[OpenSER-Users] sanitizing sip requests

Klaus Darilion klaus.mailinglists at pernau.at
Thu Oct 18 09:47:52 CEST 2007



William Quan schrieb:
> Hi all,
> I came across a security alert that basically embeds javascript in the
> display name of the From to initiate cross-site-scripting (XSS) attacks.
> Here is an example:
> 
> From: "<script>alert('hack')</script>""user"
> <sip:user at domain.com <https://lists.grok.org.uk/mailman/listinfo/full-disclosure>>;tag=002a000c

Thats a cool attack. I fear there will be more smart attacks in the next 
time.

klaus

> Grammatically , I don't see an issue with this. However, under the right
> circumstances this could get ugly.
> Do you see value in having openser take a proactive role to detect these
> and reject calls?  Or is this outside the scope of what a proxy should
> be doing (leave it to the UA to sanitize) ?
> 
> Looking to get your thoughts-
> -will
> 
> _______________________________________________
> Users mailing list
> Users at openser.org
> http://openser.org/cgi-bin/mailman/listinfo/users




More information about the sr-users mailing list