<<< Date Index >>>     <<< Thread Index >>>

Re: DarkStarlings.com XSS Vulnerability



While the site does not intensively scrub javascript that is input by the user, 
XSS vulnerabilities are not a concern.

The worst case scenario (and really only important scenario) is that of a 
malicious party using javascript to capture cookie information from a user of 
the site and then using that information to falsely authenticate under the 
user's account (or to put it garishly, using XSS to "hack" other member's 
accounts).  

Even though an XSS enthusiast of intermediate skill should have little trouble 
extracting user cookie information on the site using cleverly disguised 
redirects, the information obtained would be entirely useless.

Not only is the cookie password information hashed with multiple, complex, 
salted algorithms, it is hashed with unique information (a unique salt that 
depends upon some network information) that makes using the hashed password to 
forge a cookie impossible.  That is, User A and User B, connecting from 
different locations but using the same username and password, will have 
different password hashes.  If User B tries to use User A's password hash, 
authentication will fail.

Given that, I have elected not to pursue heavy scrubbing of javascript on my 
site.  

Why?

I could just as easily disabled the use of javascript site wide, but I wanted 
to allow members of our community to be more free to use it for various 
(benign) purposes.  Instead of letting a few bad apples ruin the party for 
everyone, I've carefully considered the consequences of attempted XSS exploits 
using javascript on my site and have produced solutions to keep everyone's 
experience on DarkStarlings as secure as possible.