[Twisted-web] Preventing XSS when using Nevow's vhost functionality
David Reid
dreid at dreid.org
Wed Oct 19 17:42:54 MDT 2005
On Oct 19, 2005, at 4:29 PM, Jason Mobarak wrote:
> So pageWithAttackJS.js would more likely be liveglue.js?
Perhaps, but I don't think liveglue.js is a hardcoded relative link.
> I don't quite understand why this works. If the first two segments
> of the vhost request are the protocol and the host why isn't it the
> case that these segments are consumed, the URL is re-written to:
>
> http://foo.bar/vhost/http/google.com
>
> ...and it fails because foo.bar doesn't exist? Why are the
> segments still consumed after this point, or...?
Because the point of VHostMonsterResource is so that the application
doesn't need to know the URL it's actually being accessed from in a
ProxyPass situation. In a real-world example you'd trick the user into
going to http://foo.bar/vhost/http/google.com/ and the user would; the
apache server at foo.bar would forward the request to
http://localhost:8080/vhost/http/foo.bar/vhost/http/google.com/ so the
above multiple calls happen and the final request consists of a host
being set to google.com. There just isn't any implementation for it to
fail because foo.bar doesn't exist. The gist is, VHostMonsterResource's
flaws are numerous and inherent.
-David
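The nested-prefix behaviour David describes, as an added example that is not part of the original post and is not Twisted or Nevow code: a self-contained Python simulation of how a VHostMonsterResource-style dispatcher consumes a leading "vhost/<proto>/<host>" prefix, rewrites the request's host, and re-dispatches the remainder from the site root, so that a second prefix in the remainder is honoured as well. The Request class, ALLOWED_HOSTS, the restrict flag and the sample paths are constructed for this example; the script name liveglue.js is borrowed from the thread purely as an illustration of an absolute URL the application might build from the rewritten host.

```python
# Added example: a stand-alone simulation of VHostMonsterResource-style
# dispatch of "/vhost/<proto>/<host>/..." paths. It is not Twisted/Nevow code;
# it only mirrors the behaviour described in the thread so the nested-prefix
# trick can be run offline.

# Assumption (not from the thread): the single host name the reverse proxy
# is expected to announce. Used only by the hardened variant below.
ALLOWED_HOSTS = {"foo.bar"}


class Request:
    """Minimal stand-in for a twisted.web request (constructed for this example)."""

    def __init__(self, path, host="localhost", port=8080, secure=False):
        self.host = host          # what the backend currently believes its host is
        self.port = port
        self.secure = secure
        self.segments = [s for s in path.split("/") if s]  # remaining path segments
        self.rewrites = []        # audit trail of every host rewrite applied


def _split_host(segment):
    """'host' -> (host, 80); 'host:port' -> (host, port)."""
    if ":" in segment:
        host, port = segment.split(":", 1)
        return host, int(port)
    return segment, 80


def dispatch(req, restrict=False):
    """Resolve req.segments the way the vhost resource does.

    Each leading 'vhost/<http|https>/<host>' prefix sets the request's scheme
    and host, is stripped, and the remainder is dispatched again from the site
    root. Because the re-dispatch starts over, a second prefix in the remainder
    is honoured too, which is the nesting David describes.

    restrict=True is an added hardening (an assumption, not something the
    thread proposes): honour at most one prefix, and only for an allowed host.
    """
    hops = 0
    while True:
        segs = req.segments
        if not (len(segs) >= 3 and segs[0] == "vhost" and segs[1] in ("http", "https")):
            return req  # no (more) vhost prefix: the rest goes to the application
        host, port = _split_host(segs[2])
        if restrict and (hops > 0 or host not in ALLOWED_HOSTS):
            raise ValueError("refusing vhost rewrite to %r (hop %d)" % (host, hops))
        req.secure = segs[1] == "https"
        req.host, req.port = host, port
        req.segments = segs[3:]
        req.rewrites.append((host, port))
        hops += 1


def absolute_url(req, child):
    """Build an absolute URL for a child resource from the host the request
    now believes it has, as a framework computing script or redirect targets
    from the request would."""
    scheme = "https" if req.secure else "http"
    default = 443 if req.secure else 80
    netloc = req.host if req.port == default else "%s:%d" % (req.host, req.port)
    return "%s://%s/%s" % (scheme, netloc, child)


def attack_result():
    """What the backend sees after the proxy at foo.bar forwards
    http://foo.bar/vhost/http/google.com/ as the path from the thread."""
    req = dispatch(Request("/vhost/http/foo.bar/vhost/http/google.com/"))
    return req.host, absolute_url(req, "liveglue.js")


def rewrite_refused(path):
    """True if the hardened variant rejects this proxied path."""
    try:
        dispatch(Request(path), restrict=True)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    host, url = attack_result()
    print("host after nested rewrite:", host)
    print("script URL the page would emit:", url)
    print("hardened variant refuses nested prefix:",
          rewrite_refused("/vhost/http/foo.bar/vhost/http/google.com/"))
```

Running it shows the point of the thread: after the proxied path is resolved, the backend's idea of its own host is whatever the last prefix said, so any absolute URL derived from the request (a script src, a redirect, a form action) now points at a host the attacker chose. The restrict branch is one practitioner's check, not a fix the thread endorses: honour a single rewrite, only to a host the proxy is known to serve, and keep the vhost resource reachable from the proxy alone.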