undefined | Better HN

0 pointsmike_hearn8y ago0 comments

The prevalence of XSS suggest that the web ecosystem has failed to produce the sort of tools you suggest. If such tools actually existed and were good, people would use them and web app exploits would be a curiosity rather than an expectation.

However, no such tool exists. I think there's a deeper issue here: the sheer number of ways you can generate XSS alone, even ignoring the other exploit types, is far beyond what any tool is capable of stopping. Look at one of the XSS holes found by Homakov that I linked to from my article:

http://sakurity.com/blog/2015/06/25/puzzle2.html

The XSS occurs on this line of JavaScript, not HTML:

    $.get(location.pathname+'?something')

That's a simple line of JQuery that does an XmlHttpRequest to the same page that was loaded with an additional parameter. By itself, it is not an XSS. But if the backend is/was running Ruby on Rails (presumably some old version by now) then it could turn into an XSS due to a combination of features that all look superficially harmless.

Show me the tool that would have avoided that type of exploit, without already knowing about it and having some incredibly specific hardcoded static analysis rule.

When I argue that the web is unsafe by design, it's because cases like that aren't rare, they're common. To paraphrase Veekun, scratch the surface of web security and you'll find yourself in a bottomless downward spiral, uncovering more and more horrifying trivia.

0 comments

bastawhiz8y ago

> If such tools actually existed and were good, people would use them and web app exploits would be a curiosity rather than an expectation.

I think you're missing another two obvious explanations:

1. Lack of education when picking a tool (copy paste from bad SO answers is a frequent source of bad code).

2. Developers don't care. If it works, why bother wrapping your head the rest of the way around to understand why it works or whether it's secure?

> By itself, it is not an XSS. But if the backend is/was running Ruby on Rails (presumably some old version by now) then it could turn into an XSS due to a combination of features that all look superficially harmless.

Sure, ERB before RoR essentially had security turned off by default (as I noted). And this issue could happen with any other non-web system, turning into any other kind of vulnerability. This isn't a web problem, it's a system security problem. Bad inputs in a "native" app could lead to security issues in the output of apps on other devices. Badly implemented binary data decoders in a desktop application could do far worse than a XSS in the browser.

This problem is misattributed as a "web problem" because there are far more complete systems on the web than there are on nearly any other platform. It's like the tired argument that Mac is more secure than Windows, but Windows has historically had an overwhelmingly outsized market share, making OS X issues far less valuable to attackers.

> When I argue that the web is unsafe by design, it's because cases like that aren't rare, they're common.

I don't disagree that these issues are common, but I disagree that the web is unsafe by design. The web is a platform. If everyone wrote their Python APIs without a framework, I can guarantee they would be littered with security holes. If everyone wrote their own text renderer in C++, just displaying strings on the screen would be a dangerous task.

There are good tools that make it really hard to fuck up on the web. Seriously, try to accidentally have a XSS vulnerability in an isorendered React app with Apollo. The problem is folks that want to jQuery-jockey their way across the finish line and don't understand that they are making terrible mistakes.

mike_hearnOP8y ago

I think it's easy to blame developers for the failings of their tools and just say, well, they should be more educated or more serious. That'd be great, but there are too many problems with the web to educate users on how to avoid them. Even skilled developers can't reliably avoid every minefield. Look at the attacks by Homokov that I linked to, or read up on HEIST, or cross site tracing, or SSRF attacks.

How many developers do you think might have written a web server in their time, or will do in the next 10 years? And how many know will pass URL components straight through to glibc for resolution, as is the obvious way to do it, and create an exploitable SSRF vuln on their network? How many developers will have even heard of this type of problem?

New ways to exploit weird edge cases and obscure frameworks crop up constantly - it is a full time job even to keep up with it all. At some point you can't blame people walking through a minefield because they keep getting blown up. The problem is the mines.

this issue could happen with any other non-web system, turning into any other kind of vulnerability. This isn't a web problem, it's a system security problem.

That's just not the case, sorry. Have you ever actually written desktop apps that use binary protocols? It's a web problem:

• It relies on the over-complex and loose parsing rules for URLs

• It relies on unexpected behaviour in one of the most popular web libraries

• It relies on bizarre and unexpected behaviour in XmlHttpRequests

• It relies on the fact that web apps routinely import code from third party servers to run in their own security context.

I have been programming for 25 years and I have never seen an exploit like that before in managed desktop apps using binary protocols to a backend.

Seriously, try to accidentally have a XSS vulnerability in an isorendered React app with Apollo.

An isorendered React app with Apollo? I think that may be the most web thing I've heard all week ;)

I think I'll take the bet:

https://medium.com/node-security/the-most-common-xss-vulnera...

That article shows the patterns I cover in my article:

• Buffers can get terminated early, even in a theoretically "XSS-proof" framework.

• JSON can get interpreted as code

• Even experienced web developers can't get it right

If you've never written a desktop app before, I'd suggest grabbing IntelliJ or NetBeans and trying it out. TornadoFX is a good framework to try.

homakov8y ago

Thanks for a mention. Yes, I find web deeply broken. If any big company decides to reengineer it from scratch: I'm available to help for free :)

j / k navigate · click thread line to collapse