
[WEB SECURITY] Re: [Webappsec] xss filter to protect from xss attacks



The source code is uploaded to the page. You can either view it at http://myappsecurity.blogspot.com/2007/01/xss-filter-to-protect-from-xss-attacks.html or download the Java file at http://www.attacklabs.com/xssfilter/XSSFilter.java

The URL to test this filter is http://www.attacklabs.com/xssfilter/

Cheers,

Anurag Agarwal

SEEC - An application security search engine
Web: www.attacklabs.com , www.myappsecurity.com
Email : anurag.agarwal@yahoo.com
Blog : http://myappsecurity.blogspot.com


----- Original Message ----
From: Amit Klein <aksecurity@gmail.com>
To: Anurag Agarwal <anurag.agarwal@yahoo.com>
Cc: WASC Forum <websecurity@webappsec.org>; "webappsec @OWASP" <webappsec@lists.owasp.org>
Sent: Monday, January 22, 2007 11:50:06 PM
Subject: Re: [Webappsec] xss filter to protect from xss attacks

Anurag Agarwal wrote:
> I have created an XSS filter to protect from XSS attacks. Though I have
> filtered only 8 characters, I was able to test against all the
> attacks mentioned in RSnake's cheat sheet. AppScan was not able to
> detect any XSS attacks on it. I request the application security
> community to help test this filter. I am 90% sure that you won't be
> able to perform any XSS attack on it; the rest 10% I will find out
> after the feedback from the community. For the curious mind, it is
> written in Java.
If this is an open source project - then where is the source code? If
it's not - then why should we bother testing it?



Brought to you by http://www.webappsec.org