20070103

Protecting your Customers from UXSS

Well, it already has a name - UXSS. One of the vulnerabilities uncovered at 23C3 - arbitrary XSS from PDFs. Universal Cross-site Scripting. And so it begins - another race to name a vulnerability.

But I digress. You can actually protect yourself here, without taking PDFs off your site. But it's not easy. It will take engineering and time.

You need to apply a level of indirection. In this case, your PDFs need to go into a non-web-accessible directory. Then you need to use a bit tunnel to transmit the PDF. Everybody's seen these before, and most of you have written them and use them elsewhere on your site. In simple terms, it just opens up a file that the web server would not otherwise serve and transmits the bits.

With these, you need to make sure that the bit tunnel has a whitelist of what files it can open, so that altering the parameter cannot lead to directory traversal or arbitrary file download. And you also need to apply transaction tokens here. Make sure to at least check the referrer, but preferably use a hidden form element with a token that is also in the session. The bit tunnel needs to check this transaction token to ensure that the user got here from somewhere you know about.
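The bit tunnel with all three controls (whitelist, referrer check, session-bound token), as an added example rather than code from the original post. The hostname `www.example.com`, the allowlist contents, the `doc`/`token` field names and the single-use token are assumptions; the sample PDF is constructed in a temp directory standing in for the non-web-accessible one.

```python
import hmac
import secrets
import tempfile
from pathlib import Path
from urllib.parse import urlsplit

SITE_HOST = "www.example.com"  # assumed: the only acceptable Referer host

# Whitelist: the public parameter selects a key, never a path, so a
# crafted value such as "../../etc/passwd" simply is not found.
PDF_WHITELIST = {
    "annual-report": "annual_report_2006.pdf",
    "price-list": "price_list.pdf",
}


def issue_token(session):
    """Store a fresh random transaction token in the session; the page that
    links to the PDF echoes it in a hidden form field."""
    token = secrets.token_urlsafe(32)
    session["pdf_token"] = token
    return token


def serve_pdf(pdf_dir, form, headers, session):
    """The bit tunnel. Returns (status, response_headers, body)."""
    # 1. Transaction token: hidden form value must match the session copy.
    expected = session.get("pdf_token")
    supplied = form.get("token", "")
    if not expected or not hmac.compare_digest(expected, supplied):
        return 403, {}, b"missing or invalid transaction token"
    # 2. Referrer: the user must have arrived from one of our own pages.
    if urlsplit(headers.get("Referer", "")).hostname != SITE_HOST:
        return 403, {}, b"unexpected referrer"
    # 3. Whitelist: unknown keys are refused before touching the filesystem.
    filename = PDF_WHITELIST.get(form.get("doc", ""))
    if filename is None:
        return 404, {}, b"no such document"
    body = (Path(pdf_dir) / filename).read_bytes()
    session.pop("pdf_token", None)  # assumed single-use: one token per download
    return 200, {"Content-Type": "application/pdf",
                 "Content-Length": str(len(body))}, body


def make_demo_dir():
    """Constructed sample: temp directory with one whitelisted PDF."""
    d = Path(tempfile.mkdtemp())
    (d / "annual_report_2006.pdf").write_bytes(b"%PDF-1.4 constructed sample\n")
    return d
```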

So there's the fix. It's not easy, and it will take a couple of hours, unless you already use all those controls (bit tunnel, with a token check, and with a whitelist). It also makes it a bear to update your site. But your customers are worth the trouble, aren't they?
