[OpenSER-Users] sanitizing sip requests

Edson 4lists at gmail.com
Thu Oct 18 02:27:39 CEST 2007


I was thinking about this problem and I think that combining this module
idea with the ones presented by Jiri could lead to an intermediate and more
flexible one.

Any sanitization task would be processed by a dedicated module. This module
could load as many 'sanitization descriptions' as desired. Each
'sanitization description' could be an XML file (just to give an example) and
would take care of a specific language or language family. It could
describe signatures, or even include language syntax and semantics checks
(who knows what is really necessary?). This way, changing/improving the
descriptions with language-specific sanitization knowledge would extend
the protection without the need for logical changes in the proxy script.

For sure, even if the idea is easy to understand, its implementation is not
trivial work. But it is an idea... ;)

Edson

>-----Original Message-----
>From: users-bounces at openser.org [mailto:users-bounces at openser.org] On
>Behalf Of Christian Schlatter
>Sent: Wednesday, 17 October 2007 20:27
>To: William Quan
>Cc: users at openser.org
>Subject: Re: [OpenSER-Users] sanitizing sip requests
>
>William Quan wrote:
>> Hi all,
>> I came across a security alert that basically embeds javascript in the
>> display name of the From to initiate cross-site-scripting (XSS) attacks.
>> Here is an example:
>>
>> From: "<script>alert('hack')</script>""user"
>> <sip:user at domain.com <https://lists.grok.org.uk/mailman/listinfo/full-
>disclosure>>;tag=002a000c
>>
>>
>> Grammatically, I don't see an issue with this. However, under the right
>> circumstances this could get ugly.
>> Do you see value in having openser take a proactive role to detect these
>> and reject calls?  Or is this outside the scope of what a proxy should
>> be doing (leave it to the UA to sanitize) ?
>
>I think it should be left to the UA. It would be very difficult to come
>up with good sanitizing rules, and they would get out of date very
>quickly. Maybe an openser sanitizer module that would download SIP
>attack signatures would make sense.
>
>/Christian
>
>
>>
>> Looking to get your thoughts-
>> -will
>>
>> _______________________________________________
>> Users mailing list
>> Users at openser.org
>> http://openser.org/cgi-bin/mailman/listinfo/users
>
>
>_______________________________________________
>Users mailing list
>Users at openser.org
>http://openser.org/cgi-bin/mailman/listinfo/users
