[cl-weblocks-ticket] Re: #45: Don't use gensym for actions to avoid XSS attacks

cl-weblocks cl-weblocks-devel at common-lisp.net
Wed Aug 1 21:46:42 UTC 2007


#45: Don't use gensym for actions to avoid XSS attacks
------------------------+---------------------------------------------------
  Reporter:  anonymous  |       Owner:  sakhmechet
      Type:  defect     |      Status:  new       
  Priority:  medium     |   Milestone:  0.1       
 Component:  weblocks   |     Version:  pre-0.1   
Resolution:             |    Keywords:  security  
------------------------+---------------------------------------------------
Changes (by sakhmechet):

  * milestone:  0.2 => 0.1
  * priority:  low => medium

Comment:

 On 8/1/07, Alexander Kjeldaas <alexander.kjeldaas at gmail.com> wrote:
 >
 > One user accessing another user's stuff is not the attack I am describing.
 > The attack I am describing is a purely destructive *someone making a user do
 > stuff* attack.  Get a user to do something that they didn't really intend to
 > do.  In order to do this, one only needs to get the user to click on a link
 > that has a guessed action in it.
 I see.

 A multistep solution that comes to mind is this:
 1. Split actions into destructive actions that modify back-end data, and
 'pure' actions.
 2. Ensure that destructive actions are only executed if the HTTP request
 is initiated via POST. I'll have to double check, but I think browsers
 don't allow forms to send POST requests to domains different from where
 HTML originally came from.
 3. Programmers will sometimes make mistakes and create destructive actions
 as regular ones (we could prevent them from doing it in Haskell, but
 unfortunately not in Lisp). This means all actions, not just destructive
 ones must have URLs that are hard to guess.

 I'm not sure if I want to implement #1 (and therefore #2) because it
 forces a programmer to choose between two ways of creating an action. On
 the other hand this might be a good thing - this is something that needs
 to be thought out.

 #3 should definitely be implemented.

-- 
Ticket URL: <http://trac.common-lisp.net/cl-weblocks/ticket/45>
cl-weblocks <http://common-lisp.net/project/cl-weblocks>
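The three-step scheme from the comment above, as an added example that is not Weblocks code and is written in Python rather than Lisp: a counter-style id generator standing in for gensym, beside an action table that hands out CSPRNG-generated ids for every action (step 3) and refuses to run destructive actions on anything but POST (steps 1 and 2). The class and function names are assumptions for illustration.

```python
import secrets
import itertools
from dataclasses import dataclass
from typing import Callable, Dict

# Counter-style ids modelled on what gensym produces (G1000, G1001, ...):
# the next id is trivially predictable, so a link carrying it can be guessed.
_gensym_counter = itertools.count(1000)


def gensym_style_id() -> str:
    return f"G{next(_gensym_counter)}"


@dataclass
class Action:
    fn: Callable[[], str]
    destructive: bool  # step 1: the action modifies back-end data


class ActionTable:
    """Per-session registry mapping unguessable action ids to callables."""

    def __init__(self) -> None:
        self._actions: Dict[str, Action] = {}

    def register(self, fn: Callable[[], str], destructive: bool = False) -> str:
        # Step 3: every action, destructive or not, gets a 128-bit random id
        # from the OS CSPRNG instead of a gensym-style counter value.
        action_id = secrets.token_urlsafe(16)
        self._actions[action_id] = Action(fn, destructive)
        return action_id

    def dispatch(self, action_id: str, method: str) -> str:
        action = self._actions.get(action_id)
        if action is None:
            raise LookupError("unknown action id")
        # Step 2: destructive actions run only when the request is a POST.
        if action.destructive and method.upper() != "POST":
            raise PermissionError("destructive action requires POST")
        return action.fn()
```

The random id is what stops a guessed link from reaching any action at all; the POST rule is a second, independent check in front of the destructive ones.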