http://qs1969.pair.com?node_id=206806


in reply to Re: Filtering potentially dangerous URI schemas in <a href="...">
in thread Filtering potentially dangerous URI schemas in <a href="...">

I strongly agree that allowing users to post javascript is a reckless oversight that should be remedied as soon as possible. Like all other websites, Perlmonks is subject to the same security issues that affect public sites. You can not trust user input, and can not afford to allow users to acces programming APIs unless you clearly and prominently describe the risk to all users.

That perlmonks allows JS in posts troubles me quite a bit. I am not comfortable being exposed to abuse by a users of a web application, no matter how good the intent is which brought about the exposure.

Exposing perlmonks to cross-site scripting hacking by allowing javascript is a real oversight and it is incomprehensible to me that non-trusted users are allowed to post JS at all.

The sad fact of the matter is that JS is a permanent part of most web browsing experiences.

I would be very much happier if all user-generated JS was reaped from all pages, and JS candy was simply banned.

Don't we routinely lambaste Microsoft for doing similar unfortunate things with their products?

Why is it ok for us to put out features because they are cool without considering the consequences on the general population?

About petrucio's password hash hack... It is not so bad because it only shows the encrypted pwd and can only access cookies related to Perlmonks. With current JS security, I believe that unless you send email messages, you can only talk to the server the page came from. But nevertheless, JS can really mess up pages (through DOM manipulations for example)

I propose that it would be better if scriptign commands were reaped unless held within <code /> tags.

hackmare.
roasp.com

Replies are listed 'Best First'.
Re(3): Filtering potentially dangerous URI schemas in <a href="...">
by Dog and Pony (Priest) on Oct 21, 2002 at 15:03 UTC
    About petrucio's password hash hack... It is not so bad because it only shows the encrypted pwd and can only access cookies related to Perlmonks. With current JS security, I believe that unless you send email messages, you can only talk to the server the page came from.
    If I can display your cookie to you, I can send it to me. If I can get your cookie, I can login as you.

    I'm not sure what is allowed nowadays in scripts on home nodes, and I didn't go check the script in question (I'm pretty sure Petruchio is *not* sending it anywhere anyways) but the above should be true unless someone actually took a lot of time parsing and allowing certain js commands and not others. :)


    You have moved into a dark place.
    It is pitch black. You are likely to be eaten by a grue.

      I think that you will find that while possible to break an encrypted cookie eventually, it is by no means a trivial task.

      If I can display your cookie to you, I can send it to me. If I can get your cookie, I can login as you.

      Most Javascript cookies are encrypted at the server using (most likely) an MD5 salt. The ones that are not usually end up serving as a lesson to others about security and web application architecture embarassement.

      Here is my password per Petrucio's site...

      userpass=hackmare%257ChaY8je3nfzM7s%257C

      I invite you to log into my account and send me a message telling me you did it.


      Update by Dog and Pony: I can do better than that. I am very sorry for this intrusion, but what better way to prove my point? After all, you invited me into your account. And no, I will not tell you how I did it. Just suffice to say that encryption does not matter in this case. I'd really advice you to change your password fast. I could do it for you, but that wouldn't really help, now would it? :)



      Update by hackmare: Very well done, dog_and_pony. I am clearly wrong and misinformed.
      I would very much appreciate a primer on where my understanding of cookie security is wrong.
      Is it that the cookie is only appearing encrypted on my machine while it is not, or that you know the server salt, or that you used an improved cracklib (mind you the pwd string is not that good), or that you got a cleartext cookie?

      Please reply in another post rather than in mine. And no offense taken for your demonstration.


      While not impossible, it is much too difficult to do for the vast majority of hackers. If it was not the case, there would be no such thing as cookies or secure web apps. I seriously doubt anyone without a crypto background can do it.

      But this does not change the fact that exposing all of us to the risks of cross-site scripting is a Very Bad Thing for us and for PerlMonks's reputation if there is any problem

      hackmare.

        I would very much appreciate a primer on where my understanding of cookie security is wrong. Is it that the cookie is only appearing encrypted on my machine while it is not, or that you know the server salt, or that you used an improved cracklib (mind you the pwd string is not that good), or that you got a cleartext cookie?
        Actually, it is none of this. I am sure the password is encrypted and I do not know now what it is/was. I know nothing about the server, much less any salt and have no access to such information. I did not use any tools besides a browser. And the only thing I got was the string you provided me with.

        What you missed about cookie security is simply this: if you browser needs certain information to remember you and keep you logged in, then my browser can use the same information to log me in as you.

        This is why user supplied javascript is insecure on a site like this, because I can get that information about you and send it to me. Javascript is generally not insecure in this way, and even though I rarely use them, I do not disapprove of js as such - used right, it is fine. What we have here is the unlucky combination of user supplied javascript that is not filtered and a login that doesn't time you out or take other measures to ensure that you are you. So generally, such as warning as Petruchio's is also uncalled for, it is only valid for this site and other sites that allow this. Keep js on for any other place if you want. :)

        I do not wish to change the login and cookie thingy - it is fine if we just remove the scripts. And it is safe in other ways, meaning that it is as hard or harder to simply guess your cookie without information as it is guessing your password in the first place.


        You have moved into a dark place.
        It is pitch black. You are likely to be eaten by a grue.
        I apologize for doing the above. I do not usually do stuff like that, and will not do it again. But since I really want this to be impossible to do on this and on any site, I gave this demonstration. All I needed was the above info. Now, could we please ban javascript from this site?
        You have moved into a dark place.
        It is pitch black. You are likely to be eaten by a grue.

        By the way, just to make the point, it's very easy to crack hashed passwords. This password was hashed using DES (not MD5, which is harder), and took a mere 21 hours to crack. msg me if you really don't believe me that I got it.

        But it doesn't matter how long it take to crack passwords. Since it involves NO manual effort, I could have left it running for weeks, until it eventually cracked. Saying "it's too difficult to do for the vast majority of hackers", is just plain wrong. It's very very very simple to do.

        That's why you never want your hashed passwords reveiled. Aside from the fact, as dog an pony showed, that sometimes you don't need to crack the hash in order to use it. Also, do you really keep seperate passwords on each site you go to? A lot of people don't.

        -- Dan