From jiri@iptel.org Thu Oct 18 00:02:56 2007
From: Jiri Kuthan
To: sr-users@lists.kamailio.org
Subject: Re: [OpenSER-Users] sanitizing sip requests
Date: Thu, 18 Oct 2007 00:11:00 +0200
Message-ID: <20071017221155.0F9B81810C52@mail.iptel.org>
In-Reply-To: <471634B2.10408@employees.org>

At 18:13 17/10/2007, William Quan wrote:
>Hi all,
>I came across a security alert that basically embeds javascript in the
>display name of the From to initiate cross-site-scripting (XSS) attacks.
>Here is an example:
>
>From: """user" >>;tag=002a000c
>
>
>Grammatically, I don't see an issue with this. However, under the right
>circumstances this could get ugly.
>Do you see value in having openser take a proactive role to detect these
>and reject calls? Or is this outside the scope of what a proxy should
>be doing (leave it to the UA to sanitize)?

We have been thinking hard about this in the SER community. My 2 cents are
that sanitizing in the proxy is of limited impact. The trouble is that it is
not just JavaScript, it can be literally any application in any language,
which is tunneled some crafted data through SIP. The SIP proxy can be taught
to detect JavaScript but who knows what is going to come next. Thus I think
that JavaScript-enabled apps should test SER-produced data for JavaScript
data, and XYZ-apps should test SER-produced data for XYZ-script data.

As an example, the latest serweb version, which uses JavaScript, is
resistant against such JavaScript attacks.

-jiri

>Looking to get your thoughts-
>-will
>
>_______________________________________________
>Users mailing list
>Users(a)openser.org
>http://openser.org/cgi-bin/mailman/listinfo/users

--
Jiri Kuthan     http://iptel.org/~jiri/
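The point of the reply above is that the consumer of SIP data, not the proxy, is the right place to neutralize a display name, because only the consumer knows which output context (HTML, SQL, a shell, a log viewer) it is writing into. The following is an added example, not code from the thread, from SER/OpenSER or from serweb: it parses the display-name of a SIP From header (RFC 3261 quoted-string rules, with backslash escapes) and then HTML-escapes it for a web page, so a display name carrying markup is rendered as inert text. The `render_caller_html` and `flag_markup_in_display_name` helpers and the sample headers are constructed for this example; the second helper illustrates why a proxy-side check is of limited value: it can only look for characters that matter to one particular consumer.

```python
import html
import re

# Constructed sample headers for this example (not from the original message).
SAMPLE_FROM_HEADERS = [
    'From: "Alice" <sip:alice@example.com>;tag=1928301774',
    # Display name carrying HTML markup, the pattern discussed in the thread.
    'From: "<script>alert(1)</script>" <sip:user@example.com>;tag=002a000c',
    # Quoted-string with escaped double quotes inside the display name.
    'From: "Bob \\"the builder\\"" <sip:bob@example.com>;tag=abc',
    # No display name at all (addr-spec form).
    'From: sip:anonymous@example.com;tag=xyz',
]

_HEADER_NAME = re.compile(r"^\s*(?:from|f)\s*:", re.IGNORECASE)


def parse_display_name(from_header: str) -> str:
    """Return the display-name part of a SIP From header, with quoted-string
    backslash escapes removed. Returns '' when there is no display name.
    Accepts either the full header line ('From: ...' or compact 'f: ...')
    or just the header value."""
    value = _HEADER_NAME.sub("", from_header, count=1).strip()
    if value.startswith('"'):
        # quoted-string: DQUOTE *( qdtext / quoted-pair ) DQUOTE
        out = []
        i = 1
        while i < len(value):
            c = value[i]
            if c == "\\" and i + 1 < len(value):
                out.append(value[i + 1])  # quoted-pair: keep escaped char
                i += 2
                continue
            if c == '"':
                return "".join(out)
            out.append(c)
            i += 1
        raise ValueError("unterminated quoted display-name")
    # Unquoted form: zero or more tokens before the '<' of the name-addr.
    lt = value.find("<")
    return "" if lt == -1 else value[:lt].strip()


def render_caller_html(from_header: str) -> str:
    """Render the caller's display name into an HTML table cell.
    The escaping happens here, at the output boundary, because this is the
    one place that knows the data is going into HTML."""
    name = parse_display_name(from_header)
    return "<td>%s</td>" % html.escape(name, quote=True)


def flag_markup_in_display_name(from_header: str) -> bool:
    """Proxy-side heuristic in the spirit of the original question: report
    whether the display name contains characters significant to HTML.
    Useful for logging, but it only knows about one consumer (HTML) and
    would say nothing about data headed for SQL, a shell or anything else."""
    name = parse_display_name(from_header)
    return any(ch in name for ch in '<>&"')


if __name__ == "__main__":
    for hdr in SAMPLE_FROM_HEADERS:
        print(repr(parse_display_name(hdr)), "->", render_caller_html(hdr),
              "| flagged:", flag_markup_in_display_name(hdr))
```

Rendering escapes the name for HTML only; a consumer that writes the same display name into a SQL statement or a shell command needs its own context-specific encoding, which is exactly why the proxy cannot do this job once for everyone.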