[Twisted-web] Preventing XSS when using Nevow's vhost functionality

David Remahl david at remahl.se
Wed Oct 19 15:48:47 MDT 2005

Say I implement web server that serves content for a number of  
different users, each on their own sub domain. My nevow site has a  
root resource that is sensitive to the host / port information in the  
request (virtual hosting). Since this happens is in a reverse-proxy  
situation, the root resource has a child, vhost, that allows the  
application to gain knowledge of which host the user accessed. One of  
the users, "evil", has a goal of stealing cookie content from people  
who visit goody's web shop.

The attacker makes the victim go to this URL:
which gets rewritten (by the reverse proxy) to:

The web server looks up the vhost child of the root resource which  
consumes the next two components. It sets the host to goody.com, as  
it should be and passes control back to the root resource. The  
remaining URI at this point is:

This once more invokes the vhost functionality, the following results  
and is accessed:

The malicious javascript code is sent to the client which interprets  
it. The problem is that the client still believes it accessed a  
resource on goody.com, and therefore allows the JS to access cookies  
set by goody.com. The same design flaw can be used for phising  
attacks etc (faking the "sender" of some information).

Can anyone suggest a good approach for preventing this kind of  
violation? I think limiting vhost from working unless the current  
request's host is (internalserver, 1234) would be safest. Other ideas?

/ Thanks, David Remahl

More information about the Twisted-web mailing list