Hive Asks You to Upload JavaScript
There’s a pretty interesting writeup on Tod Allen’s website about how Hive is vulnerable to XSS. The interesting part to me was how the site actually asked the user to upload code. Ahhh, the information age. Upload whatever you want! The sky is the limit! Of course that policy has risks like credential theft, phishing, cross-site request forgery, etc… Same old story, different site.
Again, there’s that interesting trade-off between which sites are useful to people and which sites are secure. If the customers demand to be able to upload JavaScript, we have a big problem. Over the last few days that thread on sla.ckers.org has been brewing on how to allow full HTML with all its features without allowing JavaScript. But let’s take that problem one step further and allow JavaScript but no XSS. There’s a real problem for you.



January 25th, 2007 at 2:40 pm
In this particular case it certainly needs its own scripting language. Instead of allowing people to upload plain JavaScript, define a JavaScript-like language that will only expose a few objects. And then use a JavaScript-based interpreter to run this scripting language - there are solutions this could be based on, e.g. Narcissus. I mean, what do you want with the browser’s objects in a chat anyways? I looked at their scripts, they always call into the Hive API, nothing else. It is mostly animations and other manipulation of virtual objects. But I guess building their own interpreter was too complicated; making XSS a feature is by far an easier solution.
January 25th, 2007 at 3:14 pm
The trouble is as soon as you throw enough features in, it becomes Turing complete and impossible to audit using a machine (you could always limit execution time, but that has problems too).
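The approach discussed in the two comments above, as an added example that is not part of the original post or of Hive's code: a small interpreter that exposes only an allowlisted API to uploaded scripts and enforces a step budget. The s-expression syntax stands in for the "JavaScript-like language", and `runScript`, `moveTo` and `setColor` are hypothetical names.

```javascript
// Added example. runScript, moveTo and setColor are hypothetical names.
// Parse an s-expression script into nested arrays of numbers and bare words.
function parse(src) {
  const tokens = src.replace(/[()]/g, ' $& ').trim().split(/\s+/);
  let pos = 0;
  function read() {
    if (pos >= tokens.length) throw new SyntaxError('unexpected end of script');
    const t = tokens[pos++];
    if (t === ')') throw new SyntaxError('unexpected )');
    if (t !== '(') return /^-?\d+(\.\d+)?$/.test(t) ? Number(t) : t;
    const list = [];
    while (tokens[pos] !== ')') list.push(read());
    pos++; // consume the closing ')'
    return list;
  }
  const ast = read();
  if (pos !== tokens.length) throw new SyntaxError('trailing input');
  return ast;
}

// Evaluate a script. The only callable names are the own properties of `api`;
// no browser object (window, document, eval) is reachable from the language.
function runScript(src, api, maxSteps = 1000) {
  const allowed = new Map(Object.entries(api)); // a Map has no prototype keys
  let steps = 0;
  function evaluate(node) {
    if (++steps > maxSteps) throw new RangeError('step budget exceeded');
    if (!Array.isArray(node)) return node; // number or bare word: plain data
    const [op, ...args] = node;
    if (op === 'do') return args.map(evaluate).pop();
    if (op === 'repeat') {
      const n = evaluate(args[0]);
      let last;
      for (let i = 0; i < n; i++) last = evaluate(args[1]);
      return last;
    }
    if (typeof op !== 'string' || !allowed.has(op)) throw new ReferenceError(`not in API: ${op}`);
    return allowed.get(op)(...args.map(evaluate));
  }
  return evaluate(parse(src));
}

// Constructed sample: an animation script run against a two-function API.
function demo() {
  const log = [];
  const api = { moveTo: (x, y) => log.push(`moveTo ${x},${y}`), setColor: (c) => log.push(`setColor ${c}`) };
  runScript('(do (setColor red) (repeat 3 (moveTo 10 20)))', api);
  return log;
}
```

The step budget bounds runaway loops without deciding whether a script halts, so a legitimate long-running script is cut off the same way as a hostile one.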