These days, almost every service we create has some form of web interface, be it for administration, monitoring or for the core functionality of the service. These interfaces are becoming ever more complex and dynamic, and increasingly interactive. There is a risk, however, when increasing the interactivity of these web services, that we inadvertently allow a user to supply data which can corrupt, or disrupt the normal running of, that service.
Cross-Site Scripting (XSS) is a class of vulnerability whereby an attacker is able to present active web content to a web service, which is subsequently echoed back to a user and executed by the browser. This content can be as seemingly benign as an embarrassing image or text, or as malign as browser-based exploits intended to steal and utilize the user's web session, or even compromise the user's web browser and take control of their client system.
There are three main classes of XSS issue: Persistent, Reflected and DOM-Based. Persistent XSS issues are those where user input is stored by the server, either in a database or in server files, and is later presented to any user visiting the affected web page. Reflected XSS issues are those where user input in a request is immediately reflected back to the user without sanitization.
DOM-Based issues are less common, and are present in web applications with rich client-side JavaScript that generates dynamic code or web content using user-controllable data (e.g. URL parameters).
When developing web applications, we must be extremely careful to protect against all these classes of issue. To do so, we must never trust any data that originates from, or can be controlled by, the client. All data must be sanitized in a way suitable for how that data is going to be used. To help with this, many languages provide built-in functionality to make sure any potentially dangerous control characters are encoded in a way that renders them inactive. The following is a PHP example of this.

Incorrect
The following is a contrived example of how a reflected XSS exploit may occur. If an attacker were to submit a request to 'http://example.com/?name=<script>alert(1)</script>', then any user viewing that URL would have the JavaScript executed within the context of their browser. This can be used for malicious purposes.
Most modern Python web frameworks will escape any input that is rendered via templates, which mitigates the majority of these types of attacks. However, there are ways that this can be disabled.
```html
<!-- by default flask will html escape var -->
<p>{{ var }}</p>

<!-- in this instance it will not! -->
<p>{{ var | safe }}</p>
```
Correct

The correct way to prevent XSS attacks is to validate user input and ensure that data rendered by templates is escaped. Using templates in the way they are intended is preferable:
Any HTML content that is generated directly within a request handler should use the appropriate escaping function:
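The two handler shapes described in this section, as an added example that is not code from the OpenStack guideline. Each function stands in for a request handler: it takes the raw query string of an incoming request and returns the HTML body the server would send back. Only the standard library is used, so it runs without a web framework; the function names and the `/profile` link are assumptions made for the illustration.

```python
"""Reflected XSS in a request handler: the vulnerable form beside the escaped one.

Added example, not code from the OpenStack guideline. Each function stands in
for a request handler: it takes the raw query string of an incoming request and
returns the HTML body the server would send back.
"""
import html
from urllib.parse import parse_qs


def _param(query_string, key):
    """First value of a query parameter, or '' if absent (helper for this example)."""
    return parse_qs(query_string).get(key, [""])[0]


def greeting_unsafe(query_string):
    """Vulnerable: the client-controlled value is concatenated straight into HTML,
    so ?name=<script>alert(1)</script> is returned to the browser as live markup."""
    return "<p>Hello " + _param(query_string, "name") + "</p>"


def greeting_safe(query_string):
    """Fixed: html.escape rewrites <, >, & (and quotes) as entities, so the
    browser renders the supplied text instead of executing it."""
    return "<p>Hello " + html.escape(_param(query_string, "name"), quote=True) + "</p>"


def title_attr_safe(query_string):
    """Attribute context: quote=True is what prevents a double quote in the value
    from closing the attribute and introducing an event-handler attribute."""
    title = html.escape(_param(query_string, "title"), quote=True)
    return '<a href="/profile" title="' + title + '">profile</a>'


if __name__ == "__main__":
    probe = "name=%3Cscript%3Ealert(1)%3C/script%3E"  # constructed request
    print(greeting_unsafe(probe))  # markup passes through untouched
    print(greeting_safe(probe))    # markup arrives as inert text
```

The escaping has to match the context the value lands in: text content needs `<`, `>` and `&` encoded, while an attribute value additionally needs the quote characters encoded, which is why `quote=True` is used throughout. Template autoescaping performs this same transformation for you; the `| safe` filter in the previous section is exactly what switches it off.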

Allowing certain special characters
The issue is made more complex when we encounter situations where we need to allow a specific set of special characters, such as the ability to post content containing HTML tags. In this situation we can either accept only known good data, or we can deny all known bad data. Both approaches have pros and cons, with the specific choice of implementation being dependent on the given application. In general, however, the following should be the list of priorities:
Encoding - Replace ALL control characters with known safe alternatives
Positive validation (whitelist) - Only allow a specific set of values
Negative validation (blacklist) - Block a specified list of dangerous values
In cases where positive validation is used, it should also be coupled with additional sanitization. For example, when allowing certain HTML tags, certain attributes of those tags should be removed, such as event handlers, e.g.:
Again, the preferable approach is to only allow known safe attributes, and to sanitize the content of those attribute values. If the content is not sanitized, the following code would be vulnerable:
If the preceding JavaScript function is called with the link parameter containing the following value, the function can be exploited to execute arbitrary code:
A more secure implementation of the above would be:
Note, this is a very specific example for illustration. A more comprehensive approach to sanitization should be taken for larger applications.
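An allow-list sanitizer that applies the three priorities listed above (encode everything, then positive validation of tags and attributes, with the attribute-value check this last passage calls for) as an added example; it is not code from the OpenStack guideline. It is written in Python, the language of the framework examples on this page, rather than the JavaScript of the DOM example, and it generalizes that example: besides rejecting a `javascript:` value in a link, it strips every attribute not on the allow-list (so event handlers go with it), removes `script` and `style` elements together with their content, and balances tags the input left open. The tag, attribute and scheme policy at the top is assumed for the illustration; a real application would define its own.

```python
"""Allow-list HTML sanitizer built on html.parser.

Added example, not code from the OpenStack guideline. Every text node is
encoded, only allow-listed tags and attributes survive (event handlers such as
onclick are therefore dropped), and URL-bearing attributes are checked against
an allow-list of schemes so a javascript: link cannot get through.
"""
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed policy for this example.
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "a", "br"}
ALLOWED_ATTRS = {"a": {"href", "title"}}      # per-tag attribute allow-list
URL_ATTRS = {"href"}                           # attributes whose value is a URL
ALLOWED_SCHEMES = {"http", "https", "mailto"}
VOID_TAGS = {"br"}
DROP_WITH_CONTENT = {"script", "style"}        # element and its text both go


def safe_url(value):
    """Return value unchanged if its scheme is allow-listed or absent, else None.

    The scheme is read from a copy with whitespace and control characters
    removed: browsers ignore those when parsing a scheme, so a value such as
    "java\tscript:" would otherwise slip past a naive prefix comparison.
    """
    cleaned = "".join(ch for ch in value if ch.isprintable() and not ch.isspace())
    scheme = urlsplit(cleaned).scheme.lower()
    if scheme and scheme not in ALLOWED_SCHEMES:
        return None
    return value


class AllowListSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)  # entities in text/attrs are decoded
        self.out = []
        self.open_tags = []   # allow-listed tags currently open, for balancing
        self.skip_depth = 0   # > 0 while inside a script/style element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return  # tag is dropped; its text still arrives via handle_data
        kept = []
        for name, value in attrs:   # HTMLParser lower-cases tag and attribute names
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue            # covers on* handlers, style and anything unexpected
            value = value if value is not None else ""
            if name in URL_ATTRS:
                value = safe_url(value)
                if value is None:
                    continue        # disallowed scheme: drop the attribute entirely
            kept.append(' %s="%s"' % (name, html.escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in self.open_tags:
            return
        while self.open_tags:               # close anything still open inside it
            top = self.open_tags.pop()
            self.out.append("</%s>" % top)
            if top == tag:
                break

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(html.escape(data, quote=False))

    # Comments, doctypes and processing instructions are discarded by
    # HTMLParser's default no-op handlers, which is the behaviour we want.

    def result(self):
        self.close()
        while self.open_tags:               # balance tags the input left open
            self.out.append("</%s>" % self.open_tags.pop())
        return "".join(self.out)


def sanitize_html(fragment):
    """Sanitize an untrusted HTML fragment against the policy above."""
    parser = AllowListSanitizer()
    parser.feed(fragment)
    return parser.result()


if __name__ == "__main__":
    print(sanitize_html('<a href="javascript:alert(1)" onclick="alert(2)">click</a>'))
```

Because attribute values are entity-decoded before the scheme check, an encoded or whitespace-padded `javascript:` is judged on what the browser would actually see; the whole attribute is dropped rather than rewritten so that no partially cleaned URL is emitted. For production use, a maintained sanitization library with a vetted policy is still the better choice, as the note above says.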
Consequences
Hijack of legitimate user sessions
Disclosure of sensitive information
Access to privileged services and functionality
Delivery of malware and browser exploits from our trusted domain

References
