insane in the iframe -- the case for client-side html sanitization
DESCRIPTION
Server-side HTML sanitization is a familiar web application building block, yet despite years of offensive security research, defensive “sanitizer science” is still a kind of voodoo magic. This talk will make the case that as server-side HTML sanitizers lack the ability to effectively simulate every potential user agent, the client itself is the only party empowered to perform accurate sanitization. We will examine the DOM API primitives required to perform such client-side sanitization and review results and learning from a prototype implementation.
TRANSCRIPT
David Ross, Principal Software Security Engineer, Trustworthy Computing Security, Microsoft
@NealPoole https://t.co/5omk5ec2UD
@kkotowicz @NealPoole @adam_baldwin
difficult
• No independent parsing / context handling
everything else
document.implementation.createHTMLDocument
document.createTreeWalker
3. Remove elements / attributes / etc. not explicitly allowed*
* Old (less-performant) approach: build yet another DOM by copying safe elements / attributes / etc. to a new DOM during the tree walk
document.implementation.createHTMLDocument
Must never run script
setAttribute
promises / deferreds
[Demo] [Benchmark]
Options precedence / inheritance rules: (Options specified on target element) > (options specified on sanitize() call) > (default options)
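The slides above outline the procedure (parse untrusted markup into an inert document with createHTMLDocument, walk it with createTreeWalker, remove everything not explicitly allowed) and the option precedence rule (target element > sanitize() call > defaults). The following is an added illustration written for this page, not the talk's prototype or any Microsoft code; the element and attribute allowlists, the URL-scheme check and all function names are assumptions made for the example. The policy decisions are kept in pure functions so they can be tested outside a browser, while sanitizeHTML itself needs a DOM.

```javascript
// Added example (not the talk's prototype): allowlist-based client-side HTML
// sanitizer built on the DOM primitives named in the slides.
// DEFAULT_OPTIONS is an assumed default policy, not one the talk specifies.
const DEFAULT_OPTIONS = {
  allowedElements: new Set(['a', 'b', 'i', 'em', 'strong', 'p', 'br', 'ul', 'ol', 'li', 'span']),
  allowedAttributes: new Set(['href', 'title', 'class']),
  allowedUrlSchemes: new Set(['http:', 'https:', 'mailto:']),
};

// Precedence from the slides: options on the target element override options
// passed to sanitize(), which override the defaults. Later sources win.
function resolveOptions(targetOptions, callOptions) {
  return Object.assign({}, DEFAULT_OPTIONS, callOptions || {}, targetOptions || {});
}

// Pure policy decision for one attribute (testable without a DOM).
// Event-handler attributes are rejected regardless of the allowlist, and URL
// attributes are only kept when their resolved scheme is allowed.
function isAllowedAttribute(name, value, options) {
  const lower = name.toLowerCase();
  if (lower.startsWith('on')) return false;
  if (!options.allowedAttributes.has(lower)) return false;
  if (lower === 'href' || lower === 'src') return isAllowedUrl(value, options);
  return true;
}

// Parses the value with the WHATWG URL parser (which strips leading control
// characters and lower-cases the scheme) against a dummy base so that
// relative links resolve to the base's scheme.
function isAllowedUrl(value, options) {
  let url;
  try {
    url = new URL(String(value).trim(), 'https://example.invalid/');
  } catch (e) {
    return false; // unparseable: drop it
  }
  return options.allowedUrlSchemes.has(url.protocol);
}

// Browser-only part. The document created by createHTMLDocument has no
// browsing context, so script in the parsed markup never runs and no
// subresources are fetched ("must never run script" from the slides).
function sanitizeHTML(untrustedHtml, callOptions, targetOptions) {
  const options = resolveOptions(targetOptions, callOptions);
  const doc = document.implementation.createHTMLDocument('');
  doc.body.innerHTML = untrustedHtml;

  // Walk every element; collect removals first and mutate afterwards so the
  // walker's position is never invalidated. Nothing is copied to a second DOM
  // (the older, slower approach mentioned on the slide).
  const walker = doc.createTreeWalker(doc.body, NodeFilter.SHOW_ELEMENT);
  const toRemove = [];
  while (walker.nextNode()) {
    const el = walker.currentNode;
    if (!options.allowedElements.has(el.localName)) {
      toRemove.push(el);
      continue;
    }
    for (const attr of Array.from(el.attributes)) {
      if (!isAllowedAttribute(attr.name, attr.value, options)) {
        el.removeAttribute(attr.name);
      }
    }
  }
  // Removing an element removes its subtree, so nested disallowed content
  // goes with it; remove() on an already-detached node is a no-op.
  for (const el of toRemove) el.remove();
  return doc.body.innerHTML;
}

// Usage in a browser (guarded so the file also loads under Node for tests).
if (typeof document !== 'undefined') {
  // Constructed sample input for the example.
  const sample = '<p onclick="x()">hi <a href="javascript:y()">link</a><script>z()</script></p>';
  console.log(sanitizeHTML(sample));
}
```

Whether a scheme like `javascript:` is recognised depends on the parser the sanitizer uses, which is the talk's central point: here the check runs in the same browser that will render the output, so the URL parser and the HTML parser are the ones the user agent actually uses.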
Mario Heiderich @0x6D6172696F JSAgents / IceShield
Gareth Heyes @garethheyesJSLR
Ben Livshits, Loris D’Antoni
FAST
Caja HTML sanitizer
Stefano Di Paola Eduardo ‘Sirdarckcat’ Vela N.
I just presented on HTML sanitization at OWASP AppSec EU 2013. AMA! (self.AMA), submitted by randomdross