[Owasp-antisamy] onsiteURL and offsiteURL accept urls with parameters
arshan.dabirsiaghi at aspectsecurity.com
Sun Jun 22 22:48:22 EDT 2008
I had a brain fart during this discussion - it's impossible to verify the URLs in a useful way. We already decided this when opting to only allow the "importing" of remote stylesheets. The attacker can obviously control the remote data, so it's simple for them to host innocent data during initial validation, then replace it with malware/goatse afterwards.
From: Jim Manico [mailto:jim at manico.net]
Sent: Fri 6/13/2008 2:22 AM
To: Arshan Dabirsiaghi; Carlos Aguayo; owasp-antisamy at lists.owasp.org
Subject: RE: [Owasp-antisamy] onsiteURL and offsiteURL accept urls with parameters
IMO, AntiSamy should not allow all arbitrary URLs. There should at least be hooks to verify URLs through malware blacklists like Google's malware blacklist API provides. I would suspect that Slashdot is doing something like this already.
From: Arshan Dabirsiaghi <arshan.dabirsiaghi at aspectsecurity.com>
Sent: Thursday, June 12, 2008 6:57 AM
To: Carlos Aguayo <carlos.aguayo at gmail.com>; owasp-antisamy at lists.owasp.org
Subject: Re: [Owasp-antisamy] onsiteURL and offsiteURL accept urls with parameters
There are two reasons why we allow arbitrary HTTP URLs:

1. It's the Slashdot policy file, so we do exactly what Slashdot does.
2. That is the point of AntiSamy in general: to allow rich input.
You can lock down a policy file as much as you want, but the more you lock it down, the less useful it is to your users. If you prevent URL parameters from being in a URL, users can't put up a link to a CNN article, or their profile page on a social network, etc.
Hope that helps.
From: owasp-antisamy-bounces at lists.owasp.org on behalf of Carlos Aguayo
Sent: Thu 6/12/2008 11:35 AM
To: owasp-antisamy at lists.owasp.org
Subject: [Owasp-antisamy] onsiteURL and offsiteURL accept urls with parameters
By default both onsiteURL and offsiteURL accept URLs with parameters,
for example, the following link:
<a href="http://mysite.com?first=12345&second=34567">click here</a>
would pass using the AntiSamy Slashdot policy. Ultimately using AntiSamy
an attacker shouldn't be able to dynamically craft th
[The entire original message is not included]
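As an added example (not code from AntiSamy, Slashdot or anyone in this thread), the Python script below approximates how AntiSamy applies the onsiteURL/offsiteURL regexps to an href, reproduces the result Carlos reports for a parameterised link, and shows what happens under the locked-down policy Arshan argues against. The two patterns are recalled approximations of the Slashdot policy's regexps, with Python's \w substituted for Java's \p{L}\p{N}; NO_QUERY_POLICY and the sample hrefs are constructed for the demonstration and are not part of any shipped policy file.

```python
import re

# Added example, not AntiSamy code. The two patterns below are an approximation
# (recalled from memory, not copied) of the onsiteURL / offsiteURL regexps in the
# AntiSamy Slashdot policy file of 2008. The originals are Java regexes built on
# \p{L}\p{N}; Python's re has no \p{..}, so \w (Unicode letters, digits and the
# underscore) stands in for them. AntiSamy requires the whole attribute value to
# match, hence fullmatch() below.
SLASHDOT_POLICY = {
    # relative URL: no colon allowed anywhere, so a "javascript:" scheme cannot
    # slip through this branch
    "onsiteURL": re.compile(r"(?:[\w\\.#@$%+&;\-~,?=/!]+|#\w+)"),
    # absolute URL: scheme restricted to http(s), ftp(s), mailto; note that
    # '?', '&' and '=' are in the character class, so query strings pass
    "offsiteURL": re.compile(
        r"\s*(?:(?:ht|f)tps?://|mailto:)\w+[\w \.#@$%+&;:\-~,?=/!()]*\s*"
    ),
}

# Hypothetical tightened policy (our own edit, not shipped with AntiSamy):
# '?', '&' and '=' removed from the offsite character class, i.e. no query
# strings on absolute links. This is the lock-down Arshan argues against.
NO_QUERY_POLICY = {
    "onsiteURL": SLASHDOT_POLICY["onsiteURL"],
    "offsiteURL": re.compile(
        r"\s*(?:(?:ht|f)tps?://|mailto:)\w+[\w \.#@$%+;:\-~,/!()]*\s*"
    ),
}


def classify_href(href, policy):
    """Mirror AntiSamy's handling of an href attribute under a policy: the value
    must fully match onsiteURL or offsiteURL, otherwise the attribute is dropped.
    Returns "onsite", "offsite" or None (rejected)."""
    if policy["onsiteURL"].fullmatch(href):
        return "onsite"
    if policy["offsiteURL"].fullmatch(href):
        return "offsite"
    return None


# Constructed sample hrefs: the one from Carlos's message, legitimate
# article/profile style links with and without parameters, and two values
# that must never pass under any policy.
SAMPLE_HREFS = [
    "http://mysite.com?first=12345&second=34567",
    "http://www.cnn.com/2008/06/12/story.html?hpt=T1",
    "/profile?id=42",
    "http://www.cnn.com/2008/06/12/story.html",
    "javascript:alert(1)",
    "data:text/html,<script>alert(1)</script>",
]


def compare_policies(hrefs=SAMPLE_HREFS):
    """Return {href: (verdict under Slashdot policy, verdict under no-query policy)}."""
    return {
        h: (classify_href(h, SLASHDOT_POLICY), classify_href(h, NO_QUERY_POLICY))
        for h in hrefs
    }


if __name__ == "__main__":
    for href, (loose, strict) in compare_policies().items():
        print(f"{href:50} slashdot={loose!s:8} no-query={strict!s}")
```

Run as-is, the script shows the trade-off in one table: the Slashdot-style patterns admit Carlos's link and the CNN-style article link while still rejecting javascript: and data: values (the colon never matches onsiteURL and the scheme never matches offsiteURL), whereas the no-query variant rejects both parameterised absolute links and only still accepts the parameter-free CNN URL. Relative links such as /profile?id=42 keep their parameters under both policies because onsiteURL was left untouched. Neither policy looks at what the URL points to, which is the limitation Arshan's last message describes.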