
[WEB SECURITY] XSS/injection/... evading technique



Hello,

I was thinking about an evasion technique for command/SQL/SSI injection, XSS, etc., and I wonder how to avoid this.

The (known) problem: several languages accept comments in the middle of a command
Ex:
- MySQL & SQL Server accept C-style comments: /* ... */
- Javascript accepts C++-style comments: // ...
- Perl, PHP accept # ...
- SQL Server accepts -- ...
- Coldfusion accepts <!-- ... -->
This allows embedding a comment in the middle of a multiple-word command (sometimes, although not often, even in the middle of a word) to evade detection.


Let's use C-style comments as example.
If I want to block "foo bar", it can easily be evaded as "foo /*...*/ bar".
We could remove comments; this is standard with most WAFs; this solves the above problem, but it could in fact be worse!
What about the following line:
a="/*"; here is a command that should be blocked; a="*/";
Because WAF and IDS use regex/string patterns and do not understand the real syntax, the complete command will be ignored.
Note that even a single word pattern will be evaded.
And we can obviously mix both:
a="/*"; here is a command that /*...*/ should be blocked; a="*/";


Any idea on how to solve that at a WAF/IDS level?
What mitigation technique could be used ?

Note that Coldfusion comments are also very difficult to remove, as this would also remove real HTML comments. This leaves the door open to a combination of Coldfusion and Javascript XSS attack.

Nick
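As an added illustration of the failure mode Nick describes (this is example code written for this archive page, not something from the post or from any WAF product), the Python below matches a single pattern against three "views" of an input: the raw text, the text after a naive comment strip, and the text after a strip that first tokenizes quoted string literals. The block pattern `foo bar`, the sample inputs, and the quoting rules are constructed for the demonstration; the string-literal rules are those of a C/JavaScript-like lexer and are an assumption, not a model of any particular backend.

```python
import re

# Constructed sample inputs, built from the post's own illustrations.
SAMPLES = {
    "plain": "foo bar",
    "comment_split": "foo /*...*/ bar",
    "string_wrapped": 'a="/*"; foo bar; a="*/";',
    "mixed": 'a="/*"; foo /*...*/ bar; a="*/";',
}

# The (constructed) signature a WAF would be trying to block.
BLOCK_PATTERN = re.compile(r"\bfoo\s+bar\b")


def strip_comments_naive(s):
    """Drop /* ... */ spans with no regard for string literals.

    This is the normalization the post attributes to typical WAFs: a
    comment opener inside a quoted string swallows everything up to the
    next closer, so the real command between the two strings vanishes.
    """
    return re.sub(r"/\*.*?\*/", " ", s, flags=re.S)


def strip_comments_aware(s):
    """Drop /* ... */ spans only when they occur outside quoted strings.

    Assumes C/JavaScript-style double- or single-quoted literals with
    backslash escapes; other languages (SQL's doubled quotes, '--' or '#'
    line comments) would need their own lexer rules.
    """
    out = []
    i, n = 0, len(s)
    quote = None  # the quote character we are currently inside, if any
    while i < n:
        c = s[i]
        if quote:
            out.append(c)
            if c == "\\" and i + 1 < n:      # keep escaped char verbatim
                out.append(s[i + 1])
                i += 2
                continue
            if c == quote:                    # closing quote ends literal
                quote = None
            i += 1
        elif c in "\"'":
            quote = c
            out.append(c)
            i += 1
        elif s.startswith("/*", i):
            end = s.find("*/", i + 2)
            if end == -1:
                break                         # unterminated: rest is comment
            out.append(" ")                   # replace comment with a space
            i = end + 2
        else:
            out.append(c)
            i += 1
    return "".join(out)


def views(s):
    """All normalized forms a detector should inspect, keyed by name."""
    return {
        "raw": s,
        "naive": strip_comments_naive(s),
        "aware": strip_comments_aware(s),
    }


def match_report(s):
    """Which views of the input the block pattern fires on."""
    return {name: bool(BLOCK_PATTERN.search(v)) for name, v in views(s).items()}


def matches_any_view(s):
    """Decision rule: alert if the pattern fires on any view at all."""
    return any(match_report(s).values())


if __name__ == "__main__":
    for name, sample in SAMPLES.items():
        print(f"{name:15} {match_report(sample)}")
```

Run it and the `mixed` input shows the point of the post: the raw text does not match (the comment splits the words), the naive strip does not match either (the quoted `/*` ate the command), and only the quote-aware strip recovers `foo bar`. The defensive takeaway is twofold: a normalizer is only as correct as its model of the backend's lexer, so it has to be chosen per protected language, and matching every view rather than replacing the input with one normalized form means a normalization bug can at worst add false positives, not hide the payload.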


Brought to you by http://www.webappsec.org