Bug 29944

Summary:

[XSSAuditor] Reduce false positives by checking for illegal URI characters

Product:

WebKit

Reporter:

Daniel Bates <dbates>

Component:

WebCore Misc.

Assignee:

Nobody <webkit-unassigned>

Status:

RESOLVED FIXED

Severity:

Normal

CC:

abarth, sam

Priority:

Keywords:

XSSAuditor

Version:

528+ (Nightly build)

Hardware:

All

OS:

All

Attachments:

Description	Flags
Patch with test cases and rebased test cases	abarth: review+

Daniel Bates

Reported 2009-09-30 18:06:07 PDT

We can reduce the number of false positives for both inline script- and inline event handler- based attacks by explicitly allowing requests that do not contain the characters described in section 2.4.3 of RFC 2396 <http://www.faqs.org/rfcs/rfc2396.html> in addition to the single quote character "'". That is, the following characters cannot appear in a valid URI: ', ", <, >. If the request does not contain these characters then we can assume that no inline scripts have been injected into response page, because it is impossible to write an inline script of the form <script>...</script> without "<", ">". With regards to an injection of an inline event handler, we believe that the majority of such injections occur as part of breaking out of a quoted property and thus a request that does not contain a single or double quote can be allowed. However, this decision causes the following test cases to fail: property-inject.html, property-escape-noquotes.html, and property-escape-noquotes-tab-slash-chars.html. We should address these in a separate update.

Attachments
Patch with test cases and rebased test cases (16.06 KB, patch) 2009-09-30 18:13 PDT, Daniel Bates	abarth: review+	Details Formatted Diff Diff
View All Add attachment proposed patch, testcase, etc.

Daniel Bates

Comment 1 2009-09-30 18:13:09 PDT

Created attachment 40415 [details] Patch with test cases and rebased test cases Also includes a minor formatting change.

Adam Barth

Comment 2 2009-09-30 18:44:11 PDT

Comment on attachment 40415 [details] Patch with test cases and rebased test cases Great. Thanks Dan.

Daniel Bates

Comment 3 2009-09-30 22:56:28 PDT

Committed r48961: <http://trac.webkit.org/changeset/48961>

Daniel Bates

Comment 4 2014-02-11 12:29:46 PST

(In reply to comment #0) > [...] > With regards to an injection of an inline event handler, we believe that the majority of such injections occur as part of breaking out of a quoted property and thus a request that does not contain a single or double quote can be allowed. However, this decision causes the following test cases to fail: property-inject.html, property-escape-noquotes.html, and property-escape-noquotes-tab-slash-chars.html. We should address these in a separate update. See bug #127853.

Note You need to log in before you can comment on or make changes to this bug.