
RE: [WEB SECURITY] Nice little XSS trick



Yeah, how would they? WAFs cannot decide whether a particular HTML or script sequence is injected or generated by the web application, unless they've detected that HTML sequence during request filtering, i.e. whitelist/blacklist filtering.

On the other hand and to stick to the current case, WAFs could well focus on the attack you described and prohibit BASE HREFs that point to an unknown site. In a more general sense, WAFs could scan responses for XS-URLs and mark/remove/modify them. That's the best "output encoding" I can currently imagine application independent WAFs could do.


Gabe

> -----Original Message-----
> From: Amit Klein [mailto:aksecurity@xxxxxxxxx] 
> Sent: Wednesday, July 16, 2008 6:58 AM
> To: James Landis
> Cc: Gabriel Kälin; Web Security
> Subject: Re: [WEB SECURITY] Nice little XSS trick
> 
> James Landis wrote:
> > A good XSS filter DOES output encoding. :P
> >
> >   
> 
> WAFs don't, AFAIK.
> 
> -Amit
> 

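The response-side check Gabe sketches above (refuse a `<base href>` that points at a host the application does not own) can be expressed as a small output filter. The following Python is an added example for this thread, not code from any list member or from a real WAF product; the allow-list, function names and the sample HTML response are all constructed for illustration. It parses the response with an HTML-aware parser rather than a regex, classifies each `<base href>` (relative, same-host, scheme-relative, absolute off-site, or a non-http scheme), and either reports or strips the offending tag.

```python
"""Response-side scan for a <base href> that points off-site.

Added example (hypothetical names, constructed sample data): an output filter
in the spirit of the WAF idea discussed above.  It does not attempt to judge
whether the tag was injected; it only asks whether the base URL stays on an
allowed host, which is the check a generic, application-independent WAF can make.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit


class _BaseTagCollector(HTMLParser):
    """Collects every <base> tag's raw text and its href attribute.

    HTMLParser also routes self-closing '<base .../>' through handle_starttag,
    so both spellings of the void element are caught.
    """

    def __init__(self):
        super().__init__()
        self.bases = []  # list of (raw_tag_text, href_or_None)

    def handle_starttag(self, tag, attrs):
        if tag == "base":
            href = dict(attrs).get("href")
            self.bases.append((self.get_starttag_text(), href))


def base_href_is_offsite(href, allowed_hosts):
    """True if href would move the document base to a host outside allowed_hosts.

    Relative hrefs (no scheme, no netloc) keep the base on the serving host and
    are allowed.  Scheme-relative '//host/' and absolute 'http(s)://host/' are
    checked against the allow-list.  Any other scheme (javascript:, data:, ...)
    never resolves to an allowed host and is treated as off-site.
    """
    if href is None:
        return False
    parts = urlsplit(href.strip())
    if not parts.netloc and not parts.scheme:
        return False  # relative URL: stays on the serving host
    if parts.scheme not in ("", "http", "https"):
        return True
    host = (parts.hostname or "").lower()
    return host not in {h.lower() for h in allowed_hosts}


def scan_response(body, allowed_hosts):
    """Return the offending <base href> values found in an HTML response body."""
    parser = _BaseTagCollector()
    parser.feed(body)
    parser.close()
    return [href for _raw, href in parser.bases
            if base_href_is_offsite(href, allowed_hosts)]


def neutralize_response(body, allowed_hosts):
    """Strip offending <base> tags; return (new_body, removed_hrefs).

    Whole-tag removal rather than rewriting: an application that legitimately
    sets <base> points it at one of its own hosts, so anything else is either
    injected or a misconfiguration worth surfacing in the WAF log.
    """
    parser = _BaseTagCollector()
    parser.feed(body)
    parser.close()
    removed = []
    for raw, href in parser.bases:
        if base_href_is_offsite(href, allowed_hosts):
            body = body.replace(raw, "", 1)  # raw is the exact tag text as served
            removed.append(href)
    return body, removed


# Constructed sample: a page whose <head> carries an off-site <base>.
SAMPLE_RESPONSE = """<html><head>
<base href="https://attacker.example/">
<title>Profile</title>
<script src="js/app.js"></script>
</head><body>Hello</body></html>"""

# Hypothetical allow-list: hosts the application is known to serve from.
ALLOWED_HOSTS = {"www.example.com", "static.example.com"}

if __name__ == "__main__":
    clean, removed = neutralize_response(SAMPLE_RESPONSE, ALLOWED_HOSTS)
    print("removed base hrefs:", removed)
    print(clean)
```

In the sample the relative `js/app.js` script would have resolved against `attacker.example` had the tag survived, which is the behaviour the filter prevents. The parser sees the markup the way a tokenizer does, not exactly the way every browser's error recovery does, so this belongs on the detection/logging side of a WAF with the application's own output encoding still in place.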
----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/archive/

Subscribe via RSS:
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA


