Re: ACTION-164 - Elaborate Cross Site Scripting in Wiki

> From: Johnathan Nightingale <johnath@mozilla.com>
> Hello all,
> 
> I've updated the Threat Trees page of the Wiki with more detailed
> information on cross site scripting.  I've also made some minor
> editorial changes, more clearly calling out the description and goals
> of each attack.  You can see the current version here.
> 
> http://www.w3.org/2006/WSC/wiki/ThreatTrees

   This is a great improvement.  I've differentiated attacks that send form data
between sites from those that send script/HTML code between sites.  I think
this helps clean the tree tremendously.

   One change I made consistently throughout is that branches should
represent actions of the attacker.  I had failed to do this in a few
instances and it had caused further confusion.  My apologies.  I hope you
can see that just about everything that was there before is still here in
the restructured version.

   One other change I've made is to try to replace the "description" bullets
with formal definitions that clearly delineate categories of attack from
each other.

   I may have mentioned in the past that threat trees should really be
called threat DAGs (directed acyclic graphs).  That is, the same component
of a tree may really appear in two places.  In such a case, it's silly to
replicate it.   Technically, our threat tree has stopped being a tree under
these most recent changes.  Cross-site scripting (Branch 3) can, but does
not always, rely on a cross-site impersonation of user intent (Branch 2).
Rather than reconstruct all of branch 2 under 3.B.i, I've just noted that
this branch should really point there.

> As discussed on the call earlier this week, much of XSS is beyond our
> scope.  I would suggest, however, that 2.A.i, 2.A.iv, 2.B.i, and
> 2.B.iv, all of which involve the site sending information to a
> different site than the legitimate one being viewed, constitute
> information that a user agent *might* deem relevant to the user.  The
> other branches are there for completeness but, operating exclusively
> within the site being viewed, likely represent security issues beyond
> our scope.

   These bullets have now moved, but I think the changes make it more clear
what is in scope and out of scope.  I think Branch 2 is now in scope, at
least where user interaction is required to click on a URL or send a form.

   Type 1 XSS attacks (3.B.i) would thus also be in scope, but I don't see
that Type 2 XSS attacks would be.
 
> Any comments are, of course, invited.  And I hope Stuart doesn't
> object to my formatting changes.  :)

   The formatting changes certainly make things easier to read.   Thanks
again!   

Received on Friday, 23 March 2007 18:01:26 UTC