The Broken Web
11 PM
November 27, 2007
OSDC day 2 kicked off with Rasmus Lerdorf talking about security problems on the web. Highlights so far are:
- Pointing out that many browser plugins are URL handlers. If you can find a bug in a plugin that handles a URL, then you can compromise users clicking on that kind of link.
- Live XSS hacking on http://www.liberal.org.au, the conference hotel’s website and a few others
- The JS-Yamanner worm.
- IE6 has some interesting problems, including:
  - in UTF-8, it interprets the byte 0xE0 as the first byte of a 3-byte sequence. If you can inject an E0 into a data field and get it to redisplay in the browser, the browser will ignore the next two bytes, which may be an attribute close quote.
  - it will run Javascript source in an image tag: <img src="http://evil.com/hack.js">.
- Until everyone upgrades their Acrobat plugins, it’s possible to execute arbitrary Javascript in the context of a site serving a PDF, or even the user’s local machine. The only safe way to serve PDF files is from a domain other than your own.
- Use crumbs to stop XSRF problems. A crumb is a unique piece of data put into each web form. When the user submits the form, the server should check that the submitted crumb matches the one it issued.
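Two of the points above (the UTF-8 lead-byte problem and the crumb check) are easy to get slightly wrong on the server side, so here is an added example, not code from the talk or from this post, showing a minimal form handler that applies both. The session store, the function names (`issue_crumb`, `verify_crumb`, `decode_strict_utf8`, `handle_form`) and the sample inputs are all constructed for this example; it assumes the session is server-side and tied to the user's cookie, so a third-party page cannot read the crumb.

```python
import hmac
import html
import secrets


def issue_crumb(session):
    """Generate a fresh, unguessable crumb, store it in the server-side
    session, and return it so the caller can embed it in the form."""
    crumb = secrets.token_urlsafe(32)
    session["crumb"] = crumb
    return crumb


def verify_crumb(session, submitted):
    """Return True only if the submitted crumb matches the one issued for
    this session. compare_digest avoids a timing side channel."""
    expected = session.get("crumb")
    if expected is None or submitted is None:
        return False
    return hmac.compare_digest(expected, submitted)


def decode_strict_utf8(raw):
    """Decode submitted bytes as UTF-8 and reject malformed input.

    A lone 0xE0 lead byte with no continuation bytes is malformed, so strict
    decoding raises. Decoding with errors="replace" instead would silently
    turn the byte into U+FFFD and let the following bytes (such as a closing
    quote) through, which is exactly the situation the IE6 note describes."""
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError:
        return None


def handle_form(session, form_bytes, submitted_crumb):
    """Apply both checks to one form submission.

    Returns (accepted, payload): on success the payload is the field value
    escaped for safe redisplay inside an HTML attribute; on failure it is a
    short reason string."""
    # Crumb check first: a request without the right crumb did not come from
    # a form this server issued to this session.
    if not verify_crumb(session, submitted_crumb):
        return False, "crumb mismatch"
    text = decode_strict_utf8(form_bytes)
    if text is None:
        return False, "malformed UTF-8"
    # quote=True escapes both " and ' so the value cannot close an attribute.
    return True, html.escape(text, quote=True)


if __name__ == "__main__":
    # Constructed walk-through: one session, one issued crumb, three submissions.
    session = {}
    crumb = issue_crumb(session)
    print(handle_form(session, b'plain value', crumb))          # accepted
    print(handle_form(session, b'value\xe0"', crumb))           # malformed UTF-8
    print(handle_form(session, b'plain value', "forged-crumb")) # crumb mismatch
```

Rotating the crumb after each successful submission (calling `issue_crumb` again when rendering the next form) limits how long a leaked value stays useful; the example keeps a single crumb per session for brevity.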