[Owasp-antisamy] Owasp-antisamy Digest, Vol 18, Issue 10

Jason Copp jason at singsnap.com
Tue May 26 15:49:50 EDT 2009


Great point on the embed / object. This is preventable by setting
allowscriptaccess to never. I replace all occurances of allowscriptaccess
with garbage, and inject allowscriptaccess = "never" for every object /
embed tag.

It's not perfect, but its a balance.

On Tue, May 26, 2009 at 3:01 PM, Arshan Dabirsiaghi <
arshan.dabirsiaghi at aspectsecurity.com> wrote:

>  The param being swallowed, if it's allowed in your policy file,
> represents a bug. It might be a regression for the recent "formjacking" type
> of attack we tried to prevent.
>
> Did I miss an email that had some example strings? I'd like to be able look
> at what's happening here.
>
> Also, it should be noted that allowing arbitrary <embed> content is
> essentially the same as allowing <script> content. You can use the embed tag
> to import malicious Flash that executes arbitrary JavaScript, or use the
> data scheme to execute JavaScript directly [1].
>
> Arshan
>
> [1] http://ha.ckers.org/xss.html
>
>
> ------------------------------
> *From:* owasp-antisamy-bounces at lists.owasp.org on behalf of Jason Copp
> *Sent:* Tue 5/26/2009 2:40 PM
> *To:* Andrew Grosset
> *Cc:* owasp-antisamy at lists.owasp.org
> *Subject:* Re: [Owasp-antisamy] Owasp-antisamy Digest, Vol 18, Issue 10
>
> That is nearly my exact work-around, but now I've found that antisamy barks
> up the CSS that myspace css generators make, so it mustn't be 100%
> compatible. We fully allow object and embed, and style sheets, etc, just
> like myspace, so I am going with a blacklist for now. We use additional
> behind the scenes protection for the main concern (cookie hijacking) and
> must balance security with expectations, as always.
>
> Thanks though,
> Jason
>
> On Tue, May 26, 2009 at 1:16 PM, Andrew Grosset <ag5743 at telus.net> wrote:
>
>> owasp-antisamy-request at lists.owasp.org wrote:
>>
>> Hi folks,
>>
>> I've got antisamy 1.3 running under CF8. I'm unable to allow the <param>
>> tag regardless of it's inclusion in a policy file or not. I can add any
>> other tag, including object and applet.
>>
>> I searched the source to determine if it is hard coded but didn't find it
>> (but that was tough since the word param is all over the source).
>>
>> Additionally, is there a directive or some other method of specifically
>> allowing a tag that has no content? The <param> tag used on sites like
>> youtube in their embed code is in this format and I wish to allow it.
>>
>>
>> Thanks,
>> Jason
>>
>> --
>>
>> Find me on SingSnap:
>> http://www.singsnap.com/jason
>>
>> ------------------------------
>>
>> _______________________________________________
>> Owasp-antisamy mailing listOwasp-antisamy at lists.owasp.orghttps://lists.owasp.org/mailman/listinfo/owasp-antisamy
>>
>> Hi Jason,
>>
>> I convert the youTube object into a gif image with a specific (style)
>> class and  the id of the movie into the title of the image then pass it
>> through anti-samy after that I  convert the image back into a youTube
>> object. Trying to allow <param> or <object> tags under specific
>> circumstances is dangerous to say the least so if allowing a youTube object
>> you have to be real careful that it actually is genuine. All you need to
>> look for with youTube is the id of the movie and parse that to make sure its
>> only alphanumeric and "-" and "_" and "&amp;" then build the object again
>> using that id.
>>
>> Andrew.
>>
>> _______________________________________________
>> Owasp-antisamy mailing list
>> Owasp-antisamy at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-antisamy
>>
>>
>
>
> --
>
> Find me on SingSnap:
> http://www.singsnap.com/jason
>



-- 

Find me on SingSnap:
http://www.singsnap.com/jason
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/owasp-antisamy/attachments/20090526/065e3dd2/attachment.html 


More information about the Owasp-antisamy mailing list