[Owasp-antisamy] onsiteURL and offsiteURL accept urls withparameters
jim at manico.net
Mon Jun 23 00:36:31 EDT 2008
> it's impossible to verify the URLs in a useful way
With all due respect, I do not agree with this conjecture. Remember, we
are talking defense in depth. Some use cases where URL verification
1) Intranet applications where use driven URL's should be intranet url's
only (whitelist verification style)
2) Running url's through known malware blacklists using the Google
malware url api http://code.google.com/apis/safebrowsing/ (blacklist style)
3) Allowing URL's to only be a certain content type (no links to .exe
And of course there are ways around these projections - this is just one
useful defense-in-depth layer of protection.
I'm also not saying that AntiSamy needs to do any of this, but I think
AntiSamy should *at least provide the hook* so developers can choose to
do so if they like.
> I had a brain fart during this discussion - it's impossible to verify
> the URLs in a useful way. We already decided this this out when opting
> to only allow the "importing" of remote stylesheets. The attacker can
> obviously control the remote data, so it's simple for them to host
> innocent data during initial validation, then replace it with
> malware/goatse afterwards.
> -----Original Message-----
> From: Jim Manico [mailto:jim at manico.net]
> Sent: Fri 6/13/2008 2:22 AM
> To: Arshan Dabirsiaghi; Carlos Aguayo; owasp-antisamy at lists.owasp.org
> Subject: RE: [Owasp-antisamy] onsiteURL and offsiteURL accept urls
> IMO, AntiSamy should not allow all arbitrary urls. There should at
> least be hooks to verify urls through malware blacklists like Google's
> malware blacklist API provides. I would suspect that Slashdot is doing
> something like this already.
> - Jim
> -----Original Message-----
> From: Arshan Dabirsiaghi <arshan.dabirsiaghi at aspectsecurity.com>
> Sent: Thursday, June 12, 2008 6:57 AM
> To: Carlos Aguayo <carlos.aguayo at gmail.com>;
> owasp-antisamy at lists.owasp.org
> Subject: Re: [Owasp-antisamy] onsiteURL and offsiteURL accept urls
> There are two reasons why we allow arbitrary HTTP URLs:
> It's the Slashdot policy file, so we do exactly what Slashdot does.
> That is the point of AntiSamy in general: to allow rich input.
> You can lock down a policy file as much as you want, but the more you
> lock it down, the less useful it is to your users. If you prevent URL
> parameters from being in a URL, users can't put up a link to a CNN
> article, or their profile page on a social network, etc.
> Hope that helps.
> From: owasp-antisamy-bounces at lists.owasp.org on behalf of Carlos Aguayo
> Sent: Thu 6/12/2008 11:35 AM
> To: owasp-antisamy at lists.owasp.org
> Subject: [Owasp-antisamy] onsiteURL and offsiteURL accept urls
> By default both onsiteURL and offsiteURL accept url with parameters,
> for example, the following link:
> <a href="http://mysite.com?first=12345&second=34567
> <http://mysite.com?first=12345&second=34567>">click here</a>
> would pass using AntiSamy slashdot policy. Ultimately using AntiSamy
> an attacked shouldn't be able to dynamically craft th
> [The entire original message is not included]
Jim Manico, Senior Application Security Engineer
jim.manico at aspectsecurity.com | jim at manico.net
(301) 604-4882 (work)
(808) 652-3805 (cell)
Securing your applications at the source
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Owasp-antisamy