> The problem is similar to one described last August by James Slater. That time around the issue was with the application URL, this time it appears the application name is the issue.
With programmers being human, there's a lot to be said for the framework providing a secure default. Even so, it's surprising how often this particular mistake occurs.
You seriously think developers will manually HTML encode every time user input is rendered in the response? It's not just HTML they have to worry about, but Javascript, URL, HTML attributes, etc. If the framework doesn't automatically do it, nobody does it. That is, until they get hit by XSS.
Depends on what you mean by "framework". I would interpret that as "the language in which you write your application", and in that case a language that treats text and HTML as different datatypes does provide more security.
Rails' conflation of these types guarantees that whatever the default for escaping, there will be bugs in applications written in/on rails.
Why can't Twitter get its shit together? When Facebook faces those kind of problems, they iron them out in a blink of an eye. Scaling problems? No problem, I don't think I've ever experienced Facebook going down in the past 4-5 years!
How can a top-10 Alexa site such as Twitter continually entertain users with hours of downtime every week? What about escaping input? This is below web dev 101 for god's sake.
Twitter sure does have issues with stuff like this. I noticed a while back that they were double encoding some strings on output, too - I had an ampersand in my location and it was showing as & on the page.
None of the code looks malicious, but I would suggest that if you have a Twitter account and/or are logged into it, don't visit the page because he might be stealing cookies.
"appears to be due to a lack of input validation of the application name field"
They should just be sure that they _render_ the application name field appropriately. Angle brackets should be escaped, minimally. It's really not so difficult, Ruby does it with three calls to gsub:
http://rdoc.sourceforge.net/rd/doc/classes/CGI.src/M000003.h...
18 comments
[ 4.0 ms ] story [ 47.4 ms ] thread[1] http://www.davidnaylor.co.uk/massive-twitter-cross-site-scri...
> The problem is similar to one described last August by James Slater. That time around the issue was with the application URL, this time it appears the application name is the issue.
Either way, XSS sucks. Surprised that they haven't plugged this one yet.
Rails 3 changes this by always html escaping strings.
Rails' conflation of these types guarantees that whatever the default for escaping, there will be bugs in applications written in/on rails.
How can a top-10 Alexa site such as Twitter continually entertain users with hours of downtime every week? What about escaping input? This is below web dev 101 for god's sake.
They should just be sure that they _render_ the application name field appropriately. Angle brackets should be escaped, minimally. It's really not so difficult, Ruby does it with three calls to gsub: http://rdoc.sourceforge.net/rd/doc/classes/CGI.src/M000003.h...
I'm curious what people here think of that idea, ie, preventing string injection attacks at the language level.