Re: [WEB SECURITY] XSS/injection/... evading technique
- From: "Arian J. Evans" <arian.evans@xxxxxxxxxxxxxx>
- Subject: Re: [WEB SECURITY] XSS/injection/... evading technique
- Date: Thu, 24 Jul 2008 13:35:02 -0700
These are valid filter-evasion techniques. Many of us already use these today.
RSnake put some notes about this related to .NET filter evasions
somewhere on his site.
On Thu, Jul 24, 2008 at 10:19 AM, Jon McClintock <jammer@xxxxxxxx> wrote:
> On Thu, Jul 24, 2008 at 10:14:32AM +0200, Nick Gearls wrote:
>> Any idea on how to solve that at a WAF/IDS level ?
>> What mitigation technique could be used ?
>
> This is a challenging problem to solve, and you're not going to be able
> to address it with any pattern-based engine. To do it properly, you need
> to actually parse the input in the same manner that it will be consumed.
Why? Please support this contention.
I see a p@/**<!-->**/attern here. Or two. Or three.
> Further, you'd be best served by using the same parsing engine that your
> application is using, otherwise you'll likely run into edge cases.
Why? We do not need to successfully execute the code or interpret it
to block it.
> For XML data, this is straightforward, as most WAFs implement XML
> validation, translation and filtering. For things like JavaScript or
> (worse) ColdFusion, you're running far beyond the bounds of what a
> WAF's parser can reasonably implement.
Why?
And how is ColdFusion worse than JavaScript in terms of WAF-able
issues? You lost me on that last bit.
Do you mean in terms of server-side code execution?
--
Arian J. Evans.
Software. Security. Stuff.
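The disagreement above is about whether a pattern-based engine can catch evasions like the comment-spliced "p@/**<!-->**/attern" Arian quotes. The block below is an added illustration (not code from the thread, from Arian, or from Jon): a normalizing pre-filter that strips C-style and HTML comment sequences before running a plain keyword match, shown next to the same keyword match run on the raw input. The sample strings, the keyword list and the two comment syntaxes handled are all assumptions chosen for the example, not a real WAF ruleset.

```python
import re

# Constructed sample inputs (made up for this example, not taken from the thread).
SAMPLES = {
    "plain": "<script>alert(1)</script>",
    "sql_comment": "sel/**/ect * fr/**/om users",
    "html_comment": "sel<!---->ect name",
    "mixed": "pa/**<!-->**/ttern",
    "benign": "hello world",
}

# Keywords a naive signature would look for. Illustrative list only.
KEYWORDS = ("select", "union", "from", "script", "alert")

# Comment sequences an attacker can splice into a keyword. This is a
# hypothetical subset: only /* ... */ and <!-- ... --> are handled here.
_COMMENT_RE = re.compile(r"/\*.*?\*/|<!--.*?-->", re.DOTALL)


def normalize(s: str) -> str:
    """Remove comment sequences until the string stops changing.

    Repeating the pass matters: in 'se/<!---->*x*/lect' the HTML comment
    sits between '/' and '*', so only after it is removed does the C-style
    comment '/*x*/' exist to be stripped. A single pass would miss it.
    """
    prev = None
    while prev != s:
        prev = s
        s = _COMMENT_RE.sub("", s)
    return s


def find_keywords(s: str) -> list:
    """Case-insensitive substring scan over the string exactly as given."""
    low = s.lower()
    return sorted(k for k in KEYWORDS if k in low)


def detect_naive(s: str) -> list:
    """Signature match on the raw input: blind to spliced comments."""
    return find_keywords(s)


def detect_normalized(s: str) -> list:
    """Signature match after comment stripping: sees the rejoined keyword."""
    return find_keywords(normalize(s))


def compare(samples=SAMPLES) -> dict:
    """Return {name: (naive_hits, normalized_hits)} for every sample."""
    return {name: (detect_naive(v), detect_normalized(v)) for name, v in samples.items()}


if __name__ == "__main__":
    for name, (naive, normed) in compare().items():
        print(f"{name:12s} naive={naive} normalized={normed}")
```

The normalizer only knows the comment syntaxes it was taught. Anything the backend tolerates but this filter does not (MySQL's `/*! ... */` conditional comments, `--` and `#` line comments, HTML entity or URL encodings of the splice characters) passes through unseen, which is the gap Jon's "parse it the way it will be consumed" argument is pointing at; the pattern side of the argument is that each such gap is closed by adding one more normalization rule rather than by embedding the consumer's full parser.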
----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec
Have a question? Search The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/archive/
Subscribe via RSS:
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA
Brought to you by http://www.webappsec.org