
Re: [WEB SECURITY] xss filter to protect from xss attacks




Anurag,

I see that you are swallowing *potentially* malicious characters here. The
stress on the word potentially is because there might be occasions in a real
world web application where I might need to allow a user to enter characters
that your filter thinks are malicious but have a legitimate semantic in the
context of that web application.

For example, you filter out < and >. Great! But what if the user has to
express something like "I strongly believe that 10 < 11 and that ';' can be
a good terminator for statements." ?

What would make more sense is to echo these chars back with proper encoding?

Prasad.

On 1/23/07, Anurag Agarwal <anurag.agarwal@yahoo.com> wrote:
>
> I have created an xss filter to protect from xss attacks. Though I have
> filtered only 8 characters, I was able to test against all the
> attacks mentioned in RSnake's cheat sheet. Appscan was not able to
> detect any xss attacks on it. I request the application security community
> to help test this filter. 90% I am sure that you won't be able to perform any
> xss attack on it, the rest 10% I will find out after the feedback from the
> community. For the curious mind, it is written in Java.
>
> In case you are successful in performing an xss attack, please do reply to
> this email with your name, browser and the xss attack string.
>
> url - http://www.attacklabs.com/xssfilter/
>
> I appreciate your time and effort. Thanks a lot in advance
>
>
> Cheers,
>
>
>
> Anurag Agarwal
>
>
>
> SEEC - An application security search engine<http://www.myappsecurity.com/>
>
> Web: www.attacklabs.com , www.myappsecurity.com
>
> Email : anurag.agarwal@yahoo.com
>
> Blog : http://myappsecurity.blogspot.com
>
>
>
>
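Prasad's point above, encoding at output instead of swallowing characters, as an added example that is not from the thread and not Anurag's filter; the stripped character set is a constructed assumption, since the thread does not list the filter's eight characters:

```python
import html

# Assumed set of characters an input-stripping filter might drop; the quoted
# filter's actual 8 characters are not listed in the thread, so this set is
# constructed for illustration only.
STRIPPED_CHARS = frozenset('<>"\'&;()')


def strip_filter(user_input: str) -> str:
    """Input-side filter: silently swallows the listed characters.
    Legitimate text such as "10 < 11" is mangled and cannot be recovered."""
    return "".join(ch for ch in user_input if ch not in STRIPPED_CHARS)


# Entities for the five characters that can break out of an HTML text node or
# a quoted attribute value. '&' is included so the output can never be parsed
# as an entity the user did not write.
HTML_ENTITY = {"&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;"}


def html_encode(text: str) -> str:
    """Output-side encoding: every character is kept, markup-significant ones
    become entities. Applied per character, so nothing is double-encoded."""
    return "".join(HTML_ENTITY.get(ch, ch) for ch in text)


def render_comment(user_input: str) -> str:
    """Emit user text into an HTML text-node context using output encoding."""
    return "<p>" + html_encode(user_input) + "</p>"


def round_trips(text: str) -> bool:
    """The encoded form decodes back to the original: no information is lost."""
    return html.unescape(html_encode(text)) == text


# Constructed sample inputs: Prasad's legitimate sentence and a probe string of
# the kind a scanner such as the one named in the thread would send.
LEGIT = "I strongly believe that 10 < 11 and that ';' can be a good terminator for statements."
PROBE = "<script>alert(1)</script>"

if __name__ == "__main__":
    print("stripped :", strip_filter(LEGIT))    # meaning destroyed
    print("encoded  :", render_comment(LEGIT))  # meaning preserved, shown literally
    print("probe    :", render_comment(PROBE))  # rendered as text, not executed
```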




Brought to you by http://www.webappsec.org