MySpace and the Case Against Input Scrubbing

If you haven’t heard of MySpace.com, it’s safe to say you’re not a teenager. MySpace and other social networking sites have skyrocketed in popularity recently. The site allows users to create a unique homepage and customize it by adding HTML and style sheets. Each user essentially gets to build his or her own mini-website within the MySpace environment.

This creates some interesting challenges for managing site security. While not responsible for the user content, MySpace is still obligated to protect users from each other. To accomplish this MySpace allows users to enter “safe” HTML and style sheet tags, but has to prevent “unsafe” tags to avoid attacks like cross-site scripting (XSS). Their solution has been to compile a list of every bad tag or pattern they can think of and try to “scrub” these patterns out of incoming data. So, if you tried to use a JavaScript command like this on your homepage:

<script>alert(‘xss’);</script>

MySpace would recognize the script tags in that pattern as being unsafe and remove them.

The problem with this approach is that there are a huge number of ways to get a script to run on a user’s browser and MySpace can’t keep up with them all. In fact, there have been a number of vulnerabilities reported about this very problem. These security issues will continue to crop up as long as MySpace attempts to prevent them by scrubbing bad data out of user input. In fact, Security PS has knowledge of at least two previously unknown cross-site scripting vulnerabilities on the MySpace site. We are working with MySpace to address these issues.

As our clients know, the only way to really remove assumptions about incoming data is to positively match it against a very specific pattern. MySpace should define a patterns for each HTML tag they consider safe. They could then match incoming data against these patterns and deny any input that doesn’t match the pattern for a known tag. By doing this, they will no longer have to keep up with every new attack in existence. Each new attack will be automatically denied by the data patterns. Until they do this, they will continue to fight a losing battle against attackers.

0 comments:

Post a Comment