W3C home > Mailing lists > Public > public-web-security@w3.org > January 2011

Re: More on XSS mitigation (was Re: XSS mitigation in browsers)

From: Michal Zalewski <lcamtuf@coredump.cx>
Date: Sat, 22 Jan 2011 02:50:59 -0800
Message-ID: <AANLkTin9k6h2MY2goKNLVbwsnj2xi-oBdi4WHTCibgGy@mail.gmail.com>
To: gaz Heyes <gazheyes@gmail.com>
Cc: Gervase Markham <gerv@mozilla.org>, Adam Barth <w3c@adambarth.com>, public-web-security@w3.org
> Both this and meta tag are vulnerable to any sort of html attribute
> injection

All approaches do not do a lot to prevent attackers from injecting JS
into JS due to insufficient escaping of dynamically inserted
variables, so I'm not sure this changes the picture appreciably?

I.e., it does not matter if you have
http://allowed_origin/dynamic_js_script.js with:

var username = '$incorrectly_escaped_username';

...versus:

<span onclick="do_something('$incorrectly_escaped_username')">

Signing inline scripts is slightly more robust, but ultimately also
futile against these attacks, as web frameworks will likely move to
indiscriminately auto-sign any generated text.

About the only way to fix JS-in-JS injection is sending JS as
generated VM bytecode, rather than serialized text, probably...

/mz
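The two sinks contrasted above (a JS string literal in a generated script and an `onclick` attribute), worked through as an added example that is not part of the original thread: the naive template beside a version that JSON-encodes the value and escapes the characters that matter in inline-script and attribute contexts, plus a round-trip check. Function names and sample values are constructed.

```javascript
// Added example (not from the thread): the "var username = '...'" sink
// from the message, fed from a user-controlled value.

// Vulnerable pattern quoted in the message: raw interpolation into a JS
// string literal. Origin whitelists and script signing do not change this.
function renderNaive(username) {
  return `var username = '${username}';`;
}

// Hardened pattern: JSON-encode the value (quotes, backslashes, control
// characters), then escape the characters that matter when the result
// lands inside an inline <script> block or an HTML attribute.
function jsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, '\\u003c')      // "</script>" can no longer close the block
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')      // no entity decoding surprises in attributes
    .replace(/\u2028/g, '\\u2028') // line terminators break literals in older engines
    .replace(/\u2029/g, '\\u2029');
}

function renderSafe(username) {
  return `var username = ${jsStringLiteral(username)};`;
}

// Unit-test check: does the emitted snippet parse as one assignment that
// yields exactly the original value? A value that breaks the literal makes
// the snippet a SyntaxError (caught) or silently alters the data (compared).
// Inputs here are constructed; new Function runs whatever the snippet holds.
function roundTrips(render, value) {
  try {
    return new Function(`${render(value)} return username;`)() === value;
  } catch (e) {
    return false;
  }
}

// Constructed sample values: a plain name, an apostrophe, a backslash,
// an HTML closing tag, and a U+2028 line separator.
const SAMPLES = ['alice', "O'Brien", 'a\\b', '</script><b>x</b>', 'a\u2028b'];

function survey() {
  return SAMPLES.map((v) => ({
    value: v,
    naive: roundTrips(renderNaive, v),
    safe: roundTrips(renderSafe, v),
  }));
}
```

The HTML-level case (`</script>`) round-trips under the naive renderer too, because `new Function` never sees an HTML parser; that is why `renderSafe` additionally escapes `<`, `>` and `&` rather than relying on the JS round-trip alone.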
Received on Saturday, 22 January 2011 10:51:54 GMT