undefined | Better HN

0 pointsbastawhiz8y ago0 comments

> if html used length-prefixed tags rather than open/close tags most injection attacks would go away immediately.

If this was the case, it would be near-impossible to write HTML by hand. And if you're writing HTML with a tool (React, HAML etc.), the tool could be doing HTML escaping correctly instead. This isn't an issue with HTML, it's an issue with human error.

0 comments

TeMPOraL8y ago

> This isn't an issue with HTML, it's an issue with human error.

All security issues are due to human error. Those are solved by building better tools.

> If this was the case, it would be near-impossible to write HTML by hand.

If, besides the text form, there would be a well-defined length-prefixed binary representation, we could simply compile HTML to binary-HTML, which would immediately made the web not only safer, but also much more efficient (it's scary if you think just how much parsing and reparsing goes on when displaying a web page).

lou13068y ago

One could build something similar by using a set of "conventional" canonical S-expressions: https://en.wikipedia.org/wiki/Canonical_S-expressions

krapp8y ago

Prefixes for character length? Is that a better choice than byte size or would it even matter?

quadrangle8y ago

If you have an issue with human error and don't design your programmed tool to avoid letting the errors out into the world, then it is the fault of the tool.

bastawhizOP8y ago

I'm not sure what the argument you're putting forth is. All of the HTML-generating tools I'm aware of (barring dumb string templating tools) work sufficiently well and prevent human error.

My point is that there's nothing wrong with HTML. HTML isn't a tool, it's a format for storing and transmitting hypertext. If you're using React or HAML or any of the other HTML-generating tools, you're effectively immune from XSS. I'm putting forth that developers aren't using effective tools (shame on every templating engine that doesn't escape by default), and that calling the web as a platform bad is a bit nonsensical. It's like saying "folks are writing asm by hand and their code has security issues, therefore x86_64 is insecure".

mike_hearn8y ago

The prevalence of XSS suggest that the web ecosystem has failed to produce the sort of tools you suggest. If such tools actually existed and were good, people would use them and web app exploits would be a curiosity rather than an expectation.

However, no such tool exists. I think there's a deeper issue here: the sheer number of ways you can generate XSS alone, even ignoring the other exploit types, is far beyond what any tool is capable of stopping. Look at one of the XSS holes found by Homakov that I linked to from my article:

http://sakurity.com/blog/2015/06/25/puzzle2.html

The XSS occurs on this line of JavaScript, not HTML:

    $.get(location.pathname+'?something')

That's a simple line of JQuery that does an XmlHttpRequest to the same page that was loaded with an additional parameter. By itself, it is not an XSS. But if the backend is/was running Ruby on Rails (presumably some old version by now) then it could turn into an XSS due to a combination of features that all look superficially harmless.

Show me the tool that would have avoided that type of exploit, without already knowing about it and having some incredibly specific hardcoded static analysis rule.

When I argue that the web is unsafe by design, it's because cases like that aren't rare, they're common. To paraphrase Veekun, scratch the surface of web security and you'll find yourself in a bottomless downward spiral, uncovering more and more horrifying trivia.

2 more replies

quadrangle8y ago

Well put. I agree with all of that essentially.

j / k navigate · click thread line to collapse

0 comments

TeMPOraL8y ago

> This isn't an issue with HTML, it's an issue with human error.

All security issues are due to human error. Those are solved by building better tools.

> If this was the case, it would be near-impossible to write HTML by hand.

lou13068y ago

One could build something similar by using a set of "conventional" canonical S-expressions: https://en.wikipedia.org/wiki/Canonical_S-expressions

krapp8y ago

Prefixes for character length? Is that a better choice than byte size or would it even matter?

quadrangle8y ago

If you have an issue with human error and don't design your programmed tool to avoid letting the errors out into the world, then it is the fault of the tool.

bastawhizOP8y ago

I'm not sure what the argument you're putting forth is. All of the HTML-generating tools I'm aware of (barring dumb string templating tools) work sufficiently well and prevent human error.

mike_hearn8y ago

http://sakurity.com/blog/2015/06/25/puzzle2.html

The XSS occurs on this line of JavaScript, not HTML:

    $.get(location.pathname+'?something')

Show me the tool that would have avoided that type of exploit, without already knowing about it and having some incredibly specific hardcoded static analysis rule.

2 more replies

quadrangle8y ago

Well put. I agree with all of that essentially.

j / k navigate · click thread line to collapse