XSS vulnerabilities besides cookie stealing
Posted: Sun Apr 16, 2006 5:43 pm
Hi,
I'm hoping some security gurus can help me out here.
I'm creating a site where the users must be able to completely customize their site with html, javascript, and css. That's a lot to ask, security-wise.
First off, giving each user their own subdomain isn't feasible. I do have an SSL certificate for this domain, however. Thus, my current security method is to force all important authenticating or authentication-required pages to be accessed via the SSL link. All customizable pages are required to be viewed on non-secured links.
When they sign in, I set two cookies:
- MAC'd preferences cookie (basically username and timezone)
- MAC'd session SSL-only cookie
Any javascript on a site can only access the MAC'd preferences cookie*. If some javascript messes with it, then it is reset the next time the cookie owner visits a secured page. If the javascript steals the cookie, then all the hacker has is a preferences cookie and can't do much of anything.
Assuming all output on the SSL'd pages is very carefully filtered and escaped, is there anything that can go wrong with this setup? Can they do anything else with javascript that I should be worried about (or that they couldn't do if they weren't on the same domain)?
- Nathaniel
*Tested on FF 1.5 and IE6
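The setup described in the post, as an added example (not the poster's code): it builds the two MAC'd cookies, then models the cookie rules FF 1.5 and IE6 applied, to show one thing script on a non-SSL page can still do. It cannot read the Secure session cookie, but it can set a non-Secure cookie with the same name and a longer Path, and the browser sends that one first on the next https request (cookie tossing, used here for session fixation). The key, usernames, paths and session IDs are constructed for the example, and the naive/hardened server parsers are illustrations, not the poster's implementation.

```python
import hashlib
import hmac

# Constructed secret for this example (assumption: a real deployment keeps it out of the web root).
SERVER_KEY = b"example-only-key-0123456789"


def mac_cookie(name: str, value: str, key: bytes = SERVER_KEY) -> str:
    """Return 'value.tag' with tag = HMAC-SHA256(key, name || NUL || value).
    Binding the cookie name into the MAC stops a tag valid for one cookie being copied onto another."""
    tag = hmac.new(key, name.encode() + b"\x00" + value.encode(), hashlib.sha256).hexdigest()
    return f"{value}.{tag}"


def verify_cookie(name: str, raw: str, key: bytes = SERVER_KEY):
    """Return the cookie's value if its MAC verifies (constant-time compare), else None."""
    value, sep, tag = raw.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(key, name.encode() + b"\x00" + value.encode(), hashlib.sha256).hexdigest()
    return value if hmac.compare_digest(tag, expected) else None


def login_set_cookie_headers(username: str, tz: str, session_id: str) -> list:
    """The two Set-Cookie headers the post describes. HttpOnly is added to the session
    cookie as defence in depth only (not every 2006 browser honoured it)."""
    return [
        f"prefs={mac_cookie('prefs', username + '|' + tz)}; Path=/",
        f"session={mac_cookie('session', session_id)}; Path=/; Secure; HttpOnly",
    ]


def _parse_set_cookie(header: str) -> dict:
    """Split 'name=value; Attr; Attr=val' into a cookie record."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {a.partition("=")[0].lower(): a.partition("=")[2] for a in parts[1:] if a}
    return {"name": name, "value": value, "path": attrs.get("path") or "/",
            "secure": "secure" in attrs, "httponly": "httponly" in attrs}


class OldBrowserJar:
    """Cookie store with the rules FF 1.5 / IE6 applied: a page served over http may create a
    non-Secure cookie whose name matches an existing Secure cookie (nothing rejects it), and
    cookies go out longest Path first, older first on ties."""

    def __init__(self):
        self.cookies = []  # kept in creation order

    def set_cookie(self, header: str):
        c = _parse_set_cookie(header)
        # same name + Path overwrites; a different Path adds a second, shadowing cookie
        self.cookies = [x for x in self.cookies
                        if not (x["name"] == c["name"] and x["path"] == c["path"])]
        self.cookies.append(c)

    def cookie_header(self, https: bool, path: str) -> str:
        """The Cookie header the browser attaches to a request for `path`."""
        sent = [x for x in self.cookies if (https or not x["secure"]) and path.startswith(x["path"])]
        sent.sort(key=lambda x: -len(x["path"]))  # sort is stable, so creation order breaks ties
        return "; ".join(f"{x['name']}={x['value']}" for x in sent)

    def document_cookie(self, https: bool) -> str:
        """What page script reads from document.cookie: no HttpOnly cookies, no Secure ones on http."""
        visible = [x for x in self.cookies if not x["httponly"] and (https or not x["secure"])]
        return "; ".join(f"{x['name']}={x['value']}" for x in visible)


def first_cookie_session(cookie_header: str):
    """Naive server: use the first 'session' cookie in the header (what many cookie parsers do)."""
    for part in cookie_header.split("; "):
        name, _, value = part.partition("=")
        if name == "session":
            return verify_cookie("session", value)
    return None


def hardened_session(cookie_header: str):
    """Hardened server: a cookie name appearing twice is the signature of a tossed cookie,
    so refuse the request (force re-login) instead of picking one of them."""
    seen = {}
    for part in cookie_header.split("; "):
        name, _, value = part.partition("=")
        if name in seen:
            return None
        seen[name] = value
    return verify_cookie("session", seen.get("session", ""))


def cookie_tossing_demo() -> dict:
    """Victim logs in over https, then views an attacker-customised page over http."""
    jar = OldBrowserJar()
    for h in login_set_cookie_headers("victim", "UTC", "sess-victim-0001"):
        jar.set_cookie(h)
    # The attacker holds a valid MAC'd session cookie too: his own, from logging in himself.
    attacker_session = mac_cookie("session", "sess-attacker-0002")
    seen_by_script = jar.document_cookie(https=False)  # only the prefs cookie is readable
    # Attacker's script does: document.cookie = "session=...; Path=/account"  (no Secure flag)
    jar.set_cookie(f"session={attacker_session}; Path=/account")
    header = jar.cookie_header(https=True, path="/account/settings")
    return {
        "seen_by_script": seen_by_script,
        "https_cookie_header": header,
        "naive_server_session": first_cookie_session(header),  # victim now acts as the attacker
        "hardened_server_session": hardened_session(header),   # None: request refused
    }
```

The MAC stops tampering and cross-cookie replay, but it does not stop a valid cookie from being planted, which is why the duplicate-name check (or rotating the session ID on every privilege change) matters on the https side. Current browsers refuse to let a non-secure origin set a cookie that would shadow a Secure one ("Leave Secure Cookies Alone", in the RFC 6265bis draft) and offer the `__Host-` cookie-name prefix, neither of which existed for FF 1.5 or IE6. Two further things the http page can do regardless of cookies: auto-submit a form to any https page, with the Secure session cookie attached (so state-changing https pages need CSRF tokens), and render a look-alike sign-in form on the same domain.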