Pylons / pyramid

Pyramid - A Python web framework
https://trypyramid.com/

DOC: XSS in quicktour/views/views.py #1294

Closed westurner closed 10 years ago

westurner commented 10 years ago

http://docs.pylonsproject.org/projects/pyramid/en/latest/quick_tour.html#views

https://github.com/Pylons/pyramid/blob/master/docs/quick_tour/views/views.py#L17

As there is no templating layer to autoescape the user-supplied name parameter and the response is by default text/html, hello_view contains an XSS vulnerability.

Templating is not the focus of (this part of) the quick tour.

I can think of two approaches:

  1. Use cgi.escape before doing string interpolation (`body % cgi.escape(name)`).
  2. Add a note about XSS and the value of utilizing a good templating engine with autoescape.

"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')" http://cwe.mitre.org/data/definitions/79.html

westurner commented 10 years ago

http://docs.pylonsproject.org/projects/pyramid/en/latest/quick_tour.html#templating

westurner commented 10 years ago

There's also https://github.com/Pylons/pyramid/blob/master/docs/quick_tour/requests/app.py#L10 (which does specify content_type="text/plain").

westurner commented 10 years ago

(see #1181 about content_type defaulting to text/html)

stevepiercy commented 10 years ago

The primary purpose of the Quick Tour is to demonstrate how Pyramid works. Secondary topics, such as security—although important and required in web app development—are out of scope for the Quick Tour.

I am not sure whether pyramid_mako auto-escapes HTML, but it looks like it does. http://docs.pylonsproject.org/projects/pyramid/en/latest/whatsnew-1.1.html?highlight=xss#deprecations-and-behavior-differences https://github.com/Pylons/pyramid/issues/193

What we really need is a good Pyramid Cookbook chapter on security, to which the Quick Tour could link for further information. XSS vulnerability prevention would be a good topic, and show how this specific security issue can be easily addressed in Pyramid. Would you please submit a PR with your suggested changes for review, as well as a Cookbook recipe?

westurner commented 10 years ago

Websec and Pyramid?

Maybe it'd be best to start with a few links:

stevepiercy commented 10 years ago

Yes! I'm a big fan of OWASP.

One note, make sure that you distinguish Pyramid from its add-ons in your write-up.

tseaver commented 10 years ago

We should definitely be using 'cgi.escape(name)'; programmers are lazy, and copy-paste such errors without thinking.

westurner commented 10 years ago

Added cgi.escape.

I will also take a look at scoping a security doc based on CWE Top 25 / OWASP 2013 Top 10.
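The pattern discussed in the first post and the fix agreed on above (escape the `name` parameter before interpolating it into an HTML body), as an added example that is not the Pyramid quick-tour code. `Request` and `Response` are minimal stand-ins so it runs without Pyramid installed; `html.escape` is used as the Python 3 successor of `cgi.escape`.

```python
import html


class Response:
    """Stand-in for pyramid.response.Response (constructed for this example).
    content_type defaults to text/html, as the thread notes Pyramid's does."""

    def __init__(self, body, content_type="text/html"):
        self.body = body
        self.content_type = content_type


class Request:
    """Stand-in for a Pyramid request exposing matchdict (constructed)."""

    def __init__(self, matchdict):
        self.matchdict = matchdict


BODY = "<body><h1>Hello, %s!</h1></body>"


def hello_view_unescaped(request):
    """The shape the issue reports: raw interpolation of a user-supplied
    value into a text/html response, so markup in `name` is rendered."""
    name = request.matchdict["name"]
    return Response(BODY % name)


def hello_view(request):
    """The fix from the thread: escape before interpolating. quote=True also
    neutralises quotes, which matters if the value ever lands in an attribute."""
    name = request.matchdict["name"]
    return Response(BODY % html.escape(name, quote=True))


def hello_view_plain(request):
    """The alternative noted for requests/app.py: declare text/plain so the
    browser never parses the interpolated value as markup."""
    name = request.matchdict["name"]
    return Response("Hello, %s!" % name, content_type="text/plain")


if __name__ == "__main__":
    # Constructed sample input containing a harmless tag.
    req = Request({"name": "<b>Alice</b>"})
    print(hello_view_unescaped(req).body)  # tag reaches the browser verbatim
    print(hello_view(req).body)            # tag is rendered as literal text
```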