From cs@unc.edu Thu Oct 18 00:19:40 2007
From: Christian Schlatter
To: sr-users@lists.kamailio.org
Subject: Re: [OpenSER-Users] sanitizing sip requests
Date: Wed, 17 Oct 2007 18:27:16 -0400
Message-ID: <47168C44.7020103@unc.edu>
In-Reply-To: <471634B2.10408@employees.org>

William Quan wrote:
> Hi all,
> I came across a security alert that basically embeds javascript in the
> display name of the From to initiate cross-site-scripting (XSS) attacks.
> Here is an example:
>
> From: """user" > >;tag=002a000c
>
>
> Grammatically, I don't see an issue with this. However, under the right
> circumstances this could get ugly.
> Do you see value in having openser take a proactive role to detect these
> and reject calls? Or is this outside the scope of what a proxy should
> be doing (leave it to the UA to sanitize)?

I think it should be left to the UA. It would be very difficult to come
up with good sanitizing rules, and they would get out of date very
quickly. Maybe an openser sanitizer module that would download SIP
attack signatures would make sense.

/Christian

>
> Looking to get your thoughts-
> -will
>
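
The UA-side handling discussed in this thread, as an added example that is not part of either message: an interface that shows the caller name parses the display name out of the From header value and HTML-encodes it at render time, which needs no signature list. The function names, the table-cell markup and the sample header values are assumptions constructed for illustration.

```python
import html

def split_from(value):
    """Split a SIP From header value into (display_name, remainder)."""
    v = value.strip()
    if v.startswith('"'):                      # quoted-string display name
        out, i = [], 1
        while i < len(v):
            c = v[i]
            if c == "\\" and i + 1 < len(v):   # quoted-pair: keep next char literally
                out.append(v[i + 1])
                i += 2
                continue
            if c == '"':                       # closing quote ends the display name
                return "".join(out), v[i + 1:].strip()
            out.append(c)
            i += 1
        raise ValueError("unterminated quoted display name")
    lt = v.find("<")
    if lt == -1:                               # bare addr-spec, no display name
        return "", v
    return v[:lt].strip(), v[lt:]

def needs_review(display):
    """True when the display name carries HTML metacharacters or control chars."""
    return any(ch in "<>&\"'" or ord(ch) < 0x20 for ch in display)

def render_caller(value):
    """Return an HTML table cell (hypothetical call-log markup) with the name encoded."""
    display, _ = split_from(value)
    return '<td class="caller">' + html.escape(display, quote=True) + "</td>"

# Constructed sample header values, not taken from the thread.
SAMPLES = [
    'Alice <sip:alice@example.com>;tag=1',
    '"<script>x</script>" <sip:user@example.com>;tag=002a000c',
]

if __name__ == "__main__":
    for s in SAMPLES:
        name, _ = split_from(s)
        print(needs_review(name), render_caller(s))
```

The encoding step is applied to every display name, so `needs_review` is only a logging hint and not the control that keeps markup from being interpreted.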