Sla.ckers.org
Hi - my pet project - server side CSP output filter
Posted by: FunkyRes
Date: March 13, 2009 02:42PM

My first post so I'll intro myself a little bit.
I'm not a web designer/coder. I've dabbled in php for years but this is my first real project other than simple display.

The project is inspired by
http://people.mozilla.org/~bsterne/content-security-policy/

My goal is to implement it server side through a class that acts as a post filter.
Obviously it is not going to be as good as a real browser based CSP solution because a policy allowed script could modify the DOM to add stuff the policy would reject, and there's no way to catch that server side.

But I hope my output filter will eventually be good enough to catch and remove anything in the sent document that would trigger CSP on a CSP enabled client.

Here's the current version of the class file:

http://homepage.mac.com/mpeters/misc/cspfilter_class.php.txt

It does require that the document be fully created and in a DOMDocument object (use DOMDocument's loadHTML() for well formed html, use loadXML() for well formed xhtml)

basic usage - where $foo is your DOMDocument object

this example assumes you want to allow images, script, and object tags

$bar = new cspfilter;
$bar->httphost = "www.example.net";
$bar->csp['allow']      = "none"; // that's default but not bad idea to explicitly state
$bar->csp['img-src']    = "images.example.net *.photobucket.com";
$bar->csp['script-src'] = "scripts.example.net";
$bar->csp['object-src'] = "self";
$bar->inputDom($foo);
$bar->processData();
// defaults to false which creates meta tag instead of header
$bar->cspHeader = true;
$bar->makeCSP(); // sends the header or adds meta tag to document head

// now we've sent the CSP header - send the page

print $foo->saveHTML(); // use saveXML() for xhtml

I've done a little testing of the class on my own project that I'm building, but I have not tested it heavily.
I'm going out of town this weekend, but when I get back I hope to create a test case page that lets anyone select what csp options they want to enforce (and specify what hosts to allow), enter raw html into a textarea, and submit it - with the raw html being placed in a div under the textarea. I'll obviously have to do a little input filtering in order to ensure the raw html is valid and can be imported into the DOM object, but anyway - that playground to find bugs may take a little while.

However, since I'm neither a php coder by trade nor a security expert, I would really appreciate any feedback possible on the class.

One thing to note - I believe the current CSP recommendation wants no event attributes at all. My output filter does allow whitelisting of event handlers, but it does not allow arguments in the function (i.e. if you whitelist onload, <body onload="alert('foo');"> would be filtered to <body onload="alert();">).

For my web app I'm building, I really do need onload, onchange, and onsubmit. Yes, the webapp works w/o scripting but the user experience with the scripting.

-=-

I know requiring the html to be fully constructed before a line of it is sent will mean many existing projects would not be able to use the filter, but it seems quite a few templating systems do just that - so loadHTML() is all it would take to prepare the output for the output filter.

Again, I appreciate any and all feedback. I've learned a lot from Rsnake's blog and I've learned a lot from reading this forum.

Re: Hi - my pet project - server side CSP output filter
Posted by: Gareth Heyes
Date: March 13, 2009 02:48PM

I guess my suggestion would be to create a demo page with a input and output box. Then we can test it, yes we can look at the source but it's easier and less time consuming to test a demo page.

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]



Edited 2 time(s). Last edit at 03/13/2009 03:17PM by Gareth Heyes.

Re: Hi - my pet project - server side CSP output filter
Posted by: FunkyRes
Date: March 13, 2009 02:57PM

Yes, I plan to create a demo page that even lets the user specify the policy.
I'll have to do that after this weekend though.

Re: Hi - my pet project - server side CSP output filter
Posted by: FunkyRes
Date: March 13, 2009 08:47PM

Here's a test page with (hopefully) all the trimmings:

http://www.clfsrpm.net/xss/dom_script_test.php

Re: Hi - my pet project - server side CSP output filter
Posted by: FunkyRes
Date: March 29, 2009 06:48AM

Anyone?
I suspect it still has bugs but I squashed a bunch that I found.

Re: Hi - my pet project - server side CSP output filter
Posted by: Gareth Heyes
Date: March 29, 2009 10:35AM

<div style="xss:expression(alert(1))">test</div>

<a href="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==">test</a>

Edited 1 time(s). Last edit at 03/29/2009 10:38AM by Gareth Heyes.

Re: Hi - my pet project - server side CSP output filter
Posted by: Anonymous User
Date: March 29, 2009 12:25PM

<form id=document><input id=cookie>
<label style=display:block;height:10em for=submit>

Not sure if you want to cover those things too...
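A worked version of the kind of output filter this thread discusses, added here as an example and not the PHP class the poster linked: it applies the first post's policy to the src-bearing tags, drops inline script and event handlers, and also removes the constructs raised in the later replies (CSS expression() in a style attribute, a data: href, and id/name values that clobber document.* properties). The policy values, the tag-to-directive table and the use of Python's html.parser instead of a DOMDocument are assumptions of this example.

```python
import html
import re
from html.parser import HTMLParser
from urllib.parse import urlparse
# Constructed policy mirroring the usage example in the first post (not the project's own code).
POLICY = {"self": "www.example.net", "img-src": "images.example.net *.photobucket.com",
          "script-src": "scripts.example.net", "object-src": "self"}
SRC_DIRECTIVE = {"img": "img-src", "script": "script-src", "object": "object-src", "embed": "object-src"}
VOID = {"img", "br", "hr", "input", "meta", "link", "embed", "param", "source"}
# Match a URL against one directive's source list (none / self / host / *.host).
def source_allowed(url, directive):
    u = urlparse(url.strip())
    if u.scheme not in ("", "http", "https"):                  # data:, javascript:, vbscript: ...
        return False
    host = (u.hostname or POLICY["self"]).lower()              # a relative URL is same-origin
    sources = [POLICY["self"] if s == "self" else s for s in POLICY.get(directive, "none").split()]
    return any(host == s or (s.startswith("*.") and host.endswith(s[1:])) for s in sources)
# Reject attributes CSP treats as inline code, plus ids/names that clobber document.* properties.
def attr_allowed(name, value):
    clobbers = name in ("id", "name") and value.lower() in ("document", "cookie", "forms", "location")
    inline_css = name == "style" and re.search(r"expression\s*\(|url\s*\(|@import", value, re.I)
    if name.startswith("on") or clobbers or inline_css:        # handlers, DOM clobbering, CSS that runs/loads
        return False
    return name not in ("href", "src", "data", "action") or urlparse(value.strip()).scheme in ("", "http", "https")

class CspFilter(HTMLParser):
    def __init__(self):
        super().__init__()
        self.out, self.skip = [], 0                            # skip > 0 while inside a dropped element
    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("data" if tag == "object" else "src")   # the URL CSP governs for this tag
        if self.skip or tag == "style" or (tag == "script" and src is None) or (
                tag in SRC_DIRECTIVE and src is not None and not source_allowed(src, SRC_DIRECTIVE[tag])):
            self.skip += int(tag not in VOID)                  # drop the element and, if it has one, its body
            return
        kept = [(n, v or "") for n, v in attrs if attr_allowed(n, v or "")]
        self.out.append(f"<{tag}" + "".join(f' {n}="{html.escape(v)}"' for n, v in kept) + ">")
    def handle_endtag(self, tag):
        if self.skip:
            self.skip -= int(tag not in VOID)
        elif tag not in VOID:
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        self.out.append("" if self.skip else html.escape(data, quote=False))

def csp_filter(markup):
    p = CspFilter()
    p.feed(markup)
    p.close()                                                  # flush any buffered trailing text
    return "".join(p.out)
```

Unlike a browser-side CSP, this runs once over the finished markup, so (as the first post notes) it cannot see what an allowed script later adds to the DOM.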
