
Re: [WEB SECURITY] Cross Site Scripting




Agree...
1. input validation
2. Output encoding if we have to accept malicious characters (that's a real
problem for social network web sites - too large an acceptable range of
characters)
3. Blacklist...

From experience, the advantage of a blacklist is not protection against XSS (we
can bypass this kind of filter easily) BUT don't minimise the advantage of
blacklisting...
Blacklisting is a very powerful detection system... Often hackers try
patterns before finding an issue...
We can expect that the blacklist can detect some issues.
You will be alerted that you are under attack within a few days...

2007/9/20, Hoffman, Billy <billy.hoffman@hp.com>:
>
>  No no no no  NO!
>
>
>
> Sergii is describing black list input validation. This is **not** a good
> solution to securing a web application (though I suppose it is better than
> nothing at all). <img src=. onerror=alert('xss')> will bypass the filter for
> <script> and still allow code execution. And that's the problem with
> blacklists, they attempt to define everything that is bad. The problem is
> this list is very large and changes every time someone figures out a new way
> to do something bad. This is why magic quotes is not a defense against SQL
> injection because you can perform SQL injection without needing to use a
> single quote.
>
>
>
> Inputs in web application should be validated using white list input
> validation. For example, if an input is a US ZIP code, your web application
> should only accept inputs that are 5 digits long (or perhaps, 5 digits
> followed by a dash, followed by 4 digits)
>
>
>
> Recently I've been trying to think of a better way for the average Joe to
> understand Blacklists/whitelist. I used to talk about metal detectors at
> airports, and how they are a blacklist for metal. As soon as terrorists
> decide they can use ceramic knives, your metal detector stops working.
> Unfortunately this analogy freaks people out, and I really don't have a good
> real-world equivalent for whitelist input validation. Do you just get naked
> at the airport? :)
>
>
>
> Please stop advising people to use blacklist input validation.
>
>
>
> Billy Hoffman
>
> --
>
> Lead Researcher, HP Security Labs
>
> HP Software
>
> Phone: 678-781-4845
>   ------------------------------
>
> *From:* Sergii Khomenko [mailto:sergey.khomenko@gmail.com]
> *Sent:* Thursday, September 20, 2007 10:45 AM
> *To:* 'Mad Unix'; websecurity@webappsec.org
> *Subject:* RE: [WEB SECURITY] Cross Site Scripting
>
>
>
> To reduce the risk and to prevent such an attack on your website, all form
> information that is entered, should be checked for html code like this
> <script>script code goes here</script>. Basically, your website should not
> accept any script code from anyone on the web and especially storing the
> code in the db and then outputting it to somebody else.
>
>
>
> When you add validation for your input fields, you can run free web
> vulnerability scanners like www.acunetix.com to see if you still have the
> vulns.
>
>
>
> Hope this helps.
>
>
>
> Sergii Khomenko
>
>
>   ------------------------------
>
> *From:* Mad Unix [mailto:madunix@gmail.com]
> *Sent:* Thursday, September 20, 2007 10:53 AM
> *To:* websecurity@webappsec.org
> *Subject:* [WEB SECURITY] Cross Site Scripting
>
>
>
> Our security consulting company discovered the following risk on our web
> server:
>
>
>
> Cross Site Scripting
> Risk: High
>
> Description of Vulnerability
>
> The Cross-Site Scripting attack is a privacy violation that allows an
> attacker to acquire a legitimate user's credentials and to impersonate that
> user when interacting with a specific website. The attack hinges on the fact
> that the web site contains a script that returns a user's input (usually a
> parameter value) in an HTML page, without first sanitizing the input. This
> allows an input consisting of JavaScript code to be executed by the browser
> when the script returns this input in the response page. As a result, it is
> possible to form links to the site where one of the parameters consists of
> malicious JavaScript code. This code will be executed (by a user's browser)
> in the site context, granting it access to cookies that the user has for the
> site, and other windows in the site through the user's browser.
>
>
>
>
>
> --------------
>
> Can anyone tell me more about this effect and how to observe and resolve
> this issue, since it is given as high risk.
>
> Thanks
>
>
>
> --
> madunix
>
> madunix@gmail.com
>
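The three positions taken in this thread (a blacklist that strips `<script>`, whitelist validation of a US ZIP code, and output encoding) side by side, as an added Python example that is not part of any of the original messages. The only inputs taken from the thread are the two payloads Billy Hoffman contrasts; the detection patterns, the ZIP regex, the sample strings and all function names are this example's own assumptions.

```python
import html
import re

# The two payloads quoted in the thread. Everything else below is constructed
# for this example.
SCRIPT_PAYLOAD = "<script>alert('xss')</script>"
IMG_PAYLOAD = "<img src=. onerror=alert('xss')>"


def blacklist_strip_script(value: str) -> str:
    """Naive blacklist filter: remove <script ...> and </script> tags only.

    This is the approach the thread argues against. It knows one 'bad'
    pattern, so any vector that does not use a script tag passes untouched.
    """
    return re.sub(r"(?is)<\s*/?\s*script\b[^>]*>", "", value)


# Illustrative (assumed) patterns for using a blacklist as a detector, the
# use the top reply argues is still worthwhile: log and alert, don't rely on it.
DETECTION_PATTERNS = {
    "script_tag": re.compile(r"(?i)<\s*script\b"),
    "event_handler": re.compile(r"(?i)\bon[a-z]+\s*="),
    "javascript_uri": re.compile(r"(?i)javascript\s*:"),
}


def blacklist_detect(value: str) -> list[str]:
    """Return the names of suspicious patterns present in the input.

    Meant to feed logging/alerting, not to decide whether input is safe:
    an empty list does not mean the value is harmless.
    """
    return [name for name, rx in DETECTION_PATTERNS.items() if rx.search(value)]


# Whitelist: exactly 5 digits, optionally a dash and 4 more digits.
US_ZIP_RE = re.compile(r"^[0-9]{5}(-[0-9]{4})?$")


def is_valid_us_zip(value: str) -> bool:
    """Whitelist validation: accept only the shapes a ZIP code can take."""
    return US_ZIP_RE.fullmatch(value) is not None


def encode_for_html(untrusted: str) -> str:
    """Output encoding for an HTML text node or quoted attribute value.

    Encodes &, <, >, " and ' so the browser cannot interpret the value as
    markup, whatever characters the application chose to accept.
    """
    return html.escape(untrusted, quote=True)


def render_comment(untrusted: str) -> str:
    """Emit a free-text field (where whitelisting is impractical) safely."""
    return "<p>" + encode_for_html(untrusted) + "</p>"


if __name__ == "__main__":
    for payload in (SCRIPT_PAYLOAD, IMG_PAYLOAD):
        print("blacklist filter ->", blacklist_strip_script(payload))
        print("blacklist detect ->", blacklist_detect(payload))
        print("output encoding  ->", render_comment(payload))
    for zip_code in ("30308", "30308-1234", "3030", IMG_PAYLOAD):
        print(repr(zip_code), "valid ZIP:", is_valid_us_zip(zip_code))
```

The filter strips the `<script>` payload but returns the `<img ... onerror=...>` payload unchanged, which is the bypass the thread describes; the detector still flags it, so it earns its keep as an alarm. `html.escape` neutralises both because it encodes the characters a browser needs to start markup, which is why it works for free-text fields where a whitelist would reject legitimate input. It is the right encoding only for HTML text and quoted attribute values; a value placed inside a script block, a URL or CSS needs the encoding for that context.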




Brought to you by http://www.webappsec.org