[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [WEB SECURITY] Nice little XSS trick

From: Bil Corry <bil@xxxxxxxxx>
Subject: Re: [WEB SECURITY] Nice little XSS trick
Date: Tue, 15 Jul 2008 18:12:36 -0500

White, Dain P wrote on 7/15/2008 3:34 PM:

Normally (for me) this involves a whitelist of accepted tags, and a blacklist that scours the content for Bad Things, via regex. In my particular case, this XSS wouldn't work, because the vector isn't in my whitelist and would be removed - but not everyone uses this sort of hybrid "greylist" approach - they rely on a blacklist that is looking for "script" - and in that case, this sort of attack is certainly a Bad Thing.


You might be interested in this:

	<http://htmlpurifier.org/>

And this is a pretty good read on the topic:

	<http://www.gnucitizen.org/blog/bulletproof-rich-content-filters>

Personally, I avoid allowing users to submit HTML.


- Bil


----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: http://www.webappsec.org/lists/websecurity/archive/

Subscribe via RSS: http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA

References:
- [WEB SECURITY] Nice little XSS trick
  - From: Amit Klein
- RE: [WEB SECURITY] Nice little XSS trick
  - From: Gabriel Kälin
- RE: [WEB SECURITY] Nice little XSS trick
  - From: White, Dain P

Prev by Date: [WEB SECURITY] Re: [Webappsec] Corsaire whitepaper: Breaking the Bank (Vulnerabilities in Numeric Processing within Financial Applications)
Next by Date: [WEB SECURITY] Re: [Webappsec] Corsaire whitepaper: Breaking the Bank (Vulnerabilities in Numeric Processing within Financial Applications)
Previous by thread: RE: [WEB SECURITY] Nice little XSS trick
Next by thread: Re: [WEB SECURITY] Nice little XSS trick
Index(es):
- Date
- Thread

Brought to you by http://www.webappsec.org
Search this site