
lock it down, the less useful it is to your users. If you prevent URL
parameters from being in a URL, users can't put up a link to a CNN
article, or their profile page on a social network, etc.

Hope that helps.

Cheers,
Arshan
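As an added illustration of the trade-off Arshan describes and of why Carlos's link passes, here is a small Python model of an AntiSamy-style href allowlist (example code, not code from the thread or from AntiSamy itself). The two regex pairs are constructed approximations of what a policy file's onsiteURL/offsiteURL patterns look like, not the real Slashdot policy patterns; the sample HTML is constructed as well.

```python
import re

# Constructed approximations (assumptions, not the actual Slashdot policy):
# "permissive" admits query strings the way the thread describes,
# "strict" refuses '?', '&' and '=' entirely.
POLICIES = {
    "permissive": {
        "onsiteURL": r"[\w\-./#@$%+&;,?=!*()~]*",
        "offsiteURL": r"(https?|ftp)://[\w\-.]+[\w\-./#@$%+&;:,?=!*()~]*",
    },
    "strict": {
        "onsiteURL": r"[\w\-./#]*",
        "offsiteURL": r"(https?|ftp)://[\w\-.]+[\w\-./#]*",
    },
}

# Constructed sample input: Carlos's link, a relative profile link, and a
# javascript: URL that no allowlist should let through.
SAMPLE_HTML = (
    '<a href="http://mysite.com?first=12345&second=34567">click here</a>'
    '<a href="/profile?id=42">my profile</a>'
    '<a href="javascript:alert(1)">x</a>'
)

HREF = re.compile(r'href="([^"]*)"')


def href_allowed(url: str, policy: str) -> bool:
    """An href value is kept only if the WHOLE value matches onsiteURL or
    offsiteURL. Anchoring with fullmatch is the important part: a scheme
    such as javascript: cannot hide behind a valid-looking prefix."""
    return any(re.fullmatch(p, url) for p in POLICIES[policy].values())


def rejected_hrefs(html: str, policy: str) -> list:
    """Return the href values in html that the given policy would refuse
    (whether the attribute or the whole tag is then dropped is up to the
    policy's tag rule)."""
    return [u for u in HREF.findall(html) if not href_allowed(u, policy)]
```

The permissive pair keeps both parameterised links (the CNN-article and profile-page cases Arshan mentions) while still refusing the javascript: URL; the strict pair refuses all three, which is exactly the usability cost of locking the policy down.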
________________________________

From: owasp-antisamy-bounces at lists.owasp.org on behalf of Carlos Aguayo
Sent: Thu 6/12/2008 11:35 AM
To: owasp-antisamy at lists.owasp.org
Subject: [Owasp-antisamy] onsiteURL and offsiteURL accept urls with parameters

Hi,
By default both onsiteURL and offsiteURL accept url with parameters,
for example, the following link:

<a href="http://mysite.com?first=12345&second=34567">click here</a>

would pass using AntiSamy slashdot policy. Ultimately using AntiSamy
an attacker shouldn't be able to dynamically craft th



[The entire original message is not included]

