Commit

[e] (0) Add a section with some authoring advice from a security perspective. This is just a first draft; please feel free to suggest additional material.

git-svn-id: http://svn.whatwg.org/webapps@6346 340c8d12-0b0e-0410-8428-c7bf67bfef74
Hixie committed Aug 2, 2011
1 parent dd645f3 commit d3b3d8c
Showing 3 changed files with 359 additions and 4 deletions.
120 changes: 118 additions & 2 deletions complete.html
Expand Up @@ -296,7 +296,9 @@ <h2 class="no-num no-toc" id=contents>Table of contents</h2>
<ol>
<li><a href=#how-to-read-this-specification><span class=secno>1.8.1 </span>How to read this specification</a></li>
<li><a href=#typographic-conventions><span class=secno>1.8.2 </span>Typographic conventions</a></ol></li>
<li><a href=#a-quick-introduction-to-html><span class=secno>1.9 </span>A quick introduction to HTML</a></li>
<li><a href=#a-quick-introduction-to-html><span class=secno>1.9 </span>A quick introduction to HTML</a>
<ol>
<li><a href=#writing-secure-applications-with-html><span class=secno>1.9.1 </span>Writing secure applications with HTML</a></ol></li>
<li><a href=#conformance-requirements-for-authors><span class=secno>1.10 </span>Conformance requirements for authors</a>
<ol>
<li><a href=#presentational-markup><span class=secno>1.10.1 </span>Presentational markup</a></li>
Expand Down Expand Up @@ -2135,7 +2137,120 @@ <h3 id=a-quick-introduction-to-html><span class=secno>1.9 </span>A quick introdu
understand at first.</p>


<h3 id=conformance-requirements-for-authors><span class=secno>1.10 </span>Conformance requirements for authors</h3>
<h4 id=writing-secure-applications-with-html><span class=secno>1.9.1 </span>Writing secure applications with HTML</h4>

<p><i>This section is non-normative.</i></p>

<p>When HTML is used to create interactive sites, care needs to be
taken to avoid introducing vulnerabilities through which attackers
can compromise the integrity of the site itself or of the site's
users.</p>

<p>A comprehensive study of this matter is beyond the scope of this
document, and authors are strongly encouraged to study the matter in
more detail. However, this section attempts to provide a quick
introduction to some common pitfalls in HTML application
development.</p>

<p>The security model of the Web is based on the concept of
"origins", and correspondingly many of the potential attacks on the
Web involve cross-origin actions. <a href=#refsORIGIN>[ORIGIN]</a></p>

<dl><dt>Not validating user input</dt>
<dt>Cross-site scripting (XSS)</dt>
<dt>SQL injection</dt>

<dd>

<p>When accepting untrusted input, e.g. user-generated content
such as text comments, values in URL parameters, messages from
third-party sites, etc, it is imperative that the data be
validated before use, and properly escaped when displayed. Failing
to do this can allow an hostile user to perform a variety of
attacks, ranging from the potentially benign, such as providing
bogus user information like a negative age, to the serious, such
as running scripts every time a user looks at a page that includes
the information, potentially propagating the attack in the
process, to the catastrophic, such as deleting all data in the
server.</p>

<div class=example>

<p>For example, suppose a page looked at its URL's query string
to determine what to display, and the site then redirected the
user to that page to display a message, as in:</p>

<pre>&lt;ul&gt;
&lt;li&gt;&lt;a href="message.cgi?say=Hello"&gt;Say Hello&lt;/a&gt;
&lt;li&gt;&lt;a href="message.cgi?say=Welcome"&gt;Say Welcome&lt;/a&gt;
&lt;li&gt;&lt;a href="message.cgi?say=Kittens"&gt;Say Kittens&lt;/a&gt;
&lt;/ul&gt;&lt;/pre&gt;

<p>If the message was just displayed to the user without
escaping, a hostile attacker could then craft a URL that
contained a script element:</p>

<pre>http://example.com/message.cgi?say=%3Cscript%3Ealert%28%27Oh%20no%21%27%29%3C/script%3E</pre>

<p>If the attacker then convinced a victim user to visit this
page, a script of the attacker's choosing would run on the page.
Such a script could do any number of hostile actions, limited
only by what the site offers: if the site is an e-commerce shop,
for instance, such a script could cause the user to unknowingly
make arbitrarily many unwanted purchases.</p>

<p>This is called a cross-site scripting attack.</p>

</pre></div>

</dd>


<dt>Cross-site request forgery (CSRF)</dt>

<dd>

<p>If a site allows a user to make form submissions with
user-specific side-effects, for example posting messages on a
forum under the user's name, making purchases, or applying for a
passport, it is important to verify that the request was made by
the user intentionally, rather than by another site tricking the
user into making the request unknowingly.</p>

<p>This problem exists because HTML forms can be submitted to
other origins.</p>

<p>Sites can prevent such attacks by populating forms with
user-specific hidden tokens, or by checking <code title=http-origin>Origin</code> headers on all requests.</p>

</dd>



<dt>Clickjacking</dt>

<dd>

<p>A page that provides users with an interface to perform actions
that the user might not wish to perform needs to be designed so as
to avoid the possibility that users can be tricked into activating
the interface.</p>

<p>One way that a user could be so tricked is if a hostile site
places the victim site in a small <code><a href=#the-iframe-element>iframe</a></code> and then
convinces the user to click, for instance by having the user play
a reaction game. Once the user is playing the game, the hostile
site can quickly position the iframe under the mouse cursor just
as the user is about to click, thus tricking the user into
clicking the victim site's interface.</p>

<p>To avoid this, sites that do not expect to be used in frames
are encouraged to only enable their interface if they detect that
they are not in a frame (e.g. by comparing the <code title=dom-window><a href=#dom-window>window</a></code> object to the value of the <code title=dom-top><a href=#dom-top>top</a></code> attribute).</p>

</dd>

</dl><h3 id=conformance-requirements-for-authors><span class=secno>1.10 </span>Conformance requirements for authors</h3>

<p><i>This section is non-normative.</i></p>

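Review bot: The first example's preformatted block is mis-closed: the line `&lt;/ul&gt;&lt;/pre&gt;` ends with an escaped `&lt;/pre&gt;` that will render as literal text, while a bare `</pre>` sits just before `</div>` at the end of the example, so the explanatory paragraphs and the crafted-URL `<pre>` end up inside the first block. Change that line to `&lt;/ul&gt;</pre>` and delete the stray `</pre>` before `</div>`. Smaller points in the same hunk: "an hostile user" should read "a hostile user" and "etc," should be "etc.,"; `<dt>SQL injection</dt>` is listed but the `<dd>` only ever explains XSS, so either add a sentence on validating input before it reaches a database query or drop that term from the heading; the CSRF advice to check `Origin` headers "on all requests" would be clearer if it said that not every request carries that header, so the per-user hidden token is the primary defence and the header check a supplement; and the clickjacking entry could mention the `X-Frame-Options` response header alongside the `window`/`top` comparison, since script-based frame detection is not reliable on its own.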
Expand Down Expand Up @@ -101265,6 +101380,7 @@ <h3 class="no-num">Reflecting IDL attributes</h3>
Philip J&auml;genstedt,
Philip Taylor,
Philip TAYLOR<!-- a different one -->,
Philippe De Ryck,
Prateek Rungta,
Pravir Gupta,
Rachid Finge,
120 changes: 118 additions & 2 deletions index
Expand Up @@ -296,7 +296,9 @@
<ol>
<li><a href=#how-to-read-this-specification><span class=secno>1.8.1 </span>How to read this specification</a></li>
<li><a href=#typographic-conventions><span class=secno>1.8.2 </span>Typographic conventions</a></ol></li>
<li><a href=#a-quick-introduction-to-html><span class=secno>1.9 </span>A quick introduction to HTML</a></li>
<li><a href=#a-quick-introduction-to-html><span class=secno>1.9 </span>A quick introduction to HTML</a>
<ol>
<li><a href=#writing-secure-applications-with-html><span class=secno>1.9.1 </span>Writing secure applications with HTML</a></ol></li>
<li><a href=#conformance-requirements-for-authors><span class=secno>1.10 </span>Conformance requirements for authors</a>
<ol>
<li><a href=#presentational-markup><span class=secno>1.10.1 </span>Presentational markup</a></li>
Expand Down Expand Up @@ -2037,7 +2039,120 @@ a.setAttribute('href', 'http://example.com/'); // change the content attribute d
understand at first.</p>


<h3 id=conformance-requirements-for-authors><span class=secno>1.10 </span>Conformance requirements for authors</h3>
<h4 id=writing-secure-applications-with-html><span class=secno>1.9.1 </span>Writing secure applications with HTML</h4>

<p><i>This section is non-normative.</i></p>

<p>When HTML is used to create interactive sites, care needs to be
taken to avoid introducing vulnerabilities through which attackers
can compromise the integrity of the site itself or of the site's
users.</p>

<p>A comprehensive study of this matter is beyond the scope of this
document, and authors are strongly encouraged to study the matter in
more detail. However, this section attempts to provide a quick
introduction to some common pitfalls in HTML application
development.</p>

<p>The security model of the Web is based on the concept of
"origins", and correspondingly many of the potential attacks on the
Web involve cross-origin actions. <a href=#refsORIGIN>[ORIGIN]</a></p>

<dl><dt>Not validating user input</dt>
<dt>Cross-site scripting (XSS)</dt>
<dt>SQL injection</dt>

<dd>

<p>When accepting untrusted input, e.g. user-generated content
such as text comments, values in URL parameters, messages from
third-party sites, etc, it is imperative that the data be
validated before use, and properly escaped when displayed. Failing
to do this can allow an hostile user to perform a variety of
attacks, ranging from the potentially benign, such as providing
bogus user information like a negative age, to the serious, such
as running scripts every time a user looks at a page that includes
the information, potentially propagating the attack in the
process, to the catastrophic, such as deleting all data in the
server.</p>

<div class=example>

<p>For example, suppose a page looked at its URL's query string
to determine what to display, and the site then redirected the
user to that page to display a message, as in:</p>

<pre>&lt;ul&gt;
&lt;li&gt;&lt;a href="message.cgi?say=Hello"&gt;Say Hello&lt;/a&gt;
&lt;li&gt;&lt;a href="message.cgi?say=Welcome"&gt;Say Welcome&lt;/a&gt;
&lt;li&gt;&lt;a href="message.cgi?say=Kittens"&gt;Say Kittens&lt;/a&gt;
&lt;/ul&gt;&lt;/pre&gt;

<p>If the message was just displayed to the user without
escaping, a hostile attacker could then craft a URL that
contained a script element:</p>

<pre>http://example.com/message.cgi?say=%3Cscript%3Ealert%28%27Oh%20no%21%27%29%3C/script%3E</pre>

<p>If the attacker then convinced a victim user to visit this
page, a script of the attacker's choosing would run on the page.
Such a script could do any number of hostile actions, limited
only by what the site offers: if the site is an e-commerce shop,
for instance, such a script could cause the user to unknowingly
make arbitrarily many unwanted purchases.</p>

<p>This is called a cross-site scripting attack.</p>

</pre></div>

</dd>


<dt>Cross-site request forgery (CSRF)</dt>

<dd>

<p>If a site allows a user to make form submissions with
user-specific side-effects, for example posting messages on a
forum under the user's name, making purchases, or applying for a
passport, it is important to verify that the request was made by
the user intentionally, rather than by another site tricking the
user into making the request unknowingly.</p>

<p>This problem exists because HTML forms can be submitted to
other origins.</p>

<p>Sites can prevent such attacks by populating forms with
user-specific hidden tokens, or by checking <code title=http-origin>Origin</code> headers on all requests.</p>

</dd>



<dt>Clickjacking</dt>

<dd>

<p>A page that provides users with an interface to perform actions
that the user might not wish to perform needs to be designed so as
to avoid the possibility that users can be tricked into activating
the interface.</p>

<p>One way that a user could be so tricked is if a hostile site
places the victim site in a small <code><a href=#the-iframe-element>iframe</a></code> and then
convinces the user to click, for instance by having the user play
a reaction game. Once the user is playing the game, the hostile
site can quickly position the iframe under the mouse cursor just
as the user is about to click, thus tricking the user into
clicking the victim site's interface.</p>

<p>To avoid this, sites that do not expect to be used in frames
are encouraged to only enable their interface if they detect that
they are not in a frame (e.g. by comparing the <code title=dom-window><a href=#dom-window>window</a></code> object to the value of the <code title=dom-top><a href=#dom-top>top</a></code> attribute).</p>

</dd>

</dl><h3 id=conformance-requirements-for-authors><span class=secno>1.10 </span>Conformance requirements for authors</h3>

<p><i>This section is non-normative.</i></p>

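Review bot: This copy carries the same mis-closed example block as complete.html: the `&lt;/ul&gt;&lt;/pre&gt;` line escapes the closing tag and a bare `</pre>` appears before `</div>` at the end of the example. Since both files contain identical text, apply the fix (and the "an hostile user" / "etc," wording fixes) once in the source they are generated from rather than patching each output separately.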
Expand Down Expand Up @@ -96995,6 +97110,7 @@ if (s = prompt('What is your name?')) {
Philip J&auml;genstedt,
Philip Taylor,
Philip TAYLOR<!-- a different one -->,
Philippe De Ryck,
Prateek Rungta,
Pravir Gupta,
Rachid Finge,

0 comments on commit d3b3d8c