- From: Stuart E. Schechter <ses@ll.mit.edu>
- Date: Fri, 23 Mar 2007 14:00:41 -0400
- To: W3C WSC Public <public-wsc-wg@w3.org>
- CC: Johnathan Nightingale <johnath@mozilla.com>
> From: Johnathan Nightingale <johnath@mozilla.com>
> Hello all,
>
> I've updated the Threat Trees page of the Wiki with more detailed
> information on cross site scripting. I've also made some minor
> editorial changes, more clearly calling out the description and goals
> of each attack. You can see the current version here.
>
> http://www.w3.org/2006/WSC/wiki/ThreatTrees

This is a great improvement.

I've differentiated attacks that send form data between sites from those that send script/HTML code between sites. I think this helps clean the tree tremendously.

One change I made consistently throughout is that branches should represent actions of the attacker. I had failed to do this in a few instances and it had caused further confusion. My apologies. I hope you can see that just about everything that was there before is still here in the restructured version.

One other change I've made is to try to replace the "description" bullets with formal definitions that clearly delineate categories of attack from each other.

I may have mentioned in the past that threat trees should really be called threat DAGs (directed acyclic graphs). That is, the same component of a tree may really appear in two places. In such a case, it's silly to replicate it. Technically, our threat tree has stopped being a tree under these most recent changes. Cross-site scripting (Branch 3) can, but does not always, rely on a cross-site impersonation of user intent (Branch 2). Rather than reconstruct all of branch 2 under 3.B.i, I've just noted that this branch should really point there.

> As discussed on the call earlier this week, much of XSS is beyond our
> scope. I would suggest, however, that 2.A.i, 2.A.iv, 2.B.i, and
> 2.B.iv, all of which involve the site sending information to a
> different site than the legitimate one being viewed, constitute
> information that a user agent *might* deem relevant to the user. The
> other branches are there for completeness but, operating exclusively
> within the site being viewed, likely represent security issues beyond
> our scope.

These bullets have now moved, but I think the changes make it more clear what is in scope and out of scope. I think Branch 2 is now in scope, at least where user interaction is required to click on a URL or send a form. Type 1 XSS attacks (3.B.i) would thus also be in scope, but I don't see that Type 2 XSS attacks would be.

> Any comments are, of course, invited. And I hope Stuart doesn't
> object to my formatting changes. :)

The formatting changes certainly make things easier to read.

Thanks again!
Received on Friday, 23 March 2007 18:01:26 UTC