by aban 3465 days ago
I wrote a long reply, but ended up erasing it and I'll just say that many of these vulnerabilities are due to the programmer using one type (i.e. string) to represent all kinds of data that might be malicious and unsanitized, and then losing track of whether a piece of data is safe for use (e.g. to be sent to DB) or not.

I recommend checking out the Yesod web framework [0], which leverages Haskell's strong type system to provide type-safety and a whole range of nice guarantees, including preventing vulnerabilities like the ones you mentioned.

Spock [1] is another cool web framework also written in Haskell that looks quite promising.

[0]: http://www.yesodweb.com/page/about

[1]: https://www.spock.li


Yesod doesn't prevent all of them. You can use "javascript:" to still do XSS, last time I checked. This is because that kind of content is valid in HTML... but maybe not what you wanted to happen.

Content Security Policy headers can be used to prevent XSS attacks. Caveats are that the user must be using a modern browser, and you have to move all inline scripts out to a .js file. Read more here: http://content-security-policy.com/

I don't see why javascript: is fundamentally different than other XSS vectors.

Because for other types of injections Yesod WILL actually properly encode <script> tags and make them &lt;script&gt;, which will prevent SOME XSS exploits.

But it doesn't prevent all of them.

This is not true, at least not anymore.

Yesod uses xss-sanitize [0], and their sanitize function does indeed prevent "javascript:" attempts. They even have a test case for it [1].

Playing around with it in the REPL:

  Prelude Text.HTML.SanitizeXSS Data.Text> sanitize $ pack "<IMG SRC=javascript:alert('XSS')>"
  "<img>"
  Prelude Text.HTML.SanitizeXSS Data.Text> sanitize $ pack "<IMG SRC=\"javascript:alert('XSS')\">"
  "<img>"
  Prelude Text.HTML.SanitizeXSS Data.Text> sanitize $ pack "<IMG SRC=fine>"
  "<img src=\"fine\">"
  Prelude Text.HTML.SanitizeXSS Data.Text> sanitize $ pack "<IMG SRC=\"this is ok too\">"
  "<img src=\"this is ok too\">"

[0]: https://hackage.haskell.org/package/xss-sanitize

[1]: https://github.com/yesodweb/haskell-xss-sanitize/blob/9a9101...
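To make the behaviour in that REPL session concrete, here is an added Python sketch of the URL-scheme check a sanitizer like xss-sanitize has to perform; it is not the library's code, and the allow-listed schemes, the attribute names treated as URLs, and the sample inputs are assumptions chosen to reproduce the four cases above plus one with a tab hidden in the scheme.

```python
import html
import re
from html.parser import HTMLParser

# Assumptions for this example: which attributes carry URLs and which
# schemes are acceptable. Anything else with a scheme is dropped.
URL_ATTRS = {"src", "href"}
SAFE_SCHEMES = {"http", "https", "mailto"}


def url_is_safe(value: str) -> bool:
    """True if the URL is relative or uses an allow-listed scheme."""
    # Browsers ignore ASCII control characters and whitespace inside the
    # scheme ("java\tscript:" still runs), so remove them before matching.
    cleaned = re.sub(r"[\x00-\x20]", "", value).lower()
    m = re.match(r"^([a-z][a-z0-9+.-]*):", cleaned)
    if m is None:
        return True  # no scheme at all: relative URL such as "fine"
    return m.group(1) in SAFE_SCHEMES


class Sanitizer(HTMLParser):
    """Re-emits markup, dropping event handlers and unsafe URL attributes."""

    def __init__(self):
        super().__init__()
        self.out = []

    def handle_starttag(self, tag, attrs):
        kept = []
        for name, value in attrs:
            name = name.lower()
            if name.startswith("on"):  # onerror=, onload=, ...
                continue
            if name in URL_ATTRS and not url_is_safe(value or ""):
                continue  # e.g. src=javascript:alert('XSS') is removed
            kept.append((name, value))
        attr_text = "".join(
            f' {n}="{html.escape(v or "", quote=True)}"' for n, v in kept)
        self.out.append(f"<{tag}{attr_text}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)  # <img/> stays a void element

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(html.escape(data))  # text is always entity-encoded


def sanitize(fragment: str) -> str:
    p = Sanitizer()
    p.feed(fragment)
    p.close()
    return "".join(p.out)
```

Note that a scheme check alone is not a complete sanitizer; the real library also controls which tags and attributes are allowed at all, and a CSP header as mentioned above is an independent second layer.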