Jul - Craziness Domain - No Fun Allowed: XSS testing zone
riking
Posted on 01-24-18 08:55:51 PM (last edited by riking at 01-24-18 08:56:32 PM)
Discoveries so far:
- You can't use Preview Post because Chrome will nuke the page

Right click to make a popup


edit: right click, then right click again on the text
Nicole

Posted on 01-24-18 08:57:41 PM
Originally posted by maple
using onclick is xss?

The board is supposed to be preventing any JS from running, so yes...
riking
Posted on 01-24-18 08:58:02 PM (last edited by riking at 01-24-18 09:14:55 PM)
EDIT: Changed the event to wait for you to press play because DANG THAT'S REALLY ANNOYING



ontimeupdate version. don't press play unless you want to suffer:

riking
Posted on 01-24-18 09:03:15 PM
XSS is the general term for scripting that doesn't come from the site "author", where "author" is the entity supposed to be vetting all scripts to be run on the page.

There's no CSP here or anything, so any JS code can be turned into "load an external script, and that external script steals your stuff / makes posts as you / whatever".

I've studied up on web security.
Kaito Sinclaire
Posted on 01-24-18 09:03:42 PM
the disadvantage of allowing html: if you don't want javascript, hope you know what absolutely every single tag key is that runs javascript so you can strip them all out

things were so much better when js wasn't so prevalent and BS

(also #x currently has a filter to block any lines with the text "New reply from", so actual discussion can take place)
riking
Posted on 01-24-18 09:10:45 PM
Yeah, I titled the thread "No Fun Allowed" because blocking this big list of events is not fun. https://developer.mozilla.org/en-US/docs/Web/Events#Media_Events
riking
Posted on 01-24-18 09:17:04 PM (last edited by riking at 01-24-18 09:17:30 PM)
Originally posted by maple
Originally posted by riking
I've studied up on web security.

sorry

??? what?

You had a valid question! This is one of those things that's really hard to get right, and almost nobody in the past thought it was even necessary to get right!!

Developer education is basically the only way these web platform exploit classes are ever going to get fixed, so don't feel bad for asking questions about it!
Xkeeper

Posted on 01-24-18 09:22:12 PM
sigh
Kaito Sinclaire
Posted on 01-24-18 09:22:28 PM
As far as I'm aware every key has to start with "on____" so maybe just stripping anything that's in that format would work for the foreseeable future without having to keep an ever-growing list of specific keys blocked

I feel like there's probably something in the spec that coincidentally starts with "on" though, which will be broken by that, however
riking
Posted on 01-24-18 09:30:41 PM (last edited by riking at 01-24-18 09:31:10 PM)
Originally posted by Kaito Sinclaire
As far as I'm aware every key has to start with "on____" so maybe just stripping anything that's in that format would work for the foreseeable future without having to keep an ever-growing list of specific keys blocked

I feel like there's probably something in the spec that coincidentally starts with "on" though, which will be broken by that, however


According to the index on the basic HTML5 specification, https://html.spec.whatwg.org/multipage/indices.html#attributes-3, there are no non-event attributes that start with on.
Tarale
Posted on 01-24-18 10:27:01 PM
Jesus Christ, mate, buy a girl dinner first?
Xkeeper

Posted on 01-25-18 12:37:13 AM
Your latest methods for causing trouble should be gone.
rakiru
Posted on 01-25-18 07:52:02 AM (last edited by rakiru at 01-25-18 07:52:50 AM)
Trying to avoid this stuff with blacklisting is not really a valid strategy; you should really use some sort of proper sanitiser with a whitelist. There's one called "HTML Purifier" that I've seen come up a couple times, but I'm not a PHP dev, so I have no idea what it's like.
Xkeeper
Posted on 01-25-18 12:43:56 PM
I'm not whitelisting every single tag and attribute when blocking a limited subset solves 99% of the problems and banning people solves the other 1%.

Perfect is the enemy of the good, etc.
rakiru
Posted on 01-26-18 11:34:58 AM
I'm pretty sure "perfect is the enemy of good" is meant for cases where "perfect" is impossible (or close to it), and good is (relatively) easy, which is really not the case here. Whatever, your forum, and I have JS disabled anyway.
Xkeeper

Posted on 01-26-18 12:22:25 PM (last edited by Xkeeper at 01-26-18 12:23:39 PM)

A widely accepted interpretation of "The perfect is the enemy of the good" is that one might never complete a task if one has decided not to stop until it is perfect: completing the project well is made impossible by striving to complete it perfectly.

I don't really want to argue semantics, but you brought it up.

Doing this perfectly would require:
- Bolting on some form of HTML-parsing utility that is capable of ingesting often-not-well-formed markup without bombing or choking on it
- Finding or building an HTML-parsing library that is capable of filtering out or removing certain tags and attributes
- Making a list of every single possibly malicious tag, attribute, and combination, or alternatively a separate list of every allowable HTML tag, many of which did not even exist at the time this forum was written (e.g. <article>...)

And presenting this to the user in a way that, because their entire markup might be changed by this parser, allows them to understand that their code just got fucked with and now they need to review it before they can post it properly.

And bolting this in with the existing code, which is still mostly a mess.

And requires being able to run on shared hosting (e.g. libraries like php's tidy extension may not be available).

And ensuring that this library is even capable of properly sanitizing things against JS, which is exceedingly rare without the "nuke everything" approach, because in most cases you either aren't accepting user-HTML at all (most comment systems, etc) or you're in the "the user probably knows what they're doing because they're the site admin" mode (e.g. blog posts, etc.)


...meanwhile, the goofy regex solution, while not exactly perfect, gets us 99% of the way there and was easily dropped in.
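A parser-based allow-list sanitiser of the kind rakiru describes, written as an added example (not the forum's own code) on Python's tolerant standard-library HTMLParser: it applies the "on" prefix rule Kaito proposed and riking checked against the spec index, rejects javascript:/data: URLs in href and src, and closes whatever markup the author left open so the "review your post" step Xkeeper describes has something sane to show. The tag/attribute policy and the sample inputs are constructed for this example.

```python
import re
from html import escape
from html.parser import HTMLParser

# Allow-list policy: tag -> attributes permitted on it (constructed for this example)
ALLOWED = {"b": set(), "i": set(), "u": set(), "p": set(), "br": set(),
           "a": {"href", "title"}, "img": {"src", "alt"}}
VOID = {"br", "img"}                          # tags that never take a closing tag
SAFE_SCHEMES = ("http:", "https:", "mailto:")

def url_is_safe(value):
    """Accept relative URLs and a few known schemes; reject javascript:, data:, etc."""
    v = re.sub(r"[\x00-\x20\x7f]", "", value or "").lower()  # browsers drop these
    head = re.split(r"[/?#]", v, maxsplit=1)[0]  # text before any path/query/fragment
    return ":" not in head or v.startswith(SAFE_SCHEMES)

class AllowListSanitizer(HTMLParser):
    """Re-serialises only allow-listed tags and attributes from a tolerant parse."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.open = [], []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:
            return                            # unknown tag dropped; its text still flows
        kept = []
        for name, value in attrs:             # HTMLParser lower-cases names for us
            # event handlers all start with "on"; the HTML attribute index has no other
            if name.startswith("on") or name not in ALLOWED[tag]:
                continue
            if name in ("href", "src") and not url_is_safe(value):
                continue
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID:
            self.open.append(tag)

    def handle_endtag(self, tag):
        while tag in self.open:               # close anything left open inside it
            self.out.append(f"</{self.open.pop()}>")

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))

def sanitize(markup):
    p = AllowListSanitizer()
    p.feed(markup)
    p.close()
    p.out.extend(f"</{t}>" for t in reversed(p.open))  # close what was left open
    return "".join(p.out)
```

Because the output is rebuilt from the parse rather than edited in place, a tag the parser did not recognise never reaches the page, which is the property a regex pass over raw text cannot give.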
Acmlmboard - commit 220d144 [2018-11-04]
©2000-2018 Acmlm, Xkeeper, Inuyasha, et al.