Tuesday, April 13, 2010

XSS and Apex

XSS = X(cross) Site Scripting. This is where user entered data contains some javascript that will be later inadvertently rendered and executed by another users browser. The javascript then sends session information back to the attackers external server. This information could contain cookies that can be used to steal the user's session.

Atlassian and the Apache team (who use Atlassian services) recently got hacked big time thanks in part to XSS vulnerabilities in their site. Details can be found here... https://blogs.apache.org/infra/entry/apache_org_04_09_2010 (it's a great read).

There is no simple solution to protect against XSS, but here's an article which demonstrates a generic method that web applications can use to avoid XSS from the client side. It's known as HTTPOnly cookies. This is very good news, it mentions that Firefox has a bug that doesn't implement HttpOnly correctly, but this has since been fixed... http://www.codinghorror.com/blog/2008/08/protecting-your-cookies-httponly.html

HTTPOnly is sufficiently supported by 99% of mainstream browsers (and most importantly, those in our SOE). Opera and Safari support is unconfirmed, but I'd assume they would have addressed this by now. I'd expect to see more support for HTTPOnly tighten as it's such a valuable tool to protect cookies.

I've been aware of XSS dangers for years, but only since this Atlassian incident was I curious to test the extent of the risk on Apex applications. Apex does not currently use HTTPOnly cookies, I'll investigate adding it. Apex does use the most standard method of setting cookies, which is promising as it's best supported by the browsers. We just need to figure out how to flip the HTTPOnly flag on the server somehow to provide another layer of protection for our users/applications. Apex is also wide open to session stealing based on cookie information, so please keep this in mind. Don't allow unsanitised user data to be rendered in the browser. This is absolutely critical for any application which is going to be made available to both the public and privileged users.

No comments: