Simon Willison’s Weblog

Busting frame busting: a study of clickjacking vulnerabilities at popular sites (via) Fascinating and highly readable security paper from the Stanford Web Security Research group. Clickjacking can be mitigated using framebusting techniques, but it turns out that almost all of those techniques can be broken in various ways. Fun examples include double-nesting iframes so that the framebusting script overwrites the top-level frame rather than the whole window, and a devious attack against the IE and Chrome XSS filters which tricks them in to deleting the framebusting JavaScript by reflecting portions of it in the framed page’s URL. The authors suggest a new framebusting snippet that should be more effective, but sadly it relies on blanking out the whole page in CSS and making it visible again in JavaScript, making it inaccessible to browsers with JavaScript disabled. 24th May 2010, 11:40 am

apache.org incident report for 04/09/2010. An issue was posted to the Apache JIRA containing an XSS attack (disguised using TinyURL), which stole the user’s session cookie. Several admin users clicked the link, so JIRA admin credentials were compromised. The attackers then changed the JIRA attachment upload path setting to point to an executable directory, and uploaded JSPs that gave them backdoor access to the file system. They modified JIRA to collect entered passwords, then sent password reset e-mails to team members and captured the new passwords that they set through the online form. One of those passwords happened to be the same as the user’s shell account with sudo access, leading to a full root compromise of the machine. 14th April 2010, 9:08 am

Major IE8 flaw makes ’safe’ sites unsafe. IE8 has an XSS protection feature which rewrites potentially harmful code in HTML pages—I think it looks for suspicious input in query strings which appears to have been output directly on the page. Unfortunately it turns out there’s a flaw in the feature that can allow attackers to rewrite safe pages to introduce XSS flaws. Google are serving all of their pages with the X-XSS-Protection: 0 header. Until the fix is released, that’s probably a good idea. 22nd November 2009, 3:34 pm

XSS Protection by Default in Rails 3.0. Fantastic news—congratulations, Rails core team. 8th October 2009, 4:35 pm

Reducing XSS by way of Automatic Context-Aware Escaping in Template Systems (via) The Google Online Security Blog reminds us that simply HTML-escaping everything isn’t enough—the type of escaping needed depends on the current markup context, for example variables inside JavaScript blocks should be escaped differently. Google’s open source Ctemplate library uses an HTML parser to keep track of the current context and apply the correct escaping function automatically. 14th April 2009, 9:26 am

17-year-old claims responsibility for Twitter worm. It was a text book XSS attack—the URL on the user profile wasn’t properly escaped, allowing an attacker to insert a script element linking out to externally hosted JavaScript which then used Ajax to steal any logged-in user’s anti-CSRF token and use it to self-replicate in to their profile. 12th April 2009, 7:22 pm

OWASP: XSS Prevention Cheat Sheet. Comprehensive set of rules for avoiding XSS—there’s a bit more to it than just escaping all output variables, since you have to take markup context in to account. 24th January 2009, 11:58 pm

Web Security Horror Stories: The Director’s Cut. Slides from the talk on web application security I gave this morning at <head>, the worldwide online conference. I just about managed to resist the temptation to present in my boxers. Topics include XSS, CSRF, Login CSRF and Clickjacking. 26th October 2008, 12:15 pm

When Ajax Attacks! Web application security fundamentals. Slides and notes from my talk on web application security at @media Ajax last Tuesday. 20th September 2008, 4:16 pm

Coding Horror: Protecting Your Cookies: HttpOnly. Jeff Atwood discovers the hard way that writing an HTML sanitizer is significantly harder than you would think. HttpOnly cookies aren’t the solution though: they’re potentially useful as part of a defense in depth strategy, but fundamentally if you have an XSS hole you’re going to get 0wned, HttpOnly cookies or not. Auto-escape everything on output and be extremely cautious with things like HTML sanitizers. 29th August 2008, 2:01 am

quipt (via) Extremely clever idea: Cache JavaScript in window.name (which persists between page views and can hold several MB of data), but use document.referrer to check that an external domain hasn’t loaded the cache with malicious code for an XSS attack. UPDATE: Jesse Ruderman points out a fatal flaw in the comments. 4th July 2008, 3:49 pm

ratproxy. “A semi-automated, largely passive web application security audit tool”—watches you browse and highlights potential XSS, CSRF and other vulnerabilities in your application. Created by Michal Zalewski at Google. 3rd July 2008, 2:35 pm

IE8 Security Part IV: The XSS Filter (via) IE8 will include an XSS filter to identify and neutralise “reflected” XSS attacks (where malicious code in a query string is rendered to the page), turned on by default. Sounds like a good idea to me, and site authors can disable it using Yet Another Custom HTTP header (X-XSS-Protection: 0). 3rd July 2008, 9:37 am

Evil GIFs: Partial Same Origin Bypass with Hybrid Files. First there were PNGs that had crossdomain.xml files embedded in them, now there are GIFs that contain Java applets (as JAR files). At this point I’d say don’t even bother trying to validate uploaded files, just make sure they’re served off an entirely different domain instead where XSS doesn’t matter. 1st July 2008, 8:58 am

BUG: XSS Security flaw in BaseCamp Messages (via) BaseCamp lets users include HTML and JavaScript in messages, on the basis that anyone with a BaseCamp account is a trusted party. I’m not convinced: you could use this to circumvent BaseCamp’s access control stuff and read messages you’re not meant to. On the flip side, you could also use this to add brand new features to BaseCamp by using JavaScript in a message as a server-side equivalent to Greasemonkey. 26th June 2008, 9:39 am

Crossdomain.xml Invites Cross-site Mayhem. A useful reminder that crossdomain.xml files should be treated with extreme caution. Allowing access from * makes it impossible to protect your site against CSRF attacks, and even allowing from a “circle of trust” of domains can be fatal if just one of those domains has an XSS hole. 15th May 2008, 8:06 am

