Tuesday, 7 August 2018

xss

Building on our earlier posts on defenses against web application flaws ["Automating Web Application Security Testing", "Meet ratproxy, our passive web security assessment tool"], we introduce Automatic Context-Aware Escaping (Auto-Escape for short), a functionality we added to two Google-developed general purpose template systems to better protect against Cross-Site Scripting (XSS).
We developed Auto-Escape specifically for general purpose template systems; that is, template systems that are for the most part unaware of the structure and programming language of the content on which they operate. These template systems typically provide minimal support for web applications, possibly limited to basic escaping functions that a developer can invoke to help escape unsafe content being returned in web responses. Our observation has been that web applications of substantial size and complexity using these template systems have an increased risk of introducing XSS flaws. To see why this is the case, consider the simplified template below in which double curly brackets {{ and }} enclose placeholders (variables) that are replaced with run-time content, presumed unsafe.
<body>  <span style="color:{{USER_COLOR}};">    Hello {{USERNAME}}, view your <a href="{{USER_ACCOUNT_URL}}">Account</a>.  </span>  <script>    var id = {{USER_ID}}; // some code using id, say:    // alert("Your user ID is: " + id);  </script></body>
In this template, four variables are used (not in this order):
  • USER_NAME is inserted into regular HTML text and hence can be escaped safely by HTML-escape.
  • USER_ACCOUNT_URL is inserted into an HTML attribute that expects a URL and therefore in addition to HTML-escape, also requires validation that the URL scheme is safe. By allowing only a safe white-list of schemes, we can prevent (say) javascript: pseudo-URLs, which HTML-escape alone does not prevent.