[Tizen Application-dev] A simple SMS Reader App

Guilherme Íscaro iscaro at profusion.mobi
Sat Apr 14 21:52:42 GMT 2012


Hello Dean,

Actually I'm very happy with your comments, specially about the potential
hazard of my App. I will make the correction that you suggested on Monday.
>From now on, I will have in mind this issue about xss.
Do you mind if I mention you in my blog?

Thank you very much for you review!

On Fri, Apr 13, 2012 at 7:28 PM, Pierce, Dean E <dean.e.pierce at intel.com>wrote:

> First of, that article is awesome :-D  It's super easy to read,
> understand, and go through.  It was actually the first time I broke
> out the SDK and got something real done, and you stepped through
> everything at just the right pace.  I can't thank you enough for
> writing it.
>
> There is a really huge problem though.
>
> Try sending a text message with the text of
> "<script>alert('yay!')</script>".  I'm not sure how familiar you are
> with xss, but this is a modern day example, and when xss is run in
> webruntimes, the potential threat is a lot more extreme than you might
> realize.  What it does is give an attacker complete control of your
> app, giving it all the permissions offered in the config.xml, the
> ability to attack other apps on the system, and assuming there is a
> bug or two in webkit (or any of the native components the js can
> touch), the attacker has the ability to break out of the wrt entirely.
> (Remember a couple weeks ago when someone was asking for shell access
> via javascript?  This is exactly the reason why I strongly objected)
>
> In this particular case, the bug is in main.js
> http://git.profusion.mobi/cgit.cgi/iscaro/FirstApp/tree/js/main.js
>
> ** everyone follow along, this is really important **
>
> In seeMessageContent(), you have this message_thread, and at some
> point, you start using append() to write html directly into the
> object.  The problem here is that you sending in
> message[i].body.plainBody, which is a string that is controlled by
> someone outside of your domain (the person who sent you the txt).
> They can now write directly into your dom, including the addition of
> <script> tags.
>
> I just have a passing understanding of this particular technology, but
> my solution (stolen from
> http://stackoverflow.com/questions/1219860/javascript-jquery-html-encoding
> )
> was to wrap the string in
>
> $('<div/>').text( scary_string_here ).html();
>
> so it ended up looking like
>
> $('<div/>').text( message[i].body.plainBody ).html()
>
> I am actually giving a talk on exactly these issues at the tizen
> conference in a couple weeks.  To do this right *every single string*
> that is sourced from some other domain must be *properly* filtered.  I
> predict that these types of attacks will be used in nearly all
> exploitation of tizen devices in the wild.  This is the way our
> development process is designed, and it makes it painfully easy to
> fall into this trap.
>
> The most important message from me is that these are not developer
> problems.  These are SDK and API problems.  Developers should not be
> able to make mistakes like this.  We should be enforcing proper usage
> of widgets for all UI styling and manipulation.  Then we can make sure
> we filter properly at the widget level (setText() vs setHTML() etc).
> The API also should be guiding users towards the right way of doing
> things, and yelling at developers when they make mistakes like that,
> though I understand that detecting that sort of thing is a non-trivial
> problem.
>
> Guilherme, thanks again for your awesome article.  I know that the app
> is just a simple proof of concept, and not intended for worldwide
> deployment, so I hope you aren't offended by anything I said.  Your
> article is the clearest tutorial I have seen so far, so it is highly
> likely that it will get a ton of views, and copy/pasted infinitely
> into the future.  As such, could you please make sure you escape that
> data in your code in the post, and in the repo?  Also, at the proper
> point in the article, could you write a little blurb about the
> importance of filtering any foreign data before placing it into the
> dom?  Hopefully that will implant something in your reader's minds
> that there is danger lurking, and devs need to be extremely careful
> with injecting strings directly into the dom.  Thanks :-)
>
>   - DEAN
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.tizen.org/pipermail/application-dev/attachments/20120414/36729de8/attachment.html>


More information about the Application-dev mailing list