User:Navdeep Bagga/Proposal

Contact Information
Name: Navdeep Bagga
Email Address: admin@navdeepbagga.com
IRC Username: navdeep / navdeep_
Blog: http://navdeepbagga.com
Location: Ludhiana, Punjab, India
Timezone: GMT + 5:30

Project Title
Implement whitelist functionality in CSS Extension.

Project Mentor
Rusty Burchfield 

Project Description
Currently, the CSS extension allows users to embed their own custom CSS into wiki pages. On the client side, CSS attributes can be abused to inject malicious code, which is known as an XSS attack. To prevent such attacks, a blacklist is already implemented that blocks various known XSS vectors. The problem with a blacklist is that it is quite fragile: we cannot block each and every XSS attack by blacklisting, because the blacklist fails as soon as a new or unknown attack vector appears. A better approach is to implement a whitelist, which only allows whitelisted CSS properties and values (matched with the help of regular expressions).

I would prefer to use the “MediaWikiPerformAction” hook or a similar one (as suggested). By doing so, we may be able to do CSS caching in a better and more efficient way, in MediaWiki core. Another important point is to minimize the use of JavaScript and keep most of the control on the back-end. Such an approach will also help in preventing clickjacking.

Goal
The goal of this project is to replace the blacklist functionality with whitelist functionality to prevent XSS in the CSS extension. This is incomplete without a good CSS parser, which needs to be found and integrated accordingly. Both of these (the whitelist and the CSS parser) will first be combined as a standalone application and later integrated into the CSS extension.

Implementation
1. Find, review, and test the various CSS parsers available. For example:
   https://github.com/sabberworm/PHP-CSS-Parser
   http://www.phpclasses.org/package/1289-PHP-CSS-parser-class.html
   http://csstidy.sourceforge.net/
2. Select a suitable CSS parser on the basis of time, available features and scope for customization.
3. Implement a standalone CSS whitelist script with the chosen CSS parser.
4. Once approved by the mentor, merge the CSS parser into the CSS extension. CSS will be loaded with the help of MediaWiki core hooks, for instance “MediaWikiPerformAction” or similar.
5. Generalize the whitelist functionality so that new rules and conditions are easy to add to the whitelists.
6. Implement an additional whitelist feature that prevents UI redress attacks (also known as clickjacking).

In an XSS attack, the attacker infects a web page with a malicious client-side script. When a user visits that web page, the script is downloaded to the user’s system and executed. The same is depicted in the diagram below.



A few examples:

Malicious CSS
This shows an example of an XSS attack in CSS, written exactly in the syntax of MediaWiki’s ‘CSS Extension’.

Clickjacking
Example 1

It displays another “a” tag inside the “a” tag that holds the “pointer-events” property. The nested links ensure that an alert window with the value “1” appears when the “XXX” link is clicked, so the intent of “pointer-events” is defeated. This example illustrates that “a” tags should not be combined with the pointer-events logic, which may lead to clickjacking. A whitelist is very helpful here, because properties like “position: absolute” will not be whitelisted and will therefore be discarded automatically by the parser.
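The following is an added example, written for this proposal and not code from the CSS extension, showing the whitelist idea from implementation steps 3 and 5 applied to the clickjacking case above: a property/value table where anything not listed (position, pointer-events, url() values) is dropped rather than blacklisted. The property names and value patterns are illustrative assumptions, and the naive splitting on ';' and ':' stands in for the parser still to be selected in step 2.

```php
<?php
// Added example, not the CSS extension's own code: a minimal whitelist filter
// for user-supplied CSS declarations. Property names and value patterns are
// illustrative assumptions; the real rule set would be built in step 5, and
// the chosen CSS parser would replace the naive ';' / ':' splitting below.

// Allowed property => anchored regex that the whole value must match.
$cssWhitelist = [
    'color'            => '/^(#[0-9a-f]{3}|#[0-9a-f]{6}|[a-z]+)$/i',
    'background-color' => '/^(#[0-9a-f]{3}|#[0-9a-f]{6}|[a-z]+)$/i',
    'font-size'        => '/^\d+(\.\d+)?(px|em|%)$/',
    'font-weight'      => '/^(normal|bold|[1-9]00)$/',
    'text-align'       => '/^(left|right|center|justify)$/',
    'margin'           => '/^((0|\d+(\.\d+)?(px|em|%))\s*){1,4}$/',
    'padding'          => '/^((0|\d+(\.\d+)?(px|em|%))\s*){1,4}$/',
    'border'           => '/^\d+px\s+(solid|dashed|dotted)\s+(#[0-9a-f]{3,6}|[a-z]+)$/i',
    // Deliberately absent: position, pointer-events, opacity, z-index,
    // behavior, -moz-binding, and every property that accepts url() or
    // expression(); anything not listed is dropped without a blacklist.
];

/**
 * Filter one rule body ("prop: value; prop: value") and return only the
 * declarations that pass the whitelist, keyed by property name.
 */
function filterDeclarations(string $body, array $whitelist): array {
    $kept = [];
    foreach (explode(';', $body) as $decl) {
        $parts = explode(':', $decl, 2);   // split at the first colon only
        if (count($parts) !== 2) {
            continue;                      // no colon: not a declaration
        }
        $prop  = strtolower(trim($parts[0]));
        $value = trim($parts[1]);
        // Unknown property, or a value that does not match the whole pattern
        // (this also rejects "!important", comments and escapes): drop it.
        if (isset($whitelist[$prop]) && preg_match($whitelist[$prop], $value) === 1) {
            $kept[$prop] = $value;
        }
    }
    return $kept;
}

// Constructed sample mixing benign and hostile declarations.
$sample = 'color: red; position: absolute; pointer-events: none; '
        . 'background: url(javascript:alert(1)); font-size: 12px; '
        . 'width: expression(alert(1)); margin: 0 1em';

print_r(filterDeclarations($sample, $cssWhitelist));
```

The ad hoc splitting is only for illustration; quoted strings, comments and escape sequences are exactly where a real parser (step 2) is needed, and a value the parser cannot normalise should be dropped like any other non-match.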

Example 2

In this example, the user tries to follow some person, but a transparent button placed over the follow link captures the click and does not let the user reach the actual link. X-Frame-Options (also known as XFO) can be used to defend against this attack.

The best protection for XSS is a combination of "whitelist" validation of all incoming data and appropriate encoding of all output data. Validation allows the detection of attacks, and encoding prevents any successful script injection from running in the browser.

Whitelist input validation
Use a standard input validation mechanism to validate all input data for length, type, syntax, and business rules before accepting the data to be displayed or stored.

Strong output encoding
Ensure that all user-supplied data is appropriately entity-encoded before rendering, taking the approach of encoding all characters other than a very limited subset. For example, ‘>’ is encoded as &gt; unless you actually want to close a tag.

Time Availability
I will be available 40 hours / week and can spend more if needed. No time restrictions.

About Me
I completed my B.Tech in Computer Science & Engineering this year from Guru Nanak Dev Engineering College, Ludhiana, Punjab, India. Now I am freelancing, getting hired for web development projects. My interests are mainly in database programming. I am a member of several Linux User Groups. Skills: HTML, CSS, JavaScript, PHP, MySQL and strong Object Oriented & MVC (Model View Controller) concepts. Various other technologies I have worked with are: APIs, LaTeX, LDAP, Git, Doxygen, Secure Shell access (SSH), LimeSurvey, Kannel.

Why This Project
My reason for choosing this project was my interest in CSS and PHP; apart from that, I read old mails on the mailing list, where it was stated that this project is a high priority.

Why Me
I am intensely excited to work this year in OPW with MediaWiki, and to interact and work with MediaWiki developers on such a real-world project.

I prefer using open source software and products (as I am a Linux user), and now it is my time to contribute to open source projects. I think this is the perfect time for me to engage in this activity to build my career in open source.

I am good at communication and have excellent problem-solving skills. I have strong programming and scripting skills. I am blessed with the great power of dreaming about programs.

I have worked as a Linux server administrator for the last 2 years. My common tasks were to maintain security. I have written automation scripts using the bash shell. I am fluent in working with Linux, managing and maintaining Apache/PHP configuration files and log files, cron jobs, setting up SSH and the like.

As a User
I have liked MediaWiki since the first day I installed it. Its 5-step installation impressed me with how good the installation guide is and how easy it is to install. After I chose the CSS Extension as my project, I downloaded and installed it very smoothly.

As a Contributor
I became an IRC fan. As I am a noob to MediaWiki, my questions are answered very quickly, which helps me a lot in solving bugs and, obviously, in the patch submission process (Gerrit). I easily understood the CSS Extension code by reading the developer’s guide, which has tutorials on how to develop a MediaWiki extension, and came to know about the default files and functionality.

My Open Source Experience
I was assigned the following microtask (by my mentor), in which I had to fix the CSS of the category tree according to the Vector layout of the sidebar.

Link to the bug: https://bugzilla.wikimedia.org/show_bug.cgi?id=41859

Patch submitted to gerrit: https://gerrit.wikimedia.org/r/#/c/94099/

Personal Projects:

[1] I made this for my college faculty selection program. https://github.com/NavdeepBagga/Applicant-Form-For-Faculty-Member

[2] I also made an API during my training period at my college. https://github.com/NavdeepBagga/smsapi https://github.com/GreatDevelopers/suneha/tree/master/sunehaPlugin

I have also worked on these open source technologies, viz. LimeSurvey, Kannel and Doxygen. Further, I am active on the Kannel and BRL-CAD mailing lists.