11. “This issue isn't just about scripting, and
there isn't necessarily anything cross site
about it. So why the name? It was coined
earlier on when the problem was less
understood, and it stuck. Believe me, we have
had more important things to do than think
of a better name. <g>.”
-- Marc Slemko, Apache.org
12. XSS / SQLIA
eval('user input') [1, 2]
1) the essence of injections
2) limited only by the execution environment
17. WP MU < 2.6 XSS
“In /wp-admin/wpmu-blogs.php an attacker can
inject javascript code, the input variables "s" and
"ip_address" of GET method aren't properly
sanitized.”
-- [Full-disclosure], Sept 2008
19. The solutions are here. They’re just not evenly distributed!
-- paraphrasing William Gibson
32. Rich Types
• if we had a “firstname” type
• and one for “XML”
• and one for a “ebay-style post”
33. Rich Types
• if we had a “firstname” type
• and one for “XML”
• and one for a “ebay-style post”
• we could do flexible validation/sanitation
34. What we’d get
• Types for SQL prepared statements
• Types for AntiSamy/Template engine
• Types for future backends
• Types/Constraints for forms (XForms?)
• rich constraints on complex types
35. What it’d look like
from django.db import models

# Sketch only: SQLFilter, AntiSamy and HtmlValidator are the imagined
# per-backend helpers, not existing Django classes.
class MyTextField(models.Field):
    # values may only contain <H1> elements
    sqlserializer = SQLFilter(type="html")           # to SQL (prepared statement)
    htmlserializer = AntiSamy("H1Profile")           # to HTML (AntiSamy policy)
    validator = HtmlValidator(tagsAllowed=("h1",))   # a tuple, not a bare string
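The sketch above leaves the three helpers undefined, so here is an added, self-contained example (not from the slides or the thesis) of what one such rich type can look like in plain Python: the value is validated once on construction, the HTML serialiser is an allow-list that keeps only bare <h1> elements and escapes everything else, and the SQL serialiser never builds statement text but hands the raw value to a parameterised query, which is the answer to the eval('user input') pattern of slide 12. The names H1Text, store_and_load and is_valid, the regex, and the sample input are all constructed for this example.

```python
import html
import re
import sqlite3

# Recognises a bare <h1>...</h1> element: no attributes, no nesting.
H1_RE = re.compile(r"<h1>([^<]*)</h1>", re.IGNORECASE)


class ValidationError(ValueError):
    """Raised when a value does not fit the rich type at all."""


class H1Text:
    """Hypothetical rich type: short text in which only <h1> is meaningful.

    Validation happens once, here; each backend then asks for the
    representation it can safely consume.
    """

    MAX_LEN = 200

    def __init__(self, raw):
        if not isinstance(raw, str) or "\x00" in raw or len(raw) > self.MAX_LEN:
            raise ValidationError(
                "must be a string without NUL bytes, at most %d chars" % self.MAX_LEN
            )
        self.raw = raw

    def to_html(self):
        """Allow-list serialiser: keep bare <h1> wrappers, escape all else.

        Attributes on <h1>, other tags and stray brackets never survive,
        because anything the regex does not match is escaped as text.
        """
        out, pos = [], 0
        for m in H1_RE.finditer(self.raw):
            out.append(html.escape(self.raw[pos:m.start()]))     # text between elements
            out.append("<h1>%s</h1>" % html.escape(m.group(1)))  # element, inner escaped
            pos = m.end()
        out.append(html.escape(self.raw[pos:]))
        return "".join(out)

    def to_sql_param(self):
        """SQL serialiser: the value is only ever a bound parameter."""
        return self.raw


def is_valid(raw):
    """True if the constructor would accept raw."""
    try:
        H1Text(raw)
    except ValidationError:
        return False
    return True


def store_and_load(value):
    """Round-trip an H1Text through an in-memory SQLite table with a
    prepared statement; the stored text comes back byte-for-byte."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (body TEXT)")
    conn.execute("INSERT INTO posts (body) VALUES (?)", (value.to_sql_param(),))
    (stored,) = conn.execute("SELECT body FROM posts").fetchone()
    conn.close()
    return stored


if __name__ == "__main__":
    # Constructed sample: an allowed element, a script payload and an
    # SQL-looking fragment, all in one string.
    sample = "<h1>Title</h1><script>alert(1)</script> O'Brien; DROP TABLE posts"
    v = H1Text(sample)
    print(v.to_html())
    print(store_and_load(v))
```

The point of the split is that the same object produces a different, backend-appropriate encoding on each call, so the application code never has to remember which escaping a given sink needs; the type carries that knowledge.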
36. Drawbacks
• needs decent infrastructure from the form
framework
• needs good type catalogue to be easy
enough to use
• what about HTTP headers, cookies?
• simpler approaches available (Django)
40. This presentation is licensed under a Creative
Commons BY-SA license.
Attribution for pictures through links.
Slides, materials, progress etc. can be found @
http://www.noroute.de/blog/diplomathesis