Re: [WEB SECURITY] xss filter to protect from xss attacks
- From: anurag.agarwal@xxxxxxxxx
- Subject: Re: [WEB SECURITY] xss filter to protect from xss attacks
- Date: Tue, 23 Jan 2007 12:21:45 -0800 (PST)
Dinis -

Thanks for your input. I know I am applying a blacklist filter, but in my experience I have seen that many of the architects don't want to just look for the right characters. To them it limits their options. For example, if & is not in my whitelist of characters then a customer cannot enter his company name as A&A industries. So, as much as I favor not using a blacklisting approach, industry still wants it. The characters I am filtering cover most of the bases, either individually or in combination.

To reply to your code example -

1. Normally in most of the sites you wouldn't allow an external user to enter a URL for your website.
2. Let's say you allow the user to input a URL which is internal to the website: just filter "http://" and replace it with "/".
3. If you want the user to input an external URL then filter for space in addition to the filter mentioned in the code (just a quick thought).
4. If you want spaces too in the URL then you have to develop your own filter.

As I mentioned before, the code I demonstrated is not for the websites (blogs, forums, etc.) which require these special input characters but for those which don't, and the majority of websites don't require these as input.

Cheers,

Anurag Agarwal

SEEC - An application security search engine
Web: www.attacklabs.com , www.myappsecurity.com
Email : anurag.agarwal@yahoo.com
Blog : http://myappsecurity.blogspot.com


----- Original Message ----
From: Dinis Cruz <dinis@ddplus.net>
To: Anurag Agarwal <anurag.agarwal@yahoo.com>
Cc: WASC Forum <websecurity@webappsec.org>; "webappsec @OWASP" <webappsec@lists.owasp.org>; Andrew van der Stock <vanderaj@owasp.org>; Jeff Williams <jeff.williams@owasp.org>
Sent: Tuesday, January 23, 2007 7:46:33 AM
Subject: Re: [WEB SECURITY] xss filter to protect from xss attacks

This is a good but dangerous effort. The problem in this example is that Anurag is applying a blacklist filter and is only protecting against one case of XSS.

Here is the original code:

    String html = request.getParameter("html");
    out.println("Here is the filtered output of the html you submitted.");
    out.println(filterRequest(html));

And if I change it to:

    String html = "<a href='" + filterRequest(request.getParameter("url")) + "'>XSS link</a>";
    out.println("Here is the filtered output of the html you submitted.");
    out.println(html);

which is another example of using user input to create a link,

the filter can be easily bypassed.

1) normal request: http://127.0.0.1:8080/servlets-examples/servlet/XSSFilter?url=nextServlet

2) already a type of XSS, since this type of redirection should not be allowed: http://127.0.0.1:8080/servlets-examples/servlet/XSSFilter?url=http://www.google.com

3) and here is an XSS 101 payload: http://127.0.0.1:8080/servlets-examples/servlet/XSSFilter?url=nextPage' onmouseover='Javascript:alert(document.cookie)

4) or if you want to make sure the user cannot escape: http://127.0.0.1:8080/servlets-examples/servlet/XSSFilter?url=http://www.google.com' onmouseover='Javascript:alert(document.cookie)" style='display:block;position:absolute;left:0;right:0;width:100%25;height:100%25 (thx pdp)

5) note that in example 4) above I could have used " in the payload, since your filter will convert " to ' : http://127.0.0.1:8080/servlets-examples/servlet/XSSFilter?url=nextPage" onmouseover="Javascript:alert(document.cookie)

6) of course, in this case you could always just do: http://127.0.0.1:8080/servlets-examples/servlet/XSSFilter?url=javascript:alert(document.cookie) :)

7) and even if you added ' to the filter (which might be a problem, since in some cases you will need to accept it), it wouldn't cover this case:

    String html = "<a href=" + filterRequest(request.getParameter("url")) + ">XSS link</a>";

8) and let's not forget the XSS caused by double encoding or double decoding in the code.

I hope this shows how hard it is to properly mitigate against XSS and that in most cases whitelisting is the only safe option (and even in those cases XSS might occur).

Another solution that is very rarely talked about is to by default encode EVERYthing sent to out.println and force the developers to use strongly typed HTML classes to create HTML tags.

In the above example you would change

    String html = "<a href='" + filterRequest(request.getParameter("url")) + "'>XSS link</a>";
    out.println(html);

for

    safeHtmlBuilder.a html = safeHtmlBuilder.a(request.getParameter("html"), "XSS link");
    safeHtml.out(html);

assuming, of course, that safeHtmlBuilder.a(...) was built properly.

Even better than encoding out.println would be to block the developer from invoking out.println directly (which could be enforced via ('Shock Horror!!!') the Java security manager (or Partial Trust in .NET)).

We would have a nice solution for XSS (and this is a good example of what I was talking about a while back on using sandboxes to create environments where these types of vulnerabilities are very hard to exist).

Dinis Cruz
Chief OWASP Evangelist
http://www.owasp.org


On 1/23/07, Anurag Agarwal <anurag.agarwal@yahoo.com> wrote:
I have created an XSS filter to protect from XSS attacks. Though I have filtered only for 8 characters, I was able to test against all the attacks mentioned in RSnake's cheat sheet. AppScan was not able to detect any XSS attacks on it. I request the application security community to help test this filter. I am 90% sure that you won't be able to perform any XSS attack on it; the rest 10% I will find out after the feedback from the community. For the curious mind, it is written in Java.

In case you are successful in performing an XSS attack, please do reply to this email with your name, browser and the XSS attack string.

url - http://www.attacklabs.com/xssfilter/

I appreciate your time and effort. Thanks a lot in advance.

Cheers,

Anurag Agarwal

SEEC - An application security search engine
Web: www.attacklabs.com , www.myappsecurity.com
Email : anurag.agarwal@yahoo.com
Blog : http://myappsecurity.blogspot.com


--
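The exchange above turns on one point: a character blacklist applied to the input does not know which HTML context the value will land in, so a value that is harmless as text becomes an attribute break-out inside href='...' and a javascript: URL inside any href. The following is an added example written for this archive page; it is not code from either poster and it is not Anurag's filter (the thread says the real filter handles 8 characters and converts " to ', and `blacklist_filter` below is only a hypothetical reconstruction of that behaviour). It replays Dinis's payloads 3, 5 and 6 against the single-quoted href sink, parses the generated markup the way a browser would to show the injected attribute, and then shows the whitelist alternative he argues for: a `safe_url` check (relative URLs, or http(s) to an assumed `allowed_hosts` allowlist, everything else refused) feeding a small `build_link` builder in the spirit of his `safeHtmlBuilder.a(...)`, which always quotes and attribute-encodes the href and HTML-encodes the link text. Python is used so the example runs stand-alone; the servlet in the thread is Java.

```python
"""Attribute-context XSS against a blacklist filter, and a context-aware
link builder as the alternative.

Added example for this mailing-list page, not code from the thread.
blacklist_filter() is a hypothetical reconstruction of the behaviour the
thread describes (drops < and >, converts " to '); the real filter is
not reproduced on the page.
"""
import html
import re
from html.parser import HTMLParser
from typing import Dict, FrozenSet, Optional
from urllib.parse import urlsplit


def blacklist_filter(value: str) -> str:
    """Hypothetical blacklist filter: strips tag delimiters and, as the
    thread says the real one does, turns double quotes into single quotes."""
    return value.replace("<", "").replace(">", "").replace('"', "'")


def vulnerable_link(url: str) -> str:
    """Dinis's modified servlet: filtered input lands in a single-quoted href."""
    return "<a href='" + blacklist_filter(url) + "'>XSS link</a>"


class _FirstAnchor(HTMLParser):
    """Collects the attributes of the first <a> tag, as a browser would see them."""

    def __init__(self) -> None:
        super().__init__()
        self.attrs = None

    def handle_starttag(self, tag, attrs):
        if tag == "a" and self.attrs is None:
            self.attrs = dict(attrs)


def parse_anchor(markup: str) -> Dict[str, Optional[str]]:
    """Return the attribute map of the first <a> in markup ({} if none)."""
    parser = _FirstAnchor()
    parser.feed(markup)
    parser.close()
    return parser.attrs or {}


# --- Whitelist alternative: validate the URL, then encode for the context ---

_C0_AND_SPACE = "".join(chr(c) for c in range(0x21))


def safe_url(url: str, allowed_hosts: FrozenSet[str] = frozenset()) -> Optional[str]:
    """Return url if it is a same-site relative URL or an http(s) URL to an
    allowed host; None otherwise. Refuses javascript: and every other
    scheme, and the scheme-relative forms (//host, /\\host) that browsers
    resolve to another origin. allowed_hosts is an assumed allowlist."""
    # Browsers drop tab/newline anywhere and strip leading/trailing C0
    # controls and spaces before parsing, so 'java\tscript:' must not be
    # allowed through as a "relative" URL.
    url = re.sub(r"[\t\n\r]", "", url).strip(_C0_AND_SPACE)
    parts = urlsplit(url)
    if parts.scheme:
        if parts.scheme.lower() not in ("http", "https"):
            return None
        if parts.hostname is None or parts.hostname.lower() not in allowed_hosts:
            return None  # off-site redirect (Dinis's point 2) unless allowlisted
        return url
    if parts.netloc or re.match(r"^[/\\]{2}", url):
        return None  # scheme-relative URL, would leave the site
    return url


def build_link(url: str, text: str, allowed_hosts: FrozenSet[str] = frozenset()) -> str:
    """Minimal strongly typed anchor builder in the spirit of safeHtmlBuilder.a():
    the href is always double-quoted and attribute-encoded, the text is
    HTML-encoded, and the URL must pass safe_url(). Encoding happens once,
    here, at output time; the builder never decodes its input, so there is
    no second decode for a double-encoded payload to exploit."""
    checked = safe_url(url, allowed_hosts)
    if checked is None:
        raise ValueError("refusing to emit a link to a disallowed URL")
    return '<a href="%s">%s</a>' % (html.escape(checked, quote=True), html.escape(text))


if __name__ == "__main__":
    payload = "nextPage' onmouseover='javascript:alert(document.cookie)"
    print(vulnerable_link(payload), parse_anchor(vulnerable_link(payload)))
    print(build_link(payload, "XSS link"), parse_anchor(build_link(payload, "XSS link")))
    print(build_link("/companies?name=A%26A", "A&A industries"))
```

Run as a script it prints the two markup strings side by side: the blacklisted version has grown an onmouseover attribute, while the built version carries the whole payload inside a single href value. Note also the A&A case from the reply: the builder does not need & on any input whitelist, because it encodes the text at output time and the browser renders it as "A&A industries" anyway. Whether `allowed_hosts` should ever contain anything is a per-site decision; the thread's own point 2 is that most sites should not accept an off-site URL at all.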
Brought to you by http://www.webappsec.org