

Taking over your code repositories with xss - mike-cardwell
http://blog.mu-cs.com/2011/03/taking-over-your-code-repositories-with.html

======
SoftwareMaven
I don't understand why sites are still subject to bugs like these. After 15
years of poor-escaping bugs and the security problems inherent in them, why is
it so hard to understand the two critical rules:

1. Sanitize everything you can on the way in.

2. Anything that can't be sanitized on the way in must be marked as unsafe
and sanitized on the way out.

Nothing* should ever, ever, ever go directly from one end-user's machine to
another (even the same user). Ever.

* Binaries might be an exception, but even then possibly not (e.g. virus checking).
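The two rules above, as an added example that is not part of the thread or of any of the sites discussed: a `Markup` string type marks values that are already safe, everything else is escaped on the way out, and the encoder is chosen by the output context the template author names. The `{name|ctx}` template syntax, the `Markup` class and the payload strings are constructed for this illustration. The second half of `demo()` shows why "sanitize on the way in" alone is not enough: a value that is clean for HTML text can still break out of an unquoted attribute, because HTML escaping leaves spaces and `=` alone.

```python
import html
import re


class Markup(str):
    """A str that is already safe HTML (escaped or built from escaped pieces).
    Only values of this type pass through render() untouched."""
    __slots__ = ()


def escape_html(value) -> Markup:
    # HTML text and quoted-attribute context: encodes & < > " and '.
    if isinstance(value, Markup):
        return value
    return Markup(html.escape(str(value), quote=True))


def escape_attr(value) -> Markup:
    # Attribute context, safe even if the template author forgot the quotes:
    # everything except ASCII letters and digits becomes a numeric entity, so
    # spaces, '=' and '/' cannot start a new attribute.
    if isinstance(value, Markup):
        return value
    return Markup("".join(
        c if (c.isascii() and c.isalnum()) else f"&#x{ord(c):x};"
        for c in str(value)))


# Placeholder syntax (constructed for this example): {name} or {name|attr}.
_PLACEHOLDER = re.compile(r"\{(\w+)(?:\|(html|attr))?\}")
_ENCODERS = {"html": escape_html, "attr": escape_attr}


def render(template: str, **values) -> Markup:
    """Substitute placeholders; every value is escaped on the way out for the
    context the template names (default: HTML text) unless it is Markup."""
    def sub(match):
        name, ctx = match.group(1), match.group(2) or "html"
        return _ENCODERS[ctx](values[name])
    return Markup(_PLACEHOLDER.sub(sub, template))


# Constructed attacker-controlled input, e.g. a repository description.
PAYLOAD = "<img src=x onerror=alert(1)>"
# Constructed input aimed at an unquoted attribute: no character that HTML
# escaping would touch, yet it injects two attributes if dropped in unquoted.
UNQUOTED_PAYLOAD = "x onfocus=alert(1) autofocus"


def demo():
    # Rule 2 done right: escaped at output, in text context.
    text = render('<p class="desc">{desc}</p>', desc=PAYLOAD)

    # Naive "sanitize on the way in": HTML-escaped once at storage time...
    stored = html.escape(UNQUOTED_PAYLOAD)      # unchanged, nothing to escape
    # ...then emitted into an unquoted attribute: the browser sees new attributes.
    naive = f"<input value={stored}>"

    # Same value, same sloppy template, but encoded for attribute context.
    safe = render("<input value={v|attr}>", v=UNQUOTED_PAYLOAD)
    return text, naive, safe


if __name__ == "__main__":
    for label, out in zip(("text", "naive", "safe"), demo()):
        print(f"{label:>5}: {out}")
```

The design point is the type: `Markup` is the only way to get a string past the encoder, so anything that flows from a request to a response without being explicitly marked gets escaped by default, and a missing `|attr` in a template is a visible bug rather than a silent one.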

~~~
Xk
Those two pieces of advice really are like telling programmers "just don't
make mistakes".

Giving that advice is really, really easy. Every competent web developer knows
that. The hard part is actually implementing it.

For example, lots of programs written today still have buffer overflow
vulnerabilities. Those are even older. The fix is also very simple: "Check the
bounds of your arrays before you use them". That is, again, just telling the
developer to not make mistakes.

Designing security into your app can help with preventing XSS attacks, but
there is no single perfect way.

~~~
mcorrientes
That's true, but code hosting sites especially should be a bit more concerned.

Using a WAF and whitelisting parameters may be a good start too.

Just another reason why I keep the code internal.

~~~
Xk
> especially code hosting sites, should be a bit more concerned.

Not really. There are many examples of sites which should be more concerned.
Anything with your credit card information, say.

> Using a WAF and white listing parameters

Yeah, that's a good start. But you need to make sure everything goes through
the whitelist, and that's the hard part.

> Just another reason why I keep the code internal.

What does this have to do with security?

------
mrspeaker
I don't know if that guy spent months and months searching for those vectors,
but casually lumping XSS attacks on all the big source control sites together is a
frightening thing to see.

We really need to pull back on the super-cool-awesome new feature bloat of
HTML5 and get back to basics: sort this out in a meaningful way.

~~~
d1b
I spent about 3 hours on github (found the bugs after like 2 hours and
spent another 1 playing with wiki markup --- it is sanitized, don't bother), 1
hour on bitbucket, 30 minutes on gitorious (obviously the bug I found was found
very quickly after signing up) and ~1 1/2 hours looking at the launchpad
subdomain.

I did this over like the past 100 days.

