Could Interpolique from Recursion Ventures lead to more secure web applications? String injection flaws (the class behind cross-site scripting, SQL injection and the like) still occur despite memory-safe languages and repeated encouragement to parametrize queries and escape strings. Developers still let inadequately sanitized strings through.
Interpolique attempts to:
- *Retain* the boundary between code and data
Web Security at Google Code University. From Gruyere:
Correctly sanitizing HTML is a tricky problem. The _SanitizeTag function has a number of critical design flaws:
- It does not validate the well-formedness of the input HTML. As we see, badly formed HTML passes through the sanitizer unchanged. Since browsers typically apply very lenient parsing, it is very hard to predict the browser’s interpretation of the given HTML unless we exercise strict control on its format.
- It uses blacklisting of attributes, which is a bad technique. One of our exploits got past the blacklist simply by using an uppercase version of the attribute. There could be other attributes missing from this list that are dangerous. It is always better to whitelist known good values.
- The sanitizer does not do any further sanitization of attribute values. This is dangerous since URI attributes like
The right approach to HTML sanitization is to:
- Parse the input into an intermediate DOM structure, then rebuild the body as well-formed output.
- Use strict whitelists for allowed tags and attributes.
- Apply strict sanitization of URL and CSS attributes if they are permitted.
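The three rules above, carried through as an added example in Python (this is not code from Gruyere or from any of the sanitizer libraries mentioned on this page). It parses untrusted input into a tree with the standard-library html.parser, keeps only whitelisted tags and attributes, checks the scheme of URL attributes, and re-serializes well-formed, escaped output, so the bypasses from the Gruyere write-up (uppercase attribute names, malformed markup, javascript: URLs) all fail. The allow lists are illustrative choices, not a recommendation for every site; the sample inputs at the bottom are constructed for the demonstration.

```python
# Added example, not Gruyere's code nor any library's: a whitelist HTML
# sanitizer that parses to a tree, filters, and rebuilds well-formed output.
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Allow lists (illustrative; tune per application).
ALLOWED_TAGS = {"a", "b", "i", "em", "strong", "p", "br", "ul", "ol", "li"}
ALLOWED_ATTRS = {"a": {"href", "title"}}  # onclick, style, ... never pass
URL_ATTRS = {"href"}                       # values that must be safe URLs
ALLOWED_SCHEMES = {"http", "https", "mailto"}
VOID_TAGS = {"br"}                         # emitted without a closing tag
DROP_CONTENT = {"script", "style"}         # drop element and its text


def safe_url(value):
    """Return the cleaned URL if its scheme is allowed, else None.

    Relative URLs (no scheme) are accepted. Whitespace and control
    characters are stripped first because browsers ignore them inside a
    scheme ("java\\tscript:" still runs); the cleaned string is what gets
    emitted, so what was checked is what the browser sees.
    """
    cleaned = "".join(c for c in value if c.isprintable() and not c.isspace())
    scheme = urlsplit(cleaned).scheme.lower()
    return cleaned if scheme == "" or scheme in ALLOWED_SCHEMES else None


class Node:
    def __init__(self, tag, attrs):
        self.tag, self.attrs, self.children = tag, attrs, []


class SanitizingParser(HTMLParser):
    """Build a tree holding only allowed elements; text is kept as data."""

    def __init__(self):
        super().__init__(convert_charrefs=True)  # entities decoded on input
        self.root = Node(None, {})
        self.stack = [self.root]
        self.skip = 0  # > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skip += 1
            return
        if self.skip or tag not in ALLOWED_TAGS:
            return  # unknown tag dropped; its text still flows through as data
        clean = {}
        for name, value in attrs:
            # html.parser lower-cases tag and attribute names, so "ONCLICK"
            # is compared as "onclick" against the allow list.
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            value = value or ""  # boolean attribute -> empty string
            if name in URL_ATTRS:
                value = safe_url(value)
                if value is None:
                    continue  # javascript:, data:, vbscript: ... dropped
            clean[name] = value
        node = Node(tag, clean)
        self.stack[-1].children.append(node)
        if tag not in VOID_TAGS:
            self.stack.append(node)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.skip = max(0, self.skip - 1)
            return
        # Close the nearest open element with this name; stray or
        # mis-nested end tags are tolerated and the output is rebuilt.
        for i in range(len(self.stack) - 1, 0, -1):
            if self.stack[i].tag == tag:
                del self.stack[i:]
                return

    def handle_data(self, data):
        if not self.skip:
            self.stack[-1].children.append(data)


def render(node):
    """Serialize the tree, escaping all text and attribute values."""
    if isinstance(node, str):
        return escape(node, quote=False)
    inner = "".join(render(c) for c in node.children)
    if node.tag is None:
        return inner
    attrs = "".join(f' {k}="{escape(v, quote=True)}"' for k, v in node.attrs.items())
    if node.tag in VOID_TAGS:
        return f"<{node.tag}{attrs}>"
    return f"<{node.tag}{attrs}>{inner}</{node.tag}>"


def sanitize(untrusted_html):
    parser = SanitizingParser()
    parser.feed(untrusted_html)
    parser.close()
    return render(parser.root)


if __name__ == "__main__":
    # Constructed samples matching the three flaws in the Gruyere write-up.
    for sample in [
        '<a HREF="JavaScript:alert(1)" ONCLICK="x()">hi</a>',  # case tricks
        '<a href="&#106;ava\tscript:alert(1)">x</a>',           # entity + tab
        "<b>unclosed <i>tags",                                  # malformed
        "<script>alert(1)</script><p>ok &amp; <img src=x onerror=alert(1)></p>",
    ]:
        print(repr(sample), "->", sanitize(sample))
```

Two design points: the scheme check runs on the string that is actually emitted, not on the raw attribute, and disallowed elements lose their tag but keep their text, except script and style whose content is dropped outright. For a production application a maintained library is still the better choice; this block shows what such a library has to get right.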
Whenever possible, use an existing, well-known and proven HTML sanitizer rather than writing your own.
Microsoft Anti-Cross Site Scripting Library V4.2 (AntiXSS V4.2) is an encoding library designed to help developers protect their ASP.NET web-based applications from XSS attacks.
Microsoft Code Analysis Tool .NET (CAT.NET) v1 CTP is a binary code analysis tool that helps identify common vulnerability patterns behind attack vectors such as Cross-Site Scripting (XSS), SQL Injection and XPath Injection.
The Whitewash module allows Ruby programs to clean up any HTML document or fragment coming from an untrusted source and to remove all dangerous constructs that could be used for cross-site scripting or request forgery. All HTML tags, attribute names and values, and CSS properties are filtered through a whitelist that defines which names and what kinds of values are allowed.
Infographic by Veracode Application Security