Re: [WEB SECURITY] xss filter to protect from xss attacks
- From: "pdp (architect)" <pdp.gnucitizen@xxxxxxxxxxxxxx>
- Subject: Re: [WEB SECURITY] xss filter to protect from xss attacks
- Date: Tue, 23 Jan 2007 17:21:59 +0000
Ok, I posted this on Dinis Cruz's blog but I guess it might be useful
here as well.
XSS is an attack vector that is very hard to mitigate. Why? Well,
different applications have different requirements that involve
different problems. Some problems can be grouped and solved with a
single solution. Others can't! You need to write custom solutions for
them.
Also, be aware that the currently developed XSS filters protect the
client by sanitizing the input sent to the server. That's very good,
however, I've seen many applications that do a pretty good job on the
server side but they fail to perform that well on the client side. I
am talking about DOM based XSS. If your JavaScript code makes use of
cookies, queries, fragment identifiers or other types of input without
sanitizing it, attackers can abuse it in order to execute malicious
code on the browser.
Although that was not very popular in the past, today with the rise
of AJAX applications, it is normal. Server-side XSS filters don't work
here. This is the client side.
On 1/23/07, Andrew van der Stock <vanderaj@xxxxxxxxx> wrote:
I have a PHP anti-XSS library in development which encodes all but the
characters A-Z, a-z, 0-9, and space. It is multi-byte aware. For
convenience, it uses the same API interfaces as Microsoft Anti-XSS 1.5
library (which I heartily recommend to all .NET developers). My version is
initially implemented in just PHP. I might have to make it into a PHP
extension to regain speed. But first and foremost, correct then fast. The
API is most likely going to be (statics may be lost in the long run):
class AntiXSS {
    public function __construct() { }
    public static function HTMLEncode($o) { }
    public static function HTMLDecode($i) { }
    public static function HtmlAttributeEncode($o) { }
    public static function UrlEncode($o) { }
    public static function JavaScriptEncode($o) { }
    public static function XmlEncode($o) { }
    public static function XmlAttributeEncode($o) { }
}
In addition, I have completed a basic anti-CSRF class, which will defeat
some but not all forced browsing attacks.
/*
 * Usage:
 *
 * require_once('owasp.csrfguard.php');
 * $cg = new csrfGuard();
 *
 * In your HTML form, use this to get a hidden field:
 *
 * echo $cg;
 *
 * If you want the two values as an array, say if you
 * want to put or store it elsewhere, do this:
 *
 * $myArray = $cg->getToken(csrfGuard::RAWFORM);
 *
 * Before processing the resulting submission, do this:
 *
 * try
 * {
 *     $cg->isValid();
 *     ... Your app's code goes here ...
 * }
 * catch (TokenException $e)
 * {
 *     // handle exception
 * }
 */
These will be up on the OWASP web site soon; sooner with some help! :)
Thanks,
Andrew
--
pdp (architect) | petko d. petkov
http://www.gnucitizen.org
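The DOM-based XSS case pdp describes above, as an added example that is not part of the original thread or of Andrew's library: the greeting name comes from the URL fragment, which never reaches the server, so only the page's own JavaScript can encode it. Function names and the fragment values are assumptions.

```javascript
// Added example, not code from the thread. Assumed: a page that greets the
// visitor by a name carried in location.hash. The hash values used in the
// comments and tests are constructed.

// Encode the five characters that change meaning inside HTML text or a
// quoted attribute value; everything else passes through unchanged.
function htmlEncode(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Pull the name out of a location.hash value. decodeURIComponent throws a
// URIError on a malformed escape such as "%E0%A4%A", so treat that as empty
// input instead of letting the page script die on a bad URL.
function nameFromHash(hash) {
  const raw = hash.startsWith('#') ? hash.slice(1) : hash;
  try {
    return decodeURIComponent(raw);
  } catch (e) {
    if (e instanceof URIError) return '';
    throw e;
  }
}

// Vulnerable form: the fragment is concatenated straight into markup, so any
// tag it carries becomes part of the DOM once this string is assigned to
// innerHTML. No server-side filter ever saw this value.
function greetingHtmlUnsafe(hash) {
  return '<p>Hello, ' + nameFromHash(hash) + '</p>';
}

// Hardened form: identical data flow, but the value is encoded for the HTML
// text context right before it enters the markup.
function greetingHtmlSafe(hash) {
  return '<p>Hello, ' + htmlEncode(nameFromHash(hash)) + '</p>';
}

// In the browser the hardened path would be used as:
//   document.getElementById('greeting').innerHTML = greetingHtmlSafe(location.hash);
// or, better, by never building markup from the value at all:
//   document.getElementById('greeting').textContent =
//       'Hello, ' + nameFromHash(location.hash);
```

A review of client-side code for this bug is a search for sources (location, document.cookie, document.referrer, XHR responses) that reach sinks (innerHTML, document.write, eval) without passing through an encoder like htmlEncode on the way.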
----------------------------------------------------------------------------
The Web Security Mailing List:
http://www.webappsec.org/lists/websecurity/
The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
Brought to you by http://www.webappsec.org