[OpenSER-Users] sanitizing sip requests

Christian Schlatter cs at unc.edu
Thu Oct 18 00:27:16 CEST 2007


William Quan wrote:
> Hi all,
> I came across a security alert that basically embeds javascript in the
> display name of the From to initiate cross-site-scripting (XSS) attacks.
> Here is an example:
> 
> From: "<script>alert('hack')</script>""user"
> <sip:user at domain.com <https://lists.grok.org.uk/mailman/listinfo/full-disclosure>>;tag=002a000c
> 
> 
> Grammatically , I don't see an issue with this. However, under the right
> circumstances this could get ugly.
> Do you see value in having openser take a proactive role to detect these
> and reject calls?  Or is this outside the scope of what a proxy should
> be doing (leave it to the UA to sanitize) ?

I think it should be left to the UA. It would be very difficult to come 
up with good sanitizing rules, and they would get out of data very 
quickly. Maybe an openser sanitizer module that would download SIP 
attack signatures would make sense.

/Christian


> 
> Looking to get your thoughts-
> -will
> 
> _______________________________________________
> Users mailing list
> Users at openser.org
> http://openser.org/cgi-bin/mailman/listinfo/users





More information about the sr-users mailing list