Django: security fix released. XSS hole in the Admin application’s login page—updates and patches are available for trunk, 0.96, 0.95 and 0.91. 14th May 2008, 7:49 am

Mass Attack FAQ. Thousands of IIS Web servers have been infected with an automated mass XSS attack, not through a specific IIS vulnerability but using a universal XSS SQL query that targets SQL Server and modifies every text field to add the attack JavaScript. If an app has even a single SQL injection hole (and many do) it is likely to be compromised. 26th April 2008, 9:12 am

ISPs’ Error Page Ads Let Hackers Hijack Entire Web (via) Earthlink in the US served “helpful” links and ads on subdomains that failed to resolve, but the ad serving pages had XSS holes which could be used to launch phishing attacks the principle domain (and I imagine could be used to steal cookies, although the story doesn’t mention that). Seems like a good reason to start using wildcard DNS to protect your subdomains from ISP inteference. 21st April 2008, 6:51 am

Flirting with mime types [PDF] (via) Different browsers have different rules for which content types will be treated as active content (and hence could be vectors for XSS attacks). IE uses a blacklist rather than a whitelist and hence rendered active content for 696 of the tested content types. 14th April 2008, 8:18 am

Dangers of remote Javascript. Perl.com got hit by a JavaScript porn redirect when the domain of one of their advertisers expired and was bought by a porn company. Nat Torkington suggests keeping track of the expiration dates on any third party domains that are serving JavaScript on your site. 20th January 2008, 9:49 am

Is your Rails app XSS safe? SafeErb is an interesting take on auto-escaping for Rails: it throws an exception if you try to render a string that hasn’t been untainted yet. 10th January 2008, 6:46 pm

XSS Vulnerabilities in Common Shockwave Flash Files. Is the word “shockwave” still relevant to Flash? Regardless, it turns out Flash can be a serious vector for XSS attacks, and many commonly used components have recently fixed holes (and hence should be updated ASAP). 6th January 2008, 9:35 am

Why the h can’t Rails escape HTML automatically? It would be a pretty huge change, but auto-escaping in Rails 2.0 could close up a lot of accidental XSS holes. 1st December 2007, 8:34 pm

Django Changeset 6671. Malcolm Tredinnick: “Implemented auto-escaping of variable output in templates”. Fantastic—Django now has protection against accidental XSS holes, turned on by default. 14th November 2007, 5:05 pm

Site-specific browsers and GreaseKit. New site-specific browser tool which lets you include a bunch of Greasemonkey scripts. For me, the killer feature of site-specific browsers is still cookie isolation (to minimise the impact of XSS and CSRF holes) but none of the current batch of tools advertise this as a feature, and most seem to want to share the system-wide cookie jar. 25th October 2007, 7:56 am

Two months with Ruby on Rails. Good rant—covers both the good and the bad. The first complaint is the lack of XSS protection by default in the template language. Django has the same problem, but the solution was 90% there when I saw Malcolm at OSCON. 9th October 2007, 12:23 pm

Top XSS exploits by PageRank. Yahoo!, MSN, Google, YouTube, MySpace, FaceBook all feature. 29th May 2007, 10:07 pm

XSSed. Cross-site scripting resource and vulnerabilities archive, including reported (unpatched) holes ordered by PageRank. 29th May 2007, 10:03 pm

Most HTML templating languages are written incorrectly. “If you ever find yourself in the position of designing an html template language, please make the default behavior when including variables be to HTML-escape them.” I couldn’t agree more. 15th April 2007, 8:28 pm

XSS. Sanitising HTML is an extremely hard problem. The sanitize helper that ships with Rails is completely broken; Jacques Distler provides a better alternative. 12th March 2007, 12:34 am

Security; AJAX; JSON; Satisfaction. The JSON attack I linked to earlier only works against raw arrays, which technically aren’t valid JSON anyway. 6th March 2007, 8:06 am

PHP 4 phpinfo() XSS Vulnerability. Another reason not to run an open phpinfo() page on your server. 4th March 2007, 9:24 pm

MySpace superworm creator sentenced to probation, community service (via) samy is still my hero. 4th February 2007, 7:03 pm

MySpace: Too Much of a Good Thing? CSS customization really was just the result of forgetting to strip HTML. They “eventually” decided to filter out JavaScript(!) 17th January 2007, 9:09 am

Details of Google’s Latest Security Hole. For a brief while you could use Blogger Custom Domains to point a Google subdomain at your own content, letting you hijack Google cookies and steal accounts for any Google services. 14th January 2007, 1:36 pm

The Adobe PDF XSS Vulnerability. If you host a PDF file anywhere on your site, you’re vulnerable to an XSS attack due to a bug in Acrobat Reader versions below 8. The fix is to serve PDFs as application/octet-stream to avoid them being displayed inline. 11th January 2007, 4:23 pm

Why is XSS so common? Because dev tools don’t escape things by default. 2nd August 2006, 8:57 pm

How the myspace SWF hack worked. If Flash is a vector for XSS, is this the end of Flash badges? 17th July 2006, 6:04 pm

Don’t serve JSON as text/html. Another sneaky XSS trick. 5th July 2006, 11:46 pm

Mozilla causing XSS in Livejournal. Their recent worm attack was caused by the -moz-binding CSS property. 22nd January 2006, 9:37 pm

Xanga Hit By Script Worm (in December) (via) Description of an XSS worm that hit Xanga last month. 21st January 2006, 8:47 pm

Chris Shiflett: Google XSS Example (via) UTF-7 is a nasty vector for XSS. 24th December 2005, 5:21 pm