
Re: [WEB SECURITY] Re: [Webappsec] xss filter to protect from xss attacks




The Java source code is on a linked page - http://myappsecurity.blogspot.com/2007/01/xss-filter-to-protect-from-xss-attacks.html.

-Ryan


On 1/23/07, Amit Klein <aksecurity@gmail.com> wrote:
>
> Anurag Agarwal wrote:
> > I have created an XSS filter to protect from XSS attacks. Though I have
> > filtered only for 8 characters, I was able to test against all the
> > attacks mentioned in RSnake's cheat sheet. Appscan was not able to
> > detect any XSS attacks on it. I request the application security
> > community to help test this filter. I am 90% sure that you won't be
> > able to perform any XSS attack on it; the rest 10% I will find out
> > after the feedback from the community. For the curious mind, it is
> > written in Java.
> If this is an open source project - then where is the source code? If
> it's not - then why should we bother testing it?
>
>
>
> ----------------------------------------------------------------------------
> The Web Security Mailing List:
> http://www.webappsec.org/lists/websecurity/
>
> The Web Security Mailing List Archives:
> http://www.webappsec.org/lists/websecurity/archive/
> http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
>
>


-- 
Ryan C. Barnett
Breach Security: Director of Application Security Training
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
SANS Instructor, GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
Author: Preventing Web Attacks with Apache




Brought to you by http://www.webappsec.org