
RE: [WEB SECURITY] img src , cant get it!



It doesn't sound like you're actually uploading the image file; it looks like you're making a tag reference to the file. If that is the case, you would probably be best served by testing the input and only allowing tags you approve of, with attributes you approve of. This is fairly tricky to do in a pure "whitelist" approach, specifically for the example you provided. I would recommend a "greylist" where you approve only specific tags, then evaluate the attributes for those tags for Bad Strings. 
 
Here are some Bad Strings I would test for: 

script
script
&#x73&#x63&#x72&#x69&#x70&#x74
&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116
#0000115&#0000099&#0000114&#0000105&#0000112&#0000116
#x73&#x63&#x72&#x69&#x70&#x74
#115;cript

While it's redundant, I always follow up this parse with a regex search for remaining tags with script. In VBScript:

Set RegularExpression = New RegExp
RegularExpression.Global = True : RegularExpression.IgnoreCase = True  ' assumed setup (not shown in the post); without Global only the first matching tag is removed
RegularExpression.Pattern = "<[a-zA-Z][^>]*\son\w+=(\w+|'[^']*'|""[^""]*"")[^>]*>"
RequestVariable = RegularExpression.Replace(RequestVariable,"")
 
If you're uploading an image and trying to test within the source of the image, I think you'd need to parse the binary stream when it is uploaded, before it is written to the server. I haven't ever tried this, but someone here probably has...

Good luck!
~Dain
 
Dain White, Web Coordinator
Office of Student Affairs
Washington State University
dainw@xxxxxxx * 1-509-335-6673
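
The greylist approach described above, worked through as an added example in Python (this is not code from the post or from the list). The allowed tags and attributes, the helper names (normalize_url, url_is_safe, Greylist, sanitize) and the sample inputs are assumptions; the first sample is the entity-encoded payload from the question below. Rather than searching the raw text for "script", it lets the parser decode attribute values and then judges href/src by their scheme, which is what catches &#106;&#97;... and a tab hidden inside the scheme; the regex in the post only targets on* handler attributes, so URL attributes need a check like this one:

```python
# Greylist HTML sanitizer (added example): allow a few tags, vet their attributes.
import html
import re
from html.parser import HTMLParser

# Tags that may survive, and for each the attributes that may survive with it
# (assumed allowlist for the demonstration).
ALLOWED = {
    "b": set(), "i": set(), "p": set(), "br": set(),
    "a": {"href", "title"},
    "img": {"src", "alt", "width", "height"},
}
VOID = {"br", "img"}                     # never emit a closing tag for these
URL_ATTRS = {"href", "src"}              # values must pass the scheme check
SAFE_SCHEMES = {"http", "https", "mailto"}
DROP_WITH_CONTENT = {"script", "style"}  # drop the element and its text

_SCHEME = re.compile(r"^([a-z][a-z0-9+.\-]*):", re.I)
_STRIP_INSIDE = re.compile(r"[\t\n\r]")  # browsers ignore these anywhere in a URL
_LEADING_CTRL = "".join(chr(c) for c in range(0x21))  # ...and strip these up front


def normalize_url(value):
    """Decode entities and remove the characters a browser would ignore.
    Values handed over by HTMLParser are already decoded, so unescape() is a
    no-op for them; double decoding can only reject a URL, never admit one."""
    url = html.unescape(value)           # "&#106;&#97;..." -> "ja..."
    url = _STRIP_INSIDE.sub("", url)     # "jav\tascript:" -> "javascript:"
    return url.lstrip(_LEADING_CTRL)


def url_is_safe(value):
    """Relative URLs pass; absolute URLs pass only with an allowed scheme."""
    m = _SCHEME.match(normalize_url(value))
    return m is None or m.group(1).lower() in SAFE_SCHEMES


class Greylist(HTMLParser):
    """Rebuilds the fragment from scratch, keeping only approved pieces."""

    def __init__(self):
        super().__init__(convert_charrefs=True)  # text arrives decoded
        self.out = []
        self.dropped = []   # (tag, reason) audit trail worth logging
        self._skip = None   # tag whose text content is being discarded

    def handle_starttag(self, tag, attrs):
        if self._skip:
            return
        if tag in DROP_WITH_CONTENT:
            self._skip = tag
            self.dropped.append((tag, "tag not allowed"))
            return
        if tag not in ALLOWED:
            self.dropped.append((tag, "tag not allowed"))
            return
        kept = ""
        for name, value in attrs:        # names are lowercased, values decoded
            value = value or ""
            if name not in ALLOWED[tag]:
                self.dropped.append((tag, "attribute %s not allowed" % name))
            elif name in URL_ATTRS and not url_is_safe(value):
                self.dropped.append((tag, "%s has unsafe scheme" % name))
            else:
                kept += ' %s="%s"' % (name, html.escape(value, quote=True))
        self.out.append("<%s%s>" % (tag, kept))

    def handle_endtag(self, tag):
        if self._skip:
            if tag == self._skip:
                self._skip = None
            return
        if tag in ALLOWED and tag not in VOID:
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if not self._skip:
            self.out.append(html.escape(data, quote=False))  # re-escape text

    # Comments, doctypes and processing instructions carry nothing we want.
    def handle_comment(self, data): pass
    def handle_decl(self, decl): pass
    def handle_pi(self, data): pass


def sanitize(fragment):
    """Return (clean_html, dropped) for one user-supplied fragment."""
    p = Greylist()
    p.feed(fragment)
    p.close()
    return "".join(p.out), p.dropped


# Constructed samples: the entity-encoded payload from the question, plus an
# event handler, a tab hidden inside the scheme, and a script block.
SAMPLES = [
    '<IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;'
    '&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;>',
    '<img src="http://example.com/a.png" onerror="alert(1)">',
    '<a href="jav&#x09;ascript:alert(1)">profile</a>',
    '<script>alert(1)</script><p class="x">hi &amp; bye</p>',
]

if __name__ == "__main__":
    for s in SAMPLES:
        clean, dropped = sanitize(s)
        print(repr(clean), dropped)
```

Two design points: the output is regenerated from the parsed tree and re-escaped, so what gets stored is canonical HTML rather than the user's bytes with pieces cut out; and an unknown scheme fails closed, so "data:" and "vbscript:" are rejected without having to be listed. The dropped list is worth logging, since a stream of "unsafe scheme" rejections on one account is a useful signal in its own right.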


________________________________

From: Esteban Ribičić [mailto:kisero@xxxxxxxxx] 
Sent: Monday, January 01, 2007 7:46 AM
To: Web Security
Subject: [WEB SECURITY] img src , cant get it!


hi,
 
I'm testing some web apps we have in our office which are about to go public. Users can upload images; I tried uploading an image with this content:
 
"<IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;>" 
 
expecting an XSS alert to be displayed...
 
If I request the image directly I get the alert("xss")... but if the image is requested from the "profile" page, which has the href link to the image (where a href to the img exists), I get a 304 error... 
 
Can anyone explain, or give me a reference where I can understand what is wrong? 
 
I know it's a very simple case; well, I guess I'm just on the initial learning path :-P
 
I wanted to test the input fields for tags like href, img, ', ", etc. to see if the code is vulnerable to more XSS input (permanent or not)... can anyone recommend an application? I was about to code something... but my laziness is killing me :) 
 
Many thanks,
have a great 2007.
 

----------------------------------------------------------------------------
The Web Security Mailing List:
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]



Brought to you by http://www.webappsec.org