geronimo-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jeff Genender <>
Subject Re: geronimo 1.0 - CSS vulnerabilities - response from Tomcat team
Date Wed, 18 Jan 2006 20:33:31 GMT would there be any interest in a Geronimo valve that we can
include with the container, and developers can choose to add it in at
the Engine (full container), Host, or context levels?  This way if they
want such filtering...just add in the valve.


Joe Bohn wrote:
> I agree that the application should code defensively for these types of
> attacks. However, I'm still wondering if this type of attack isn't
> something that the containers could assist with as well.
> IIUC the attack is basically accomplished by appending some script to a
> valid URL.  If this URL is processed without challenge and returned in
> the response then attack is successful.
> So my question (perhaps dumb question) is - "Is this a typical pattern
> used by an application?"  I can see where script is added to the URL on
> a response but it isn't obvious to me how script might be used on a
> request URL.  Could a container provide some additional protection
> (without breaking apps) by striping any script from incoming requests?
> Joe
> Paul McMahan wrote:
>> Jeff, I believe it is the responsibility of the application to secure
>> itself against XSS attacks, and not the web container's. As you know,
>> the web container really has no way to differentiate between
>> legitimate and "tainted" content in the output stream.  The container
>> could do paranoid things such as replacing suspicous characters when
>> it logs request URIs.  But, as you say, that type of approach could be
>> seen as too heavy handed.
>> Best wishes,
>> Paul
>> On 1/18/06, *Jeff Genender* <
>> <>> wrote:
>>     Where I am going at with this a vulnerability caused by
>> coding
>>     the apps, or the containers themselves?
>>     i.e., Will I have this problem with a perl app running on httpd? or
>>     ASP/C# on IIS?  Is this type of vulnerability a facet of
>> responsibility
>>     that lies on the container, or the developer?
>>     I am just trying to assess this as a true vulnerability from a web
>>     container perspective.  I am assuming, that yes, the container could
>>     change the < and > to lt&; and gt&;.  But, I am wondering where
>> draw
>>     the line and wonder if that is too heavy handed.
>>     If the other web servers provide protection from this, then I
>> guess its
>>     safe to assume we should follow the pack. OTOH, I surely would not
>> want
>>     to take away too much responsibility of the developer to ensure they
>>     are
>>     properly securing their own apps, while maintaining a bit of
>> flexibility
>>     for them.
>>     Jeff
>>     Kevan Miller wrote:
>>      >
>>      > On Jan 18, 2006, at 11:24 AM, Jeff Genender wrote:
>>      >
>>      >> So assuming this appears to be somewhat "examples" related, is
>> this
>>      >> truly a container problem, or just the jsp examples
>> implementation?
>>      >
>>      > IANASE, but it seems that any vulnerabilities must be fixed in
>>     the apps
>>      > themselves -- certainly seems like the only course of action for G
>>      > 1.0.1. I'm currently aware of problems with samples and the admin
>>     console.
>>      >
>>      > Apps must insure they return appropriate content to clients. I
>>     don't see
>>      > how a container could provide general XSS protection... I'm sure
>>     there
>>      > are people who know much more than I on the topic...
>>      >
>>      > --kevan

View raw message