[WEB SECURITY] Re: [Webappsec] [WEB SECURITY] xss filter to protect from xss attacks
- From: anurag.agarwal@xxxxxxxxx
- Subject: [WEB SECURITY] Re: [Webappsec] [WEB SECURITY] xss filter to protect from xss attacks
- Date: Tue, 23 Jan 2007 15:27:06 -0800 (PST)
celf -

I think I did not convey my message properly. I was trying to demonstrate a PoC for validating input on a regular website (which does not take html tags or urls, etc. as input). Let's take an example of a regular e-commerce website. That website is vulnerable to XSS because it is not doing proper input validation. In my PoC I merely tried to demonstrate that a simple filter like that could fix 9 out of 10 xss holes. Of course a website can add or delete to those filters mentioned in the code or change the replacement character.

I agree with you that html encoding during output is an additional check and will definitely help, and I will add that approach to this PoC too.

The other thing I want to mention here is that I used blacklist filtering because in my discussion with a lot of architects, they are ok with filtering known bad characters (including encoded representations) but they do not want to eliminate unknown bad characters. Their argument is "Though this approach may possibly become vulnerable when a character not in this list can potentially be used maliciously, we don't want to compromise on functionality for a vulnerability which may not be identified for the next 5 years". To a certain extent I agree with them too.

Cheers,

Anurag Agarwal

SEEC - An application security search engine
Web: www.attacklabs.com , www.myappsecurity.com
Email : anurag.agarwal@yahoo.com
Blog : http://myappsecurity.blogspot.com


----- Original Message ----
From: celf <celf@cudge.org>
To: WASC Forum <websecurity@webappsec.org>; "webappsec @OWASP" <webappsec@lists.owasp.org>
Sent: Tuesday, January 23, 2007 12:51:26 PM
Subject: Re: [Webappsec] [WEB SECURITY] xss filter to protect from xss attacks

[sorry for the double posting]

Again,

This is not a problem if you don't "strip" or "filter" input. Just do it
right on the way out. Now, I'd never recommend leaving out input
validation, but if you're just doing HTML output, then HTML entity
encoding will prevent XSS, and it's way easier than blacklist filtering,
which hoses the incoming data.

A simple proof:

    <%
    ' stupid trivial asp example
    dim strInput
    strInput=server.htmlencode(trim(request.form("in")))
    %>
    <html>
    <form name="f" action="" method="post">
    Try to run script in this:<br> <textarea name="in"
    rows="5" cols="80"><%=strInput%></textarea>
    <br><input type="submit">
    </form>
    You entered: <%=strInput%>
    </html>

The example above does not account for a bunch of stuff. It is only to
show that even fundamental, built-in HTML encoding will go a long way.
And, no input validation is used whatsoever. Again, not safe for all
cases, just an example to illustrate a point that input "filtering" aka
"stripping characters" isn't the way to do output.

-c

anurag.agarwal@yahoo.com wrote:
> Dinis -
>
> Thanks for your input. I know I am applying a blacklist filter but in my
> experience I have seen many of the architects don't want to just look for
> the right characters. To them it limits their options. For example if
> & is not in my whitelist of characters then the customer cannot enter
> his company name as A&A industries. So, as much as I favor not using
> the blacklisting approach, industry still wants it. The characters I am
> filtering cover most of the bases either individually or in combination.
>
> To reply to your code example -
>
> 1. Normally in most of the sites you wouldn't allow an external user to
> enter a url for your website.
> 2. Let's say you allow the user to input a url which is internal to a
> website; just filter "http://" and replace it with "/".
> 3. If you want the user to input an external url then filter for space
> in addition to the filter mentioned in the code (just a quick thought).
> 4. If you want spaces too in the url then you have to develop your own
> filter.
>
> As I mentioned before, the code I demonstrated is not for the
> websites (blogs, forums, etc.) which require these special input
> characters but for those which don't, and the majority of the websites
> don't require these as an input.
>
> Cheers,
>
> Anurag Agarwal
>
> SEEC - An application security search engine <http://www.myappsecurity.com/>
> Web: www.attacklabs.com <http://www.attacklabs.com/> ,
> www.myappsecurity.com <http://www.myappsecurity.com/>
> Email : anurag.agarwal@yahoo.com <mailto:anurag.agarwal@yahoo.com>
> Blog : http://myappsecurity.blogspot.com <http://myappsecurity.blogspot.com/>
>
>
> ----- Original Message ----
> From: Dinis Cruz <dinis@ddplus.net>
> To: Anurag Agarwal <anurag.agarwal@yahoo.com>
> Cc: WASC Forum <websecurity@webappsec.org>; "webappsec @OWASP"
> <webappsec@lists.owasp.org>; Andrew van der Stock <vanderaj@owasp.org>;
> Jeff Williams <jeff.williams@owasp.org>
> Sent: Tuesday, January 23, 2007 7:46:33 AM
> Subject: Re: [WEB SECURITY] xss filter to protect from xss attacks
>
> This is a good but dangerous effort; the problem in this example is
> that Anurag is applying a blackList filter and is only protecting
> against one case of xss.
>
> Here is the original code:
>
>     String html = request.getParameter("html");
>     out.println("Here is the filtered output of the html you submitted.");
>     out.println(filterRequest(html));
>
> And if I change it to:
>
>     String html = "<a href='" + filterRequest(request.getParameter("url")) +
>         "'>XSS link</a>";
>     out.println("Here is the filtered output of the html you submitted.");
>     out.println(html);
>
> which is another example of using user input to create a link,
>
> the filter can be easily bypassed.
>
> 1) normal request:
> http://127.0.0.1:8080/servlets-examples/servlet/XSSFilter?url=nextServlet
>
> 2) already a type of XSS since this type of redirection should not be
> allowed:
> http://127.0.0.1:8080/servlets-examples/servlet/XSSFilter?url=http://www.google.com
>
> 3) and here is an XSS 101 payload:
> http://127.0.0.1:8080/servlets-examples/servlet/XSSFilter?url=nextPage'
> onmouseover='Javascript:alert(document.cookie)
> <http://127.0.0.1:8080/servlets-examples/servlet/XSSFilter?url=http://www.google.com%27%20onmouseover=%27Javascript:alert%28document.cookie%29>
>
> 4) or if you want to make sure the user cannot escape:
> http://127.0.0.1:8080/servlets-examples/servlet/XSSFilter?url=http://www.google.com'
> <http://127.0.0.1:8080/servlets-examples/servlet/XSSFilter?url=http://www.google.com%27>onmouseover='Javascript:alert(document.cookie)";
> style='display:block;position:absolute;left:0;right:0;width:100%25;height:100%25
> (thx pdp)
>
> 5) note that in example 4) above I could have used " in the payload since
> your filter will convert " to ' :
> http://127.0.0.1:8080/servlets-examples/servlet/XSSFilter?url=nextPage";
> onmouseover="Javascript:alert(document.cookie)
> <http://127.0.0.1:8080/servlets-examples/servlet/XSSFilter?url=http://www.google.com%27%20onmouseover=%27Javascript:alert%28document.cookie%29>
>
> 6) of course in this case you could always just do:
> http://127.0.0.1:8080/servlets-examples/servlet/XSSFilter?url=javascript:alert(document.cookie)
> <http://127.0.0.1:8080/servlets-examples/servlet/XSSFilter?url=javascript:alert%28document.cookie%29>
> :)
>
> 7) and even if you added ' to the filter (which might be a problem since
> in some cases you will need to accept it), it wouldn't cover this
> case:
>
>     String html = "<a href=" + filterRequest(
>         request.getParameter("url")) + ">XSS link</a>";
>
> 8) and let's not forget the XSS caused by double encoding or double
> decoding in the code
>
> I hope this shows how hard it is to properly mitigate against XSS and
> that in most cases white listing is the only safe option (and even in
> those cases XSS might occur).
>
> Another solution that is very rarely talked about is to by default encode
> EVERYthing sent to out.println and force the developers to use
> strong-typed html classes to create HTML tags.
>
> In the above example you would change
>
>     String html = "<a href='" + filterRequest(request.getParameter("url"))
>         + "'>XSS link</a>";
>     out.println(html);
>
> for
>
>     safeHtmlBuilder.a html =
>         safeHtmlBuilder.a(request.getParameter("html"), "XSS link")
>     safeHtml.out(html);
>
> Assuming of course that safeHtmlBuilder.a(...) was built properly
>
> Even better than encoding out.println would be to block the developer
> from invoking out.println directly (which could be enforced via ('Shock
> Horror!!!') the Java security manager (or in Partial Trust in .Net)).
>
> We would have a nice solution for XSS (and this is a good example of
> what I was talking about a while back on using Sandboxes to create
> environments where these types of vulnerabilities are very hard to exist)
>
> Dinis Cruz
> Chief OWASP Evangelist
> http://www.owasp.org <http://www.owasp.org/>
>
>
> On 1/23/07, *Anurag Agarwal* <anurag.agarwal@yahoo.com
> <mailto:anurag.agarwal@yahoo.com>> wrote:
>
>     I have created an xss filter to protect from xss attacks. Though I
>     have filtered only for 8 characters, I was able to test against
>     all the attacks mentioned in RSnake's cheat sheet. Appscan was
>     not able to detect any xss attacks on it. I request the application
>     security community to help test this filter. 90% I am sure that you
>     won't be able to perform any xss attack on it; the rest 10% I will
>     find out after the feedback from the community. For the curious
>     mind, it is written in java.
>
>     In case you are successful in performing an xss attack, please
>     do reply to this email with your name, browser and the xss attack
>     string.
>
>     url - http://www.attacklabs.com/xssfilter/
>
>     I appreciate your time and effort. Thanks a lot in advance
>
>     Cheers,
>
>     Anurag Agarwal
>
>     SEEC - An application security search engine
>     <http://www.myappsecurity.com/>
>     Web: www.attacklabs.com <http://www.attacklabs.com/> ,
>     www.myappsecurity.com <http://www.myappsecurity.com/>
>     Email : anurag.agarwal@yahoo.com <mailto:anurag.agarwal@yahoo.com>
>     Blog : http://myappsecurity.blogspot.com
>     <http://myappsecurity.blogspot.com/>
>
> --
>
> ----------------------------------------------------------------------
>
> _______________________________________________
> Webappsec mailing list
> Webappsec@lists.owasp.org
> http://lists.owasp.org/mailman/listinfo/webappsec

_______________________________________________
Webappsec mailing list
Webappsec@lists.owasp.org
http://lists.owasp.org/mailman/listinfo/webappsec
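The thread contrasts Anurag's blacklist filter with celf's encode-on-output and Dinis's "safeHtmlBuilder" idea. The following is an added example, not code from any of the posters: a minimal strongly-typed anchor builder that encodes for the output context and allow-lists the link target, fed the same request values Dinis quotes. The class and method names (SafeHtml, encode, isSafeHref, a) are hypothetical.

```java
import java.util.Locale;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added example (hypothetical names, not the thread's filter). Untrusted input
// is never "stripped"; it is encoded for the exact output context on the way
// out, and link targets are checked against an allow-list, not a blacklist.
public final class SafeHtml {

    // Schemes an absolute URL may use. Make this set empty to allow only
    // site-relative paths, which is what the thread suggests for a typical
    // e-commerce site (Dinis's case 2, the redirect to google.com).
    private static final Set<String> ALLOWED_SCHEMES = Set.of("http", "https");

    // RFC 3986 scheme: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) ":"
    private static final Pattern SCHEME = Pattern.compile("^([a-zA-Z][a-zA-Z0-9+.-]*):");

    // Encode the five HTML metacharacters. One routine serves both text nodes
    // and attribute values, provided every attribute we emit is double-quoted.
    public static String encode(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Allow-list check for a link target. Control characters are rejected
    // outright because browsers drop tab/CR/LF before parsing a URL, so a
    // scheme split by a tab would otherwise look like a harmless relative path.
    public static boolean isSafeHref(String href) {
        for (int i = 0; i < href.length(); i++) {
            char c = href.charAt(i);
            if (c < 0x20 || c == 0x7F) return false;
        }
        Matcher m = SCHEME.matcher(href);
        if (m.find()) {
            // Absolute URL: only the allow-listed schemes pass; "javascript:"
            // (Dinis's case 6) and anything unknown fail here.
            return ALLOWED_SCHEMES.contains(m.group(1).toLowerCase(Locale.ROOT));
        }
        // No scheme, so a relative reference. Reject protocol-relative forms
        // ("//host", "/\host"), which browsers resolve to another site.
        return !(href.startsWith("//") || href.startsWith("/\\"));
    }

    // Build an anchor. The href is validated, then attribute-encoded inside
    // double quotes (so the unquoted-attribute problem of Dinis's case 7
    // cannot arise); the link text is text-encoded. A rejected href degrades
    // to "#" instead of being repaired by stripping characters.
    public static String a(String href, String text) {
        String target = isSafeHref(href) ? href : "#";
        return "<a href=\"" + encode(target) + "\">" + encode(text) + "</a>";
    }

    public static void main(String[] args) {
        // Constructed inputs modelled on the url= values quoted in the thread.
        String[] inputs = {
            "nextServlet",
            "nextPage' onmouseover='Javascript:alert(document.cookie)",
            "nextPage\" onmouseover=\"Javascript:alert(document.cookie)",
            "javascript:alert(document.cookie)",
            "http://www.google.com",
        };
        for (String in : inputs) {
            System.out.println(a(in, "XSS link"));
        }
    }
}
```

The quote-based payloads survive unchanged as data but land inside a double-quoted, encoded attribute, so they are just odd relative URLs; only the javascript: case is rejected, and narrowing ALLOWED_SCHEMES also stops the external redirect.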