[Owasp-antisamy] onsiteURL and offsiteURL accept urls withparameters

Jim Manico jim at manico.net
Mon Jun 23 00:36:31 EDT 2008


 >  it's impossible to verify the URLs in a useful way

With all due respect, I do not agree with this conjecture. Remember, we 
are talking defense in depth. Some use cases where URL verification 
seems useful:

1) Intranet applications where use driven URL's should be intranet url's 
only (whitelist verification style)
2) Running url's through known malware blacklists using the Google 
malware url api http://code.google.com/apis/safebrowsing/ (blacklist style)
3) Allowing URL's to only be a certain content type (no links to .exe 
file, etc)

And of course there are ways around these projections - this is just one 
useful defense-in-depth layer of protection.

I'm also not saying that AntiSamy needs to do any of this, but I think 
AntiSamy should *at least provide the hook* so developers can choose to 
do so if they like.

- Jim


> I had a brain fart during this discussion - it's impossible to verify 
> the URLs in a useful way. We already decided this this out when opting 
> to only allow the "importing" of remote stylesheets. The attacker can 
> obviously control the remote data, so it's simple for them to host 
> innocent data during initial validation, then replace it with  
> malware/goatse afterwards.
>
> Cheers,
> Arshan
>
> -----Original Message-----
> From: Jim Manico [mailto:jim at manico.net]
> Sent: Fri 6/13/2008 2:22 AM
> To: Arshan Dabirsiaghi; Carlos Aguayo; owasp-antisamy at lists.owasp.org
> Subject: RE: [Owasp-antisamy] onsiteURL and offsiteURL accept urls 
> withparameters
>
> IMO, AntiSamy should not allow all arbitrary urls. There should at 
> least be hooks to verify urls through malware blacklists like Google's 
> malware blacklist API provides. I would suspect that Slashdot is doing 
> something like this already.
>
> - Jim
>
>
> -----Original Message-----
> From: Arshan Dabirsiaghi <arshan.dabirsiaghi at aspectsecurity.com>
> Sent: Thursday, June 12, 2008 6:57 AM
> To: Carlos Aguayo <carlos.aguayo at gmail.com>; 
> owasp-antisamy at lists.owasp.org
> Subject: Re: [Owasp-antisamy] onsiteURL and offsiteURL accept urls 
> withparameters
>
> There are two reasons why we allow arbitrary HTTP URLs:
> It's the Slashdot policy file, so we do exactly what Slashdot does.
> That is the point of AntiSamy in general: to allow rich input.
> You can lock down a policy file as much as you want, but the more you 
> lock it down, the less useful it is to your users. If you prevent URL 
> parameters from being in a URL, users can't put up a link to a CNN 
> article, or their profile page on a social network, etc.
> Hope that helps.
> Cheers,
> Arshan
>
> From: owasp-antisamy-bounces at lists.owasp.org on behalf of Carlos Aguayo
> Sent: Thu 6/12/2008 11:35 AM
> To: owasp-antisamy at lists.owasp.org
> Subject: [Owasp-antisamy] onsiteURL and offsiteURL accept urls 
> withparameters
>
> Hi,
> By default both onsiteURL and offsiteURL accept url with parameters,
> for example, the following link:
>
> <a href="http://mysite.com?first=12345&second=34567 
> <http://mysite.com?first=12345&second=34567>">click here</a>
>
> would pass using AntiSamy slashdot policy. Ultimately using AntiSamy
> an attacked shouldn't be able to dynamically craft th
>
> [The entire original message is not included]
>


-- 
Jim Manico, Senior Application Security Engineer
jim.manico at aspectsecurity.com | jim at manico.net
(301) 604-4882 (work)
(808) 652-3805 (cell)

Aspect Security™
Securing your applications at the source
http://www.aspectsecurity.com

-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/owasp-antisamy/attachments/20080622/189f1348/attachment.html 


More information about the Owasp-antisamy mailing list