TITLE
    WebObjects: Preventing Security Holes with Dynamic Content
Article ID: 70146
Created: 2/4/00
Modified: 3/6/00

TOPIC

    On February 2, 2000, the CERT® coordination center issued a security advisory entitled "CERT® Advisory CA-2000-02: Malicious HTML Tags Embedded in Client Web Requests". The alert concerns web sites which generate dynamic content. This article discusses the impact of this advisory on web sites built with WebObjects.


DISCUSSION

    About Dynamic Content Security

    The problem described in the CERT® advisory concerns sites which generate dynamic content from user input; for example, web discussion boards and guestbooks. Attackers can embed tags in this input, such as SCRIPT or FORM tags, that can run scripts on a client's system or compromise the security of the client's information. This can cause security problems even if the page is only visible to the user who appears to have given the input; attackers can include poisoned URLs in email or newsgroup messages or on other web sites. In some cases, the attacks can be made persistent with cookies.

    This is a serious problem which all dynamic content providers need to be aware of. Apple recommends that all WebObjects developers read the original CERT® advisory, which can be found at:

    http://www.cert.org/advisories/CA-2000-02.html

    WebObjects and Dynamic Content

    By default, when an NSString is used to create a dynamic page, WebObjects escapes all special characters, including the "<" and ">" characters. For example, if a user entered the following HTML code into a WebObjects application:

    Hello message board. This is a message.
    <SCRIPT>malicious code</SCRIPT>
    This is the end of my message.

    WebObjects, when dynamically building a page with this input, would generate:

    Hello message board. This is a message.
    &lt;SCRIPT&gt;malicious code&lt;/SCRIPT&gt;
    This is the end of my message.

    This will prevent the malicious code from executing.

    However, WebObjects allows developers great flexibility, and some developers may have chosen to change this default behavior to allow users to enter valid HTML tags. If you have chosen to allow HTML tags in user input, your application will be vulnerable to this bug. In addition, static pages generated by your web server, such as the "404 Not Found" page, may be vulnerable to malicious tags. Contact your web server vendor for more information.
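    The following is an added illustration, not WebObjects code or code from this article. It models the three behaviors the article describes: the default, where every special character in user input is escaped (reproducing the message-board example above); the opt-out, where raw HTML from the user reaches the page unchanged and a SCRIPT tag in it would run in the reader's browser; and a middle ground, where everything is escaped and only a small, attribute-free set of formatting tags is re-enabled. The tag allowlist, the sample message and the check for SCRIPT and FORM tags in rendered output are assumptions made for this example.

```python
import re

# Constructed sample input, mirroring the message-board example in the article.
SAMPLE_MESSAGE = (
    "Hello message board. This is a message.\n"
    "<SCRIPT>malicious code</SCRIPT>\n"
    "This is the end of my message."
)

# Tags a hypothetical message board chooses to permit (assumption for this example).
ALLOWED_TAGS = {"b", "i", "em", "strong", "p", "br"}
TAG_RE = re.compile(r"<(/?)([a-zA-Z][a-zA-Z0-9]*)([^<>]*)>")


def escape_html(text: str) -> str:
    """Escape the characters that let user input change page structure.

    This mirrors what the article says WebObjects does by default with an
    NSString; the function itself is illustrative, not WebObjects code.
    """
    return (text.replace("&", "&amp;")
                .replace("<", "&lt;")
                .replace(">", "&gt;")
                .replace('"', "&quot;"))


def render_message(text: str, allow_html: bool = False) -> str:
    """Render user input for inclusion in a page.

    allow_html=False is the escape-everything default.  allow_html=True is
    the flexible mode the article warns about: the input is emitted as-is,
    so any SCRIPT or FORM tag in it becomes live markup.
    """
    if allow_html:
        return text
    return escape_html(text)


def render_with_allowlist(text: str) -> str:
    """Escape everything, then re-enable a few attribute-free formatting tags.

    Anything outside ALLOWED_TAGS, and any tag carrying attributes (so that
    event handlers such as onclick cannot slip through), stays escaped text.
    """
    out = []
    pos = 0
    for m in TAG_RE.finditer(text):
        out.append(escape_html(text[pos:m.start()]))
        closing, name, attrs = m.group(1), m.group(2).lower(), m.group(3)
        if name in ALLOWED_TAGS and attrs.strip() == "":
            out.append(f"<{closing}{name}>")
        else:
            out.append(escape_html(m.group(0)))
        pos = m.end()
    out.append(escape_html(text[pos:]))
    return "".join(out)


def contains_active_content(rendered: str) -> bool:
    """Check rendered output for the tag types the article names as dangerous.

    Useful as a regression test on page output: it should be False for any
    page built from user input unless the application deliberately allows it.
    """
    return re.search(r"<\s*/?\s*(script|form)\b", rendered, re.I) is not None


if __name__ == "__main__":
    print(render_message(SAMPLE_MESSAGE))
    print(contains_active_content(render_message(SAMPLE_MESSAGE)))              # False
    print(contains_active_content(render_message(SAMPLE_MESSAGE, allow_html=True)))  # True
    print(render_with_allowlist("<b>hi</b> <script>x</script> <b onclick=x>y</b>"))
```

    The point of `contains_active_content` is that the decision to allow HTML is one the application makes once, so the rendered output of every page built from user input can be checked mechanically for tags that should never have survived escaping.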


Document Information
Product Area: WebObjects
Category: WebObjects 1.x and 2.x; WebObjects 3.0 and 3.1; WebObjects 3.5.1; WebObjects 4; WebObjects 4.5
Sub Category: General Topics

Copyright © 2000 Apple Computer, Inc. All rights reserved.