Re: [WEB SECURITY] xss filter to protect from xss attacks
- From: "Dinis Cruz" <dinis@xxxxxxxxxx>
- Subject: Re: [WEB SECURITY] xss filter to protect from xss attacks
- Date: Tue, 23 Jan 2007 15:46:33 +0000
This is a good but dangerous effort; the problem in this example is that Anurag
is applying a blacklist filter and is only protecting against one case of
xss.
Here is the original code:
String html = request.getParameter("html");
out.println("Here is the filtered output of the html you submitted.");
out.println(filterRequest(html));
And if I change it to:
String html = "<a href='" + filterRequest(request.getParameter("url")) + "'>XSS link</a>";
out.println("Here is the filtered output of the html you submitted.");
out.println(html);
which is another example of using user input to create a link, the filter can be easily bypassed.
1) normal request:
http://127.0.0.1:8080/servlets-examples/servlet/XSSFilter?url=nextServlet
2) already a type of XSS since this type of redirection should not be
allowed: http://127.0.0.1:8080/servlets-examples/servlet/XSSFilter?url=http://www.google.com
3) and here is an XSS 101 payload:
http://127.0.0.1:8080/servlets-examples/servlet/XSSFilter?url=nextPage' onmouseover='Javascript:alert(document.cookie)
4) or if you want to make sure the user cannot escape:
http://127.0.0.1:8080/servlets-examples/servlet/XSSFilter?url=http://www.google.com' onmouseover='Javascript:alert(document.cookie)" style='display:block;position:absolute;left:0;right:0;width:100%25;height:100%25
(thx pdp)
5) note that in example 4) above I could have used " in the payload since
your filter will convert " to ' :
http://127.0.0.1:8080/servlets-examples/servlet/XSSFilter?url=nextPage" onmouseover="Javascript:alert(document.cookie)
6) of course that in this case you could always just do:
http://127.0.0.1:8080/servlets-examples/servlet/XSSFilter?url=javascript:alert(document.cookie)
:)
7) and even if you added ' to the filter (which might be a problem since in
some cases you will need to accept it), it wouldn't cover this case:
String html = "<a href=" + filterRequest(request.getParameter("url")) + ">XSS link</a>";
8) and let's not forget the XSS caused by double encoding or double decoding
in the code.
I hope this shows how hard it is to properly mitigate against XSS and that
in most cases white listing is the only safe option (and even in those cases
XSS might occur).
Another solution that is very rarely talked about is to encode by default
EVERYthing sent to out.println and force the developers to use strongly typed
html classes to create HTML tags.
In the above example you would change
String html = "<a href='" + filterRequest(request.getParameter("url")) + "'>XSS link</a>";
out.println(html);
for
safeHtmlBuilder.a html = safeHtmlBuilder.a(request.getParameter("url"), "XSS link");
safeHtml.out(html);
Assuming of course that safeHtmlBuilder.a(...) was built properly.
Even better than encoding out.println would be to block the developer from
invoking out.println directly (which could be enforced via ('Shock
Horror!!!') the Java security manager (or via Partial Trust in .Net)).
We would have a nice solution for XSS (and this is a good example of what I
was talking about a while back on using sandboxes to create environments
where these types of vulnerabilities are very hard to exist).
Dinis Cruz
Chief OWASP Evangelist
http://www.owasp.org
On 1/23/07, Anurag Agarwal <anurag.agarwal@yahoo.com> wrote:
>
> I have created an xss filter to protect from xss attacks. Though I have
> filtered only 8 characters, I was able to test against all the
> attacks mentioned in RSnake's cheat sheet. Appscan was not able to
> detect any xss attacks on it. I request the application security community
> to help test this filter. 90% I am sure that you won't be able to perform any
> xss attack on it; the rest 10% I will find out after the feedback from the
> community. For the curious mind, it is written in Java.
>
> In case you are successful in performing an xss attack, please do reply to
> this email with your name, browser and the xss attack string.
>
> url - http://www.attacklabs.com/xssfilter/
>
> I appreciate your time and effort. Thanks a lot in advance.
>
> Cheers,
>
> Anurag Agarwal
>
> SEEC - An application security search engine <http://www.myappsecurity.com/>
>
> Web: www.attacklabs.com , www.myappsecurity.com
>
> Email : anurag.agarwal@yahoo.com
>
> Blog : http://myappsecurity.blogspot.com
>
--
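The "strongly typed html class" that Dinis sketches above, worked through as an added example (this is not code from the thread, from the attacklabs filter, or from OWASP). The class name SafeHtmlBuilder and the methods a(), encodeAttr() and isAllowedHref() are hypothetical, and the allowed-host list is constructed for the example. The builder is the inverse of the blacklist approach from the thread: the href is checked against an allow-list (a relative path, or an http(s) URL to one of the application's own hosts), and every value is attribute-encoded and always quoted, so the cases from the thread (quote breaking out of the attribute, the javascript: scheme, the unquoted attribute, the redirect to an external host) all come out as an inert link.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Set;
import java.util.regex.Pattern;

/*
 * Added example, not code from this thread or from the attacklabs filter.
 * The class name SafeHtmlBuilder and the methods a(), encodeAttr() and
 * isAllowedHref() are hypothetical; the allowed host list is constructed.
 */
public final class SafeHtmlBuilder {

    // Hosts this application may link to (constructed allow-list; an
    // external host such as www.google.com is deliberately NOT on it).
    private static final Set<String> ALLOWED_HOSTS = Set.of("127.0.0.1", "localhost");

    // Relative path: starts with a letter, digit, underscore, or a single
    // "/" (not "//", which would be protocol-relative), then a conservative
    // character set with an optional query string. No ":" so no scheme.
    private static final Pattern RELATIVE_PATH = Pattern.compile(
        "^(?:/(?!/)|[A-Za-z0-9_])[A-Za-z0-9_./-]*(?:\\?[A-Za-z0-9_=&./%-]*)?$");

    private SafeHtmlBuilder() {}

    // Attribute-context encoding: the five characters that can close a
    // quoted attribute or open markup are escaped. Both quote styles are
    // covered, so it does not matter which one the template uses.
    static String encodeAttr(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Allow-list for href: a relative path, or an absolute http(s) URL whose
    // host is one of ours. javascript:, data: and external hosts all fail.
    static boolean isAllowedHref(String url) {
        if (url == null || url.isEmpty()) {
            return false;
        }
        if (RELATIVE_PATH.matcher(url).matches()) {
            return true;
        }
        try {
            URI u = new URI(url);
            String scheme = u.getScheme();
            String host = u.getHost();
            return scheme != null
                && (scheme.equalsIgnoreCase("http") || scheme.equalsIgnoreCase("https"))
                && host != null
                && ALLOWED_HOSTS.contains(host.toLowerCase());
        } catch (URISyntaxException e) {
            return false;   // quotes, spaces, etc. never reach the output
        }
    }

    // The only way to get an <a> tag: the href is always quoted, always
    // encoded, and replaced by "#" when it fails the allow-list.
    public static String a(String url, String text) {
        String href = isAllowedHref(url) ? url : "#";
        return "<a href=\"" + encodeAttr(href) + "\">" + encodeAttr(text) + "</a>";
    }

    public static void main(String[] args) {
        // Constructed inputs mirroring cases 1, 2, 3 and 6 of the thread,
        // plus an absolute URL to an allowed host.
        String[] inputs = {
            "nextServlet",
            "http://www.google.com",
            "nextPage' onmouseover='Javascript:alert(document.cookie)",
            "javascript:alert(document.cookie)",
            "http://127.0.0.1:8080/servlets-examples/servlet/nextServlet"
        };
        for (String in : inputs) {
            System.out.println(a(in, "XSS link"));
        }
    }
}
```

Two design points. Because the builder always emits a double-quoted attribute and encodes both quote characters, the filter-specific cases 5 (converting " to ') and 7 (an unquoted href) do not arise at all. Case 8 (double decoding) is outside what the builder can address: it operates on the already-decoded parameter value, so the servlet must not decode that value a second time before passing it in. And, as the message says, the builder only helps if developers cannot bypass it by writing to out.println directly.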
Brought to you by http://www.webappsec.org