User:Navdeep Bagga/Proposal

Contact Information
Name: Navdeep Bagga
Email Address: admin@navdeepbagga.com
IRC Username: navdeep / navdeep_
Blog: http://navdeepbagga.com
Location: Ludhiana, Punjab, India
Timezone: GMT + 5:30

Project Title
Implement whitelist functionality in the CSS Extension.

Project Mentor
Rusty Burchfield 

Project Description
Currently the CSS extension allows users to embed their own custom CSS into wiki pages. On the client side, malicious code can be injected with the help of CSS attributes, which we call an XSS attack. To prevent such XSS, a blacklist is already implemented which blocks various known XSS attacks. The problem with a blacklist is that it is quite fragile: we cannot block each and every XSS attack by blacklisting it, because the blacklist fails whenever a new or unknown XSS attack appears. A better approach is to implement a whitelist, which allows only the CSS properties and values (matched with the help of regular expressions) that are explicitly whitelisted.

I would prefer to use the “MediaWikiPerformAction” hook or any other similar hook (as suggested). By doing so, we may be able to do CSS caching in a better and more efficient way, at the MediaWiki core. Another important point is to minimize the use of JavaScript and keep most of the control on the back-end. Such an approach will also help us in preventing clickjacking.

Goal
The goal of this project is to replace the blacklist functionality with whitelist functionality to prevent XSS in the CSS extension. This goal cannot be met without a good CSS parser, which I will find and use accordingly. Both parts will first be combined as a standalone application, and later integrated into the CSS Extension.

Implementation
1. Find, review, and test the various CSS parsers available. For example, https://github.com/sabberworm/PHP-CSS-Parser.
2. Select a suitable CSS parser on the basis of time, available features and customizability.
3. Implement a standalone CSS XSS whitelist script with the selected CSS parser.
4. Once approved by the mentor, implement the whitelist functionality into the CSS parser.
5. Merge the CSS parser into the CSS Extension, and replace the blacklist functionality with the whitelist functionality.
6. Load CSS with the help of MediaWiki core hooks, for instance “MediaWikiPerformAction” or similar.
7. Generalize the whitelist functionality so that new rules/conditions are easy to add to the whitelists.
8. Implement an additional whitelist feature that prevents UI redress attacks (also known as clickjacking).

In an XSS attack, the attacker infects a web page with a malicious client-side script. When a user visits that web page, the script is downloaded to the browser and executed. The same is depicted in the diagram below.

A few examples:

Malicious CSS
At this point user privacy is also very important, apart from preventing XSS: we should have a whitelist that allows sources from specific sites only and blocks all others. By doing this we protect user data such as the IP address, cookies etc.

Clickjacking
Example 1

XXX XXX (rendered text of the two nested links; the HTML markup of this example was lost in extraction)

It places another “a” tag inside the “a” tag that holds the “pointer-events” property. The nested links ensure that an alert window with the value “1” appears when the “XXX” link is clicked, and thus the protection offered by “pointer-events” breaks. This example illustrates that “a” tags should not be used with the pointer-events logic, as that may lead to clickjacking.

Example 2

iframe {
    width: 300px;
    height: 100px;
    position: absolute;
    top: 0;
    left: 0;
    filter: alpha(opacity=50); /* in real life opacity=0 */
    opacity: 0.5;
}

Click on the link to follow me: CLICK ME! (the iframe and link markup of this example was lost in extraction)

In this example, the user tries to follow some person, but a transparent button placed over the follow link captures the click and does not let the user reach the actual link.
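As an added illustration of the whitelist approach described above (this is not code from the CSS extension or from PHP-CSS-Parser; the whitelisted properties and their value patterns are assumptions), the PHP script below keeps only declarations whose property is listed and whose value matches the listed regex, which drops the overlay rule from Example 2 as well as any url() value that could pull in a remote resource:

```php
<?php
// Added example, not code from the CSS extension or PHP-CSS-Parser: a
// declaration-level whitelist for one rule body. The property names and
// value regexes below are assumptions chosen for illustration.

/** Allowed property => regex that the whole value must match. */
const CSS_WHITELIST = [
    'color'            => '/^(#[0-9a-f]{3}|#[0-9a-f]{6}|[a-z]+)$/i',
    'background-color' => '/^(#[0-9a-f]{3}|#[0-9a-f]{6}|[a-z]+)$/i',
    'font-size'        => '/^[0-9]{1,3}(px|pt|em|%)$/',
    'width'            => '/^[0-9]{1,4}(px|em|%)$/',
    'height'           => '/^[0-9]{1,4}(px|em|%)$/',
    'text-align'       => '/^(left|right|center|justify)$/',
];

/**
 * Keep only whitelisted "prop: value" pairs from a rule body. Properties
 * missing from the list (position, top, opacity, filter, pointer-events,
 * behavior, ...) and values failing their regex (url(...), expression(...))
 * are dropped, so a new or unknown vector is rejected by default instead
 * of needing a fresh blacklist entry.
 */
function filterDeclarations(string $body): array {
    $body = preg_replace('#/\*.*?\*/#s', '', $body);  // strip comments first
    $kept = [];
    foreach (explode(';', $body) as $decl) {
        $parts = explode(':', $decl, 2);  // limit 2 keeps "url(http://...)" intact
        if (count($parts) !== 2) {
            continue;                     // not of "prop: value" shape
        }
        $prop  = strtolower(trim($parts[0]));
        $value = trim($parts[1]);
        if (!isset(CSS_WHITELIST[$prop]) || !preg_match(CSS_WHITELIST[$prop], $value)) {
            continue;                     // unknown property or disallowed value
        }
        $kept[$prop] = $value;
    }
    return $kept;
}

// Constructed sample: the proposal's transparent-iframe overlay rule plus an
// injected url() value; only width, height and color survive the filter.
$sample = 'width:300px; height:100px; position:absolute; top:0; left:0; '
        . 'filter:alpha(opacity=50); opacity:0.5; color:red; '
        . 'background-color:url(http://example.invalid/x)';
print_r(filterDeclarations($sample));
```

A real implementation would run the same check per declaration over the parser's object tree rather than splitting on ";" and ":", but the decision logic (unknown property or unmatched value means drop) is the part that replaces the blacklist.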

The best protection against XSS is a combination of "whitelist" validation of all incoming data and appropriate encoding of all output data. Validation allows the detection of attacks, and encoding prevents any successfully injected script from running in the browser.

Whitelist input validation
Use a standard input validation mechanism to validate all input data for length, type, syntax, and business rules before accepting the data to be displayed or stored.

Strong output encoding
Ensure that all user-supplied data is appropriately entity-encoded before rendering, taking the approach of encoding all characters other than a very limited subset. For example, ‘>’ is encoded as &gt; unless you actually want to close a tag.

Delivery Schedule
10 Dec - 19 Dec Find, review and test the various CSS parsers available. Get to know their capabilities and find out how they can fit into our project.

20 Dec - 31 Dec Search for and implement a standalone CSS whitelist script with the CSS parser.

1 Jan - 3 Jan Test the standalone application against different cases.

4 Jan - 24 Jan Understand the workings of the CSS Extension; merge the CSS parser into the CSS Extension.

25 Jan - 31 Jan Test, improve and simplify the code.

1 Feb - 6 Feb Generalize the whitelist functionality so that new rules/conditions are easy to add to the whitelists.

7 Feb - 18 Feb Implement an additional whitelist script that prevents UI redress attacks.

19 Feb - 28 Feb Find and fix bugs (along with various test XSS attempts).

1 Mar - 10 Mar Start documentation (using LaTeX or any other recommended tool), including developer documentation and user documentation.

Time Availability:
I will be available 40 hours / week, and can spend more if needed. No restriction of time.

About Me
I completed my B.Tech in Computer Science & Engineering this year from Guru Nanak Dev Engineering College, Ludhiana, Punjab, India. Now I am freelancing, in which I get hired for web development projects. My interests are mainly in database programming. I am a member of several Linux User Groups. Skills: HTML, CSS, JavaScript, PHP, MySQL and strong Object Oriented & MVC (Model View Controller) concepts. Various other technologies that I have worked with are: APIs, LaTeX, LDAP, Git, Doxygen, Secure Shell access (SSH), LimeSurvey, Kannel.

Why This Project
My reason for choosing this project was my interest in CSS and PHP; apart from that, I read old mails in the mailing list, where it was stated that this project is a high priority.

Why Me
I am intensely excited to work this year in OPW with MediaWiki, and excited to interact and work with MediaWiki developers on such a real-world project.

I prefer using open source software and products (as I am a Linux user), and now it is my time to contribute to open source projects. I think this is the perfect time for me to engage in this activity to build my career in open source.

I am good at communication and have excellent problem solving skills. I have strong programming and scripting skills. I am blessed with the great power of dreaming about programs.

I have worked as a Linux server administrator for the last 2 years. My common tasks were to maintain security. I have written automation scripts using bash scripting. I am fluent with Linux, managing and maintaining Apache/PHP configuration files and log files, cron jobs, setting up SSH and the like.

As a User
I have liked MediaWiki from the first day I installed it. Its 5-step installation shows how good the installation guide is and how easy it is to install. After I chose the CSS Extension as my project, I downloaded and installed it very smoothly.

As a Contributor
I became an IRC fan. As I am a noob to MediaWiki, my questions are answered very quickly, which helps me a lot in solving bugs and obviously with the patch submission process (gerrit). I easily understood the CSS Extension code by reading the developer’s guide, which has tutorials on how to develop a MediaWiki extension, and came to know about the default files and functionality.

My Open Source Experience
I have worked on several open source projects, but they were all initiated by me and released under the GPL. A few of them are:

[1] I made this for my college faculty selection program. https://github.com/NavdeepBagga/Applicant-Form-For-Faculty-Member

[2] I also made an API during my training period at my college. https://github.com/NavdeepBagga/smsapi https://github.com/GreatDevelopers/suneha/tree/master/sunehaPlugin

Now I have become involved with the Wikimedia world as a contributor. My first patch has been submitted to MediaWiki and accepted.

My mentor assigned me the following microtask.

The bug which I have fixed: https://bugzilla.wikimedia.org/show_bug.cgi?id=41859

Patch submitted to gerrit: https://gerrit.wikimedia.org/r/#/c/94099/

I have done work on these open source projects: LimeSurvey, Kannel, Doxygen. Also, I am active on the Kannel and BRL-CAD mailing lists.