XSS: Flash and Rails
Date : 2008 01 10 Category : Tech & Development
AjaxianA couple of good articles on XSS and security came out at the same time. One talks about XSS in Flash, and the other on Rails:
XSS Vulnerabilities in Common Shockwave Flash Files
Rich Cannings has written an article explaining the issue of XSS wrt Flash:
Critical vulnerabilities exist in a large number of widely used web authoring tools that automatically generate Shockwave Flash (SWF) files, such as Adobe (r) Dreamweaver (r), Adobe Acrobat (r) Connect (tm) (formerly Macromedia Breeze), InfoSoft FusionCharts, and Techsmith Camtasia. The flaws render websites that host these generated SWF files vulnerable to Cross-Site Scripting (XSS).
This problem is not limited to authoring tools. Autodemo, a popular service provider, used a vulnerable controller SWF in many of their projects.
Simple Google hacking queries reveal that hundreds of thousands of SWFs are vulnerable on the Internet, and a considerable percentage of major Internet sites are affected. We are only reporting XSS vulnerabilities that have been fixed by the vendors.
He talks through tools that cause the issue, and then solutions on how to keep yourself safe.
Stu Halloway of Relevance has written about SafeErb and how he got it working on a Rails 2.0 application. He kept notes as he went through the experience, allowing us to learn from his acts.
What is SafeErb?
Safe ERB lets you make sure that the string written by "<%= %>" in your rhtml template is escaped correctly. If you try to show the attributes in the ActiveRecord instance read from the database or the parameters received from the request without escaping them using "h" method, an exception will be raised. This will significantly reduce the possibility of putting cross-site scripting vulnerability into your web application.
The check is done using "tainted?" method in Object class which is a standard feature provided by Ruby - the string is "tainted" when it is read from IO. When ERB::Util#h method is called, this plugin "untaints" the string, and when "<%= %>" is called in your rhtml template, it raises an exception if the string you are trying to show is tainted.