Re: [WEB SECURITY] XSS/injection/... evading technique
- From: Jon McClintock <jammer@xxxxxxxx>
- Subject: Re: [WEB SECURITY] XSS/injection/... evading technique
- Date: Thu, 24 Jul 2008 10:19:52 -0700
On Thu, Jul 24, 2008 at 10:14:32AM +0200, Nick Gearls wrote:
> Any idea on how to solve that at a WAF/IDS level?
> What mitigation technique could be used?
This is a challenging problem to solve, and you're not going to be able
to address it with any pattern-based engine. To do it properly, you need
to actually parse the input in the same manner that it will be consumed.
Further, you'd be best served by using the same parsing engine that your
application is using; otherwise you'll likely run into edge cases.
For XML data, this is straightforward, as most WAFs implement XML
validation, translation and filtering. For things like JavaScript or
(worse) ColdFusion, you're running far beyond the bounds of what a
WAF's parser can reasonably implement.
-Jon
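As an added illustration of Jon's point (not code from the thread or the list), the following compares a substring/pattern check with a detector built on Python's `html.parser`, which tokenizes markup roughly the way a browser does. The sample inputs are constructed for the example; the point is that the parser-based check agrees with the consumer in both directions, while the pattern check misses non-canonical spellings and flags markup that a browser would never execute (a comment).

```python
import re
from html.parser import HTMLParser

# Constructed sample inputs for the example (not from the thread).
SAMPLES = {
    "plain":      "<p>hello</p>",
    "canonical":  "<script>alert(1)</script>",
    "mixedcase":  "<ScRiPt>alert(1)</ScRiPt>",
    "attr_space": "<img src=x onerror = alert(1)>",
    "commented":  "<!-- <script>alert(1)</script> -->",
}

# Pattern-based check: literal substrings a signature engine might use.
PATTERNS = [re.compile(r"<script>"), re.compile(r"onerror=")]

def pattern_flags(html: str) -> bool:
    return any(p.search(html) for p in PATTERNS)

class ActiveContentDetector(HTMLParser):
    """Flags script elements and on* event-handler attributes as the
    tokenizer sees them: tag and attribute names are lower-cased and
    whitespace around '=' is tolerated, and comments are not tags."""
    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.hits.append(("script", None))
        for name, _value in attrs:
            if name.startswith("on"):
                self.hits.append(("handler", name))

    handle_startendtag = handle_starttag  # <img ... /> is a start tag too

def parser_flags(html: str) -> bool:
    detector = ActiveContentDetector()
    detector.feed(html)
    detector.close()
    return bool(detector.hits)

def compare(samples=SAMPLES):
    """Return {name: (pattern_result, parser_result)} for each sample."""
    return {k: (pattern_flags(v), parser_flags(v)) for k, v in samples.items()}

if __name__ == "__main__":
    for name, (pat, par) in compare().items():
        print(f"{name:11} pattern={pat!s:5} parser={par}")
```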
Brought to you by http://www.webappsec.org