I've gotten into the habit of starting off every new project of mine with the header "Content-Security-Policy: script-src 'self'" on all pages, and whitelisting domains and 'unsafe-eval' as I need them. ('unsafe-eval' isn't so bad. 'unsafe-inline' is the really unsafe one that you want to avoid, because it undoes the XSS protection. Eval has legitimate uses, and eval-based vulnerabilities are nowhere near as easy to accidentally create and never notice as a regular XSS vulnerability. I'd bet that everyone who has really written JavaScript+HTML without CSP has created a regular XSS vulnerability at some point.)
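For example, a minimal sketch of that starting point as Express middleware (Express is my assumption here; any server that can set a response header works the same way):

    import express from "express";

    const app = express();

    // Start strict: only same-origin scripts may run. Loosen it per directive as
    // needs come up, e.g. "script-src 'self' https://cdn.example.com 'unsafe-eval'".
    app.use((req: express.Request, res: express.Response, next: express.NextFunction) => {
      res.setHeader("Content-Security-Policy", "script-src 'self'");
      next();
    });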
There's no excuse not to start new projects off with a CSP rule like that. Doing it from the start means you won't ever have to comb through your codebase later, removing every bit of inline JavaScript you've come to depend on, just to get the benefits.
CSP rules are a good defense-in-depth measure that will most likely limit the reach of any vulnerabilities you do ship. They're not a cure-all that frees you from having to understand HTML/text encoding.
It's like what ASLR and stack canaries do for buffer overflow vulnerabilities in C/C++. You should still try to avoid writing buffer overflow bugs, but if/when they do happen, the protections mean the bug will probably just be a denial of service rather than something that lets an attacker execute code on your systems.
Yep. XSS isn’t at all hard to prevent if you’re using tools that are safe by default. Unfortunately, popular ones like jQuery aren’t. (This, more than any other, is a reason to prefer the DOM API.)
Pfft. Straight from the documentation of the method:
    content
    Type: *htmlString* or Element or Array or jQuery
You could argue that the API is bad for allowing HTML strings as arguments, but it's not really surprising that a function does what it's documented to do. Especially since these are DOM-manipulation functions, not string-manipulation functions.
There are relatively few DOM APIs that expect a trusted string. innerHTML and outerHTML are two, and they clearly state that they take HTML, so it's no surprise that the stuff you give them gets interpreted as such. But if you use e.g. textContent or createTextNode to insert text into your document, they will correctly treat it as plain text.
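A quick sketch of the difference, using the classic image-onerror payload:

    const userInput = '<img src=x onerror="alert(1)">';
    const el = document.createElement("div");
    document.body.append(el);

    el.innerHTML = userInput;   // parsed as HTML: the onerror handler fires (XSS)
    el.textContent = userInput; // treated as text: the markup renders literally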
jQuery has text()[0], but because most of its API takes strings to start with, it's very convenient to do the wrong thing and shove untrusted strings into unsafe methods.
> yes, API takes strings, but it calls native DOM at the end anyway
jQuery calls unsafe APIs that should only be handed trusted strings, but it makes it easy and convenient to give them untrusted strings, and thus introduces exploit vectors.
Furthermore, it's also significantly more difficult to audit the code: using the regular DOM, there are only a couple of attributes to check, whereas pretty much any jQuery method call is a potential security hole.
tldr: jQuery makes doing things wrong very easy, much easier than doing things right.
Everything in jQuery is DOM manipulation. (Well, except for the little extra parts that aren't, like $.ajax.) Tons of websites' code is primarily just jQuery calls, because DOM manipulation is what makes things happen on the web.
The only native DOM API calls that can get you an XSS vulnerability are assignments to `innerHTML`, `outerHTML`, and maybe a few others. Most of the methods for getting things done have no possibility of introducing an XSS issue. With jQuery, many methods, including every method capable of inserting elements, are also capable of introducing an XSS issue depending on the types passed to them. So when you're reviewing for XSS issues, you have many more places to check, and analyzing the jQuery calls for XSS potential is much more difficult because you have to trace the path backwards from every single call to see what types end up in the variables passed to it.
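To make the contrast concrete, here's a sketch (getCommentFromRequest is a hypothetical source of untrusted data):

    import $ from "jquery";

    declare function getCommentFromRequest(): string; // hypothetical untrusted source
    const userInput = getCommentFromRequest();

    // jQuery: the same method is safe or unsafe depending on what reaches it.
    $("#comments").append(userInput);                // string parsed as HTML: potential XSS
    $("#comments").append($("<p>").text(userInput)); // text() escapes: safe

    // Native DOM: the dangerous call is unmistakable at the call site.
    const commentsEl = document.getElementById("comments")!;
    commentsEl.insertAdjacentHTML("beforeend", userInput); // obviously interprets HTML
    commentsEl.append(document.createTextNode(userInput)); // obviously plain text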
The HTML framework I created for personal projects has a special string type that cannot be output (nor even compiled) without specifically selecting which format you want the string encoded as (eg HTML, URL, plain text, etc). While this does produce some arguably uglier code and creates a little additional development overhead (ie code fails to compile by default), it has caught numerous instances where I would have accidentally left myself open to this kind of attack. So I've found it to be highly effective in the long run.
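The framework itself isn't shown here, but a minimal sketch of the same idea in TypeScript might look like this (all names are hypothetical):

    declare const formInput: string; // untrusted, e.g. straight from a form post

    // Untrusted text is wrapped in a type that is not assignable to string, so
    // using it without explicitly picking an output encoding fails to type-check.
    class UntrustedString {
      constructor(private readonly raw: string) {}

      asHtml(): string {
        return this.raw
          .replace(/&/g, "&amp;")
          .replace(/</g, "&lt;")
          .replace(/>/g, "&gt;")
          .replace(/"/g, "&quot;")
          .replace(/'/g, "&#39;");
      }

      asUrlComponent(): string {
        return encodeURIComponent(this.raw);
      }
    }

    declare function render(html: string): void; // hypothetical sink expecting a string

    const name = new UntrustedString(formInput);
    render(`<p>Hello, ${name.asHtml()}</p>`); // OK: encoding chosen explicitly
    // render(name);                          // compile error: UntrustedString is not a string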
Python's Jinja templating language has the concept of "safe" and "unsafe" strings. By default all strings are unsafe (meaning they will be escaped wherever they are rendered) and you need to explicitly mark them as safe in order to be able to treat them as HTML.
React and Angular (and maybe Ember too?) similarly auto-escape any strings to be rendered and only provide very explicit ways to circumvent that (in React it's even called "dangerouslySetInnerHTML" and takes an object with a property called "__html" rather than a string[0]).
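For instance, a rough sketch of both paths in React (TSX; the component names are made up):

    import React from "react";

    // Default path: interpolated strings are escaped, so markup renders as literal text.
    const Comment = ({ body }: { body: string }) => <p>{body}</p>;

    // The escape hatch is deliberately verbose, so it stands out in review.
    const RawComment = ({ trustedHtml }: { trustedHtml: string }) => (
      <p dangerouslySetInnerHTML={{ __html: trustedHtml }} />
    );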
You can avoid XSS in dynamically typed languages. You just need to make the safe thing easier to do than the dangerous thing.
[0]: I really like React's approach to naming APIs you should think twice about using. For legacy reasons ReactDOM is still bundled as part of React and exposed with a property but the name of that property is "__SECRET_DOM_DO_NOT_USE_OR_YOU_WILL_BE_FIRED" (presumably to prevent React maintainers / Facebook employees from using it).
I wasn't implying dynamically typed languages were worse than statically typed languages. I was just discussing the approach I used to mitigate human error when building web UIs, in the hope it might inspire other people (or that other people might offer feedback that inspires improvements in my own framework).
It is interesting to see that other frameworks are using similar ideas to my own, though. Maybe that's not surprising, but it's at least reassuring to know that my own quirky API design isn't as left-field as it felt when I was developing it.
> Python's Jinja templating language has the concept of "safe" and "unsafe" strings. By default all strings are unsafe (meaning they will be escaped wherever they are rendered) and you need to explicitly mark them as safe in order to be able to treat them as HTML.
That's good, but it's not ideal, as it conflates "HTML-escaped" with "safe". An unwary developer could output untrusted text "safely" and still open up an XSS vulnerability, because they could be outputting into JavaScript embedded within HTML. Yes, Jinja will encode it as HTML by default, rendering it "safe" as far as the HTML parser is concerned, but that still doesn't make it actually safe.
Example:

    <script>
      alert("Hello, {{user.name}}!");
    </script>
By default, Jinja will encode this as HTML, meaning that you can't trick the HTML parser into injecting your HTML. But it is still vulnerable to exactly the same kind of attack, just by tricking the JavaScript parser instead.
We should recognise what's actually at issue here. It's not really about whether data is "safe" or not; it's about correctly encoding data for the context in which it is being output. Sometimes that's HTML, sometimes it's JavaScript, sometimes it's CSS, etc.
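A sketch of what encoding for the context means in practice (the helpers are illustrative, not from any particular library):

    const name = 'alert("pwned")'; // untrusted input

    // HTML context: escape the HTML metacharacters.
    const htmlEscapes: Record<string, string> = {
      "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
    };
    const forHtml = name.replace(/[&<>"']/g, (c) => htmlEscapes[c]);

    // JavaScript string context: emit a valid JS string literal instead, and
    // escape "<" so a payload containing "</script>" can't terminate the block.
    const forJs = JSON.stringify(name).replace(/</g, "\\u003c");

    // Swapping the two, e.g. using the HTML encoder inside a <script> block,
    // is exactly the mistake described above.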
I have always been nervous about clicking on links to sites that say 'we were hacked, but we're safe now.' When that link also includes the hubristic 'and we'll never be hacked again,' which paints a target on you big enough for the entire darknet to see... I'm sorry but I'm not clicking on that link.
Is there a tool that tries XSS and other common attacks on a web page?
Similar to how Google PageSpeed Insights and SEO tools detect errors such as "You haven't minified your CSS", "You haven't set a title and description for your page", etc.
- Content-Security-Policy https://developer.mozilla.org/en-US/docs/Web/Security/CSP/In...
- The sandbox attribute on iframes: https://developer.mozilla.org/en/docs/Web/HTML/Element/ifram...
XSS is one of the hardest things to keep under control at scale.