Wednesday, November 28, 2007

Introducing AntiSamy

Creating a cross-site scripting filter that allows user-submitted HTML/CSS to pass through, but does not allow malicious content through (usually coded in JavaScript), is a lot like writing your own encryption algorithm. It’s not something that you should be building yourself because it’s extremely easy to make mistakes and it takes an army of smart people scrutinizing it before its considered trustworthy. The difference is there hasn’t been an alternative to rolling your own so far. That’s why each Web Mail provider, social network, and blogging platform has their own implementation, which gets broken almost routinely. The MySpace Worm written by Samy is a prime example of how these filters can fail in spectacular fashion, which is where the AntiSamy project comes in.

The OWASP AntiSamy Project, developed by Arshan Dabirsiaghi, is an effort to create an open source (BSD Licensed) API that’ll allow user-submitted HTML/CSS, but severely limit the potential for malicious content (JavaScript) to get through. XML Policy files are created for what a user is allowed to submit which can either extends functionality or limit the attack surface. Samples eBay, MySpace, and Slashdot already created to use as a guide. Arshan was good enough to set up a live demo website of AntiSamy so people can play around with the various filter policies and test if they can be bypassed. Of course Arshan also needs help to make sure the API has enough usability so the average user can do what they need to.

Personally I think this is a fantastic project and something that could really take off usage wise - especially if versions are ported beyond Java to .Net and PHP. A lot of developers, who are aware of the dangers of XSS, are building more and more web applications that expect to take in dynamic user-supplied content (Web 2.0). This will give them an easy option to do so safely and securely. Excellent work Arshan!

9 comments:

Arshan Dabirsiaghi said...

Watch out for a new line of "Samy is my hero" / "Arshan is my nemesis" t-shirts

Jeremiah Grossman said...

That kind of summarized the infosec culture doesn't it? :)

Arshan Dabirsiaghi said...

Maybe, but it's weird - I always thought of myself as the nemesis for different reasons. There should be a challenge on your site, who can summarize the infosec culture the bes t in 1 sentence. I want to have a while to think before I put in my entry. ;p

Alex said...

Sounds like something similar to PHPIDS (www.phpids.org). PHPIDS does not work like a filter, but it can inform the application about the performed attack. If PHPIDS starts claiming about something at - let's say - a specified level, you can drop the whole data/string/request/...

Arshan said...

Alex: though some people may find that useful, this is nothing like that. Go check out the project - I need some smart PHP to help out!

Jim Manico said...

You definitely got my interest, Arshan. Good job. I'm going to be keeping an eye on this for use at some of my SUN/CodeMagi projects once it reaches maturity. I also believe this as has the potential to reach widespread use. Most XSS guidelines I have read completely ignore the fact that many modern sites need to accept and *render* markup code provided my a user, safely. This is the first large OSS project to address this critical need. Schweet!

kuza55 said...

"The difference is there hasn’t been an alternative to rolling your own so far."

Actually, HTML Purifier (http://htmlpurifier.org/) has been in existance for a while now, and I don't know of anything that has managed to bypass it yet. But its for PHP, rather than Java.

Jim Manico said...

kuza55, htmlpurifier? php security? *cough, cough*

Um, the greatest feature of AntiSammy is that it's for Java. PHP and security do not belong in the same sentence unless you are discussing just how in_secure PHP is at its core.

Anonymous said...

What about cross site scripting filtering for user HTML/CSS in classic ASP? Antisamy .NET and java can not be implemented there :(