Re: [WEB SECURITY] XSS/injection/... evading technique
- From: Jon McClintock <jammer@xxxxxxxx>
- Subject: Re: [WEB SECURITY] XSS/injection/... evading technique
- Date: Thu, 24 Jul 2008 13:59:27 -0700
On Thu, Jul 24, 2008 at 01:35:02PM -0700, Arian J. Evans wrote:
> On Thu, Jul 24, 2008 at 10:19 AM, Jon McClintock <jammer@weak.org> wrote:
> > This is a challenging problem to solve, and you're not going to be able
> > to address it with any pattern-based engine. To do it properly, you need
> > to actually parse the input in the same manner that it will be consumed.
>
> Why? Please support this contention.
>
> I see a p@/**<!-->**/attern here. Or two. Or three.
Nesting, linearity, unintended consequences. One consumer's perfectly
valid string is dangerous and unsafe in another.
output="sc/*";benign=true;foo="*/ript";
Your WAF doesn't know all of the contexts the data will be used in. If
you blindly remove all things that look like comments in all
environments, you're going to break a lot of cases where something that
looks like a comment is a valid input.
message="Meet me@noon"
The dumber and more broad-reaching a WAF filter is, the more likely it
is to cause problems with false positives, and subsequently be turned
off.
> > Further, you'd be best served by using the same parsing engine that your
> > application is using, otherwise you'll likely run into edge cases.
>
> Why? We do not need to successfully execute the code or interpret it
> to block it.
You don't need to execute it, but you certainly need to parse it to
determine what will actually be interpreted as a comment and what
won't.
> > For XML data, this is straightforward, as most WAFs implement XML
> > validation, translation and filtering. For things like JavaScript or
> > (worse) ColdFusion, you're running far beyond the bounds of what a
> > WAF's parser can reasonably implement.
>
> Why?
>
> And how is ColdFusion worse than Javascript in terms of WAF-able
> issues? You lost me on that last bit.
ColdFusion comments are identical to HTML comments. Which are often
legitimate (for example, they're used to wrap JSON objects).
-Jon
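Added illustration of the point Jon makes above (example code written for this page, not part of the thread): a context-unaware comment filter run over his `output="sc/*";benign=true;foo="*/ript";` line collapses two harmless string literals into one, while a filter that first tracks string-literal state, the way a JavaScript consumer would, leaves them alone and only removes real comments. The tokenizer below covers only strings, block comments and line comments; it is a demonstration, not a full JavaScript parser.

```javascript
// Added example (not from the thread): the naive filter strips every
// "/* ... */" span it sees, with no idea whether the span sits inside a
// string literal; the tokenizing filter tracks string state first and
// only then recognises comments, which is the "parse it the way the
// consumer will" argument from the mail.

// Naive WAF-style filter: regex comment removal, no notion of context.
function naiveStripComments(src) {
  return src.replace(/\/\*[\s\S]*?\*\//g, '');
}

// Context-aware filter for a small JavaScript-like grammar: string literals
// ('...' and "..." with backslash escapes), block comments and line comments.
// Strings are copied verbatim; only real comments are dropped.
function tokenStripComments(src) {
  let out = '';
  let i = 0;
  while (i < src.length) {
    const c = src[i];
    if (c === '"' || c === "'") {            // string literal: copy up to the closing quote
      const quote = c;
      let j = i + 1;
      while (j < src.length && src[j] !== quote) {
        if (src[j] === '\\') j++;            // skip the escaped character
        j++;
      }
      out += src.slice(i, j + 1);
      i = j + 1;
    } else if (src.startsWith('/*', i)) {    // block comment: drop it
      const end = src.indexOf('*/', i + 2);
      i = end === -1 ? src.length : end + 2;
    } else if (src.startsWith('//', i)) {    // line comment: drop to end of line
      const end = src.indexOf('\n', i);
      i = end === -1 ? src.length : end;
    } else {
      out += c;
      i++;
    }
  }
  return out;
}

// The statement from the mail: two benign string literals that only become
// "script" if a filter removes the text between them.
const SAMPLE = 'output="sc/*";benign=true;foo="*/ript";';
```

Running both filters over `SAMPLE` shows the naive one emit `output="script";` while the tokenizing one returns the input unchanged, and only the tokenizing one still removes a genuine `/* note */` outside a string.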
Brought to you by http://www.webappsec.org