[Twisted-web] Preventing XSS when using Nevow's vhost functionality
David Remahl
david at remahl.se
Wed Oct 19 15:48:47 MDT 2005
Say I implement a web server that serves content for a number of
different users, each on their own subdomain. My nevow site has a
root resource that is sensitive to the host / port information in the
request (virtual hosting). Since this happens in a reverse-proxy
situation, the root resource has a child, vhost, that allows the
application to gain knowledge of which host the user accessed. One of
the users, "evil", has a goal of stealing cookie content from people
who visit goody's web shop.
The attacker makes the victim go to this URL:
http://goody.com/vhost/http/evil.net/pageWithAttackJS.html
which gets rewritten (by the reverse proxy) to:
http://internalserver:1234/vhost/http/goody.com/vhost/http/evil.net/pageWithAttackJS.html
The web server looks up the vhost child of the root resource which
consumes the next two components. It sets the host to goody.com, as
it should be and passes control back to the root resource. The
remaining URI at this point is:
http://goody.com/vhost/http/evil.net/pageWithAttackJS.html
This once more invokes the vhost functionality; the following results
and is accessed:
http://evil.net/pageWithAttackJS.html
The malicious JavaScript code is sent to the client, which interprets
it. The problem is that the client still believes it accessed a
resource on goody.com, and therefore allows the JS to access cookies
set by goody.com. The same design flaw can be used for phishing
attacks etc. (faking the "sender" of some information).
Can anyone suggest a good approach for preventing this kind of
violation? I think limiting vhost from working unless the current
request's host is (internalserver, 1234) would be safest. Other ideas?
/ Thanks, David Remahl
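A small model of the dispatch described in the post, added here as an illustration and not taken from Nevow or from David's code. It models a vhost child as a function that consumes `/vhost/<scheme>/<host[:port]>/` and hands the rest back to the root; `resolve_vulnerable` re-enters vhost on the remaining path as described, while `resolve_hardened` applies the suggested check, honouring vhost only while the request still carries the internal proxy address (`internalserver`, 1234, taken from the example URL).

```python
from typing import List, Optional, Tuple

# Address the reverse proxy forwards to (assumed from the post's example URL).
INTERNAL = ("internalserver", 1234)
DEFAULT_PORTS = {"http": 80, "https": 443}


def consume_vhost(segments: List[str]) -> Tuple[str, int, List[str]]:
    """Model of the vhost child: /vhost/<scheme>/<host[:port]>/<rest...>
    rewrites the request's host/port and returns <rest...> for the root."""
    if len(segments) < 3 or segments[0] != "vhost":
        raise ValueError("not a vhost path")
    scheme, hostspec, rest = segments[1], segments[2], segments[3:]
    if scheme not in DEFAULT_PORTS:
        raise ValueError("unknown scheme")
    host, _, port = hostspec.partition(":")
    return host, int(port) if port else DEFAULT_PORTS[scheme], rest


def resolve_vulnerable(host: str, port: int, segments: List[str]) -> Tuple[str, List[str]]:
    """Re-enter vhost whenever the remaining path starts with it, so a
    second /vhost/ segment can point the request at any host."""
    while segments[:1] == ["vhost"]:
        host, port, segments = consume_vhost(segments)
    return host, segments


def resolve_hardened(host: str, port: int, segments: List[str]) -> Optional[Tuple[str, List[str]]]:
    """Honour vhost only while the request still has the internal proxy
    address. After the first rewrite the host is a public name, so a
    nested vhost is refused (None here; a 404 in a real resource)."""
    while segments[:1] == ["vhost"]:
        if (host, port) != INTERNAL:
            return None
        host, port, segments = consume_vhost(segments)
    return host, segments


def split_path(path: str) -> List[str]:
    """Split a request path into non-empty segments."""
    return [s for s in path.split("/") if s]
```

With the post's URL, the vulnerable resolver ends on `evil.net` while the hardened one refuses the second vhost segment and still serves a single, proxy-supplied vhost normally.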