User Data

[00:00:00]
>> Mike North: First thing you need to know is, you never ever, ever, ever can trust user data. Don't ever trust user data, raw user data. And in particular, these are some absolutely terrible places to put raw untrusted user data. Anything that you put in between script tags obviously will be treated as script.

[00:00:20]
Don't put stuff there. It may be tempting, so I heard you're a word processor theme developer. Imagine you had a really terrible idea. We're gonna have a theme where users can inject their own little snippets to customize their experience. And give us some JavaScript and we'll execute it on this page.

[00:00:39]
This would not be a good idea, because now other people can see this page. If you can click a link and run a script and that does not originate from the developer it originates from another user, bad times. You don't wanna put any user data in an HTML comment.

[00:00:57]
So this is a little tricky but can anyone think of something you could do inside for the second line here. What value could we have for user data that would cause us trouble? So if.
>> Speaker 2: Close off the comment?
>> Mike North: Yes, exactly.
>> Speaker 2: Put your script in there.

[00:01:13]
Whatever you want.
>> Mike North: So you would begin, your string would not be like, hello, I'm Mike. It would be like dash, dash, greater than, to finish the comment, and then begin executing our script. And the real comment close to the right of that line, that'll appear as text, but it'll be too late.

[00:01:32]
In fact, you could end with beginning a new comment and it would be fine. So that's why. Basically if you put stuff, unsanitized user input into a context, be it between quotes or within a tag. Know that you could always get out of that context by closing the quote or by having the close tag or by finishing the comment.

[00:01:53]
And now you're back into code land, where you're injecting your code in there. Attribute names. I've never seen this, I think this is an unlikely one for a developer to fall into. But users should not have control over HTML attributes. Obviously if user data were source in this situation, it'd be pretty easy for them to like manipulate that, no, it's not classes.

[00:02:19]
It's not the name of my theme that's gonna be here, it's gonna be the source, and we're gonna download the script. Tag names, again never seen that. But a bad idea, this is probably one that we don't need to remember, because it just seems like common sense, don't do that.

[00:02:35]
Stuff that's directly in the style block. So it is very, very hard to do style based cross-site scripting in modern browsers. It is pretty easy in older browsers. Anywhere you have a URL, that basically can turn into a get request. Well I mean it is a get request, but it can turn into a JavaScript execution.

[00:02:56]
So CSS, background image with a URL of JavaScript colon transfer all my money out of the account. You know, something like that.