midnite

Will XSL be hacked?


In my webpage, I am going to allow clients (X)HTML. To avoid XSS, I will use HTML Purifier, and disable the <script> tag (and some other dangerous tags).

Yet I would like to enable designers of those (X)HTML to use certain programming-like features, for example displaying a list of items, which would need a for-loop.

Then I came up with the idea that users submit the XSL code and I provide the XML with the data required by the users.

As HTML Purifier cannot sanitise XSL code (can it?), my proposed flow would be:

  1. User submits a piece of XSL code.
  2. In the server, there are some sample data (sample XMLs). PHP is used to do the XSL transform with those sample XML data.
  3. Pass the output XHTML to HTML Purifier. If HTML Purifier detects any prohibited elements in the code, stop the process and show the errors to the user.
  4. If it passes HTML Purifier, check it against the W3C validator. (This is just a double check. Outputs from HTML Purifier should be valid.)
  5. Save the piece of XSL code into the database. Use (include) it whenever needed.

Do you think the flow above can assure that the final XSL code saved into the database is clean (given that HTML Purifier is perfect)?

Another concern (this is the main question here): is it safe to accept arbitrary XSL code and perform the XSL transform with PHP on the server? Could there be any security holes, such as XSS or injection included in the XSL code, that would be harmful to the server or the PHP programs?

Finally, if there are any other ideas or designs to achieve this, any solutions are welcome!

Thanks a lot!


I don't do much with XML or XSL, but it seems like a weak point of that might be your test cases. There might be some XSL which will pass your test cases but would do something different with other XML data.

In general though, XSL is not to be trusted. People can include other XSL files from other domains or any number of other things. If you are accepting untrusted XSL and you're using it to produce output for your site, then that is definitely a security issue. There is a summary of some of the issues here:

http://msdn.microsoft.com/en-us/library/ms763800(v=vs.85).aspx


Thanks @justsomeguy for providing this reminder that XSLT will cause DoS and XSS. In addition, some others also say that XSL is Turing complete and can do anything to harm the server and scripts. In addition, I would have to avoid the Billion Laughs attack in XML too. I guess I have to modify my step (1) to:

  1. User submits a piece of XSL code XHTML code with my special tags - for example, I allow [for-each], [choose], [when], etc.
     • As they are in fact a white-list of XSLT tags, I then validate and replace those tags with actual XSLT tags.
  2. In the server, there are some sample data (sample XMLs). PHP is used to do the XSL transform with those sample XML data.
  3. Pass the output XHTML to HTML Purifier. If HTML Purifier detects any prohibited elements in the code, stop the process and show the errors to the user.
  4. If it passes HTML Purifier, check it against the W3C validator. (This is just a double check. Outputs from HTML Purifier should be valid.)
  5. Save the piece of XSL code into the database. Use (include) it whenever needed.

For the sample test cases, I will include as many special cases as possible.
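
An added example, not part of any post in this thread: one way to enforce the tag white-list discussed above in PHP before the transform runs. The function names, the exact allowlist beyond for-each/choose/when, and the sample stylesheet are assumptions made for illustration.

```php
<?php
const XSL_NS   = 'http://www.w3.org/1999/XSL/Transform';
const XHTML_NS = 'http://www.w3.org/1999/xhtml';
// Assumed allowlist. call-template/apply-templates are left out so a stylesheet cannot
// recurse; include/import are left out so it cannot pull in other stylesheets.
const ALLOWED_XSL = ['stylesheet', 'template', 'for-each', 'choose', 'when',
                     'otherwise', 'if', 'value-of', 'text', 'sort'];
function checkStylesheet(string $xsl): array
{
    // A DTD is what entity-expansion attacks (Billion Laughs) need, so refuse any.
    if (stripos($xsl, '<!DOCTYPE') !== false) {
        return ['DOCTYPE declarations are not accepted'];
    }
    $doc = new DOMDocument();
    if (!@$doc->loadXML($xsl, LIBXML_NONET)) {   // LIBXML_NONET: no network while parsing
        return ['stylesheet is not well-formed XML'];
    }
    $errors = [];
    foreach ($doc->getElementsByTagName('*') as $el) {
        $ns = $el->namespaceURI;
        if ($ns === XSL_NS && !in_array($el->localName, ALLOWED_XSL, true)) {
            $errors[] = "xsl:{$el->localName} is not allowed";
        } elseif ($ns !== XSL_NS && $ns !== null && $ns !== XHTML_NS) {
            $errors[] = "element in foreign namespace $ns is not allowed"; // extension elements
        }
        foreach ($el->attributes as $attr) {
            // document() loads other files or URLs from inside an XPath expression.
            if (preg_match('/\bdocument\s*\(/i', $attr->value)) {
                $errors[] = "document() is not allowed (attribute {$attr->name})";
            }
        }
    }
    return $errors;
}

function transformUntrusted(string $xsl, DOMDocument $data): string
{
    if ($errors = checkStylesheet($xsl)) {
        throw new InvalidArgumentException(implode('; ', $errors));
    }
    $style = new DOMDocument();
    $style->loadXML($xsl, LIBXML_NONET);
    $proc = new XSLTProcessor();   // registerPHPFunctions() is deliberately never called
    $proc->setSecurityPrefs(XSL_SECPREF_READ_FILE | XSL_SECPREF_WRITE_FILE
        | XSL_SECPREF_CREATE_DIRECTORY | XSL_SECPREF_READ_NETWORK | XSL_SECPREF_WRITE_NETWORK);
    $proc->importStylesheet($style);
    return (string) $proc->transformToXml($data);
}
// Constructed sample: a stylesheet that tries to include another one is reported.
var_dump(checkStylesheet('<xsl:stylesheet version="1.0" xmlns:xsl="' . XSL_NS . '"><xsl:include href="other.xsl"/></xsl:stylesheet>'));
```

The output of `transformUntrusted()` is still untrusted markup and goes through HTML Purifier on every render, since a stylesheet can behave differently on real data than on the sample XML.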
