Skip this post right now if you’re not interested in details interesting only to web application security geeks. Don’t complain, I warned you.

There are a lot of wrong ways you can try to secure a web application while still allowing content from users. It’s a surprisingly difficult thing to do, and any time a non-security programmer tries to do it, they’re almost guaranteed to fail the first few times unless the content they’re trying to protect is extremely well-formed (i.e.: filter out everything but hyphens, periods, and alphanumeric characters from a “name” field). The more you try to allow users to insert their own filtered HTML, the harder the problem is.

So hard, apparently, that it’s easy to over-react. Take a look at what Apple did on their search page:
http://www.apple.com/search/?q=applescript
Feel free to test manually by going to apple.com and searching for applescript. An overzealous filter makes it impossible to accomplish a legitimate task. Whoops. The funny thing is that they don’t filter out “embed” or “object”, which you’d usually expect to see blocked along with “script”. Of course, it looks like the page itself is generating most of the content via JavaScript. If I were a betting man, I’d put money on a DOM-based XSS showing up on sla.ckers.org before too long. ;-)
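As an added illustration (not code from this post or from Apple’s site), here is a hypothetical keyword blocklist of the kind described above next to the approach that actually works: decode the query, reject nothing, and HTML-escape it where it lands in markup. The assumption that the blocklist runs on the raw, not-yet-decoded query string is mine; the `apples%43ript` input is the one Kevin mentions in the comments.

```python
import html
from urllib.parse import unquote

# The kind of keyword blocklist the post describes (hypothetical reconstruction).
BLOCKED_WORDS = ("script",)


def blocklist_rejects(raw_query: str) -> bool:
    """Naive 'input filter': reject any query that contains a blocked word.

    Assumption: the check runs on the raw query string, before URL decoding,
    and matches case-insensitively.
    """
    lowered = raw_query.lower()
    return any(word in lowered for word in BLOCKED_WORDS)


def filter_consistent(raw_query: str) -> bool:
    """Defender's check: a filter that decides differently on the raw and the
    decoded form of the same query is being applied at the wrong layer."""
    return blocklist_rejects(raw_query) == blocklist_rejects(unquote(raw_query))


def render_search_page(raw_query: str) -> str:
    """Hypothetical results page that needs no blocklist at all: the query is
    decoded once, then escaped for the HTML element context it is placed in,
    so the word 'script' is harmless and a searcher can look up applescript."""
    query = unquote(raw_query)
    safe = html.escape(query, quote=True)
    return f"<p>Results for <b>{safe}</b></p>"
```

The false positive (`applescript` rejected) and the inconsistency (`apples%43ript` accepted raw, rejected once decoded) are the two failure modes of filtering on keywords; the escaped page handles both without blocking anything.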
[...] Weins post about the exact problem with offensive defense systems on his blog How Not to protect your webap. Great job Apple, the word “script” is so evil I can’t do a search for applescript. [...]
Left by Apple blocks the word script | Grumpy Security Guy on November 19th, 2007
For me the funny part is that searching for apples%43ript does the search as applesCript and works fine.
Kevin
Left by Kevin Johnson on November 19th, 2007
Hah! Good point — at least that lets folks who are silly enough to actually want to look for information about applescript search apple.com for it.
Left by Jordan on November 19th, 2007
Haha - awesome!
On a related note the website you mentioned (sla.cker / ha.cker) triggered a danger - hacking website warning from the “Trend Micro PC-cillin Internet Security 07” software on the PC I’m using at my uncle’s place - but did have some interesting info, especially on Google not fixing disclosed vulnerabilities very well… maybe I shouldn’t give them every byte of data I own?
Happy Thanksgiving!!
Left by Forgen on November 20th, 2007
How Not to Update Your Weblog
Left by Colin on December 9th, 2007