Full Disclosure mailing list archives

Re: [anti-XSS]about CERT/CC:malicious_code_mitigation


From: Valdis.Kletnieks () vt edu
Date: Mon, 09 Aug 2004 13:29:15 -0400

On Sat, 07 Aug 2004 06:25:00 -0000, bitlance winter said:

#! The first function takes the negative approach.
#! Use a list of bad characters to filter the data
sub FilterNeg {
    local( $fd ) = @_;
    $fd =~ s/[\<\>\"\'\%\;\)\(\&\+]//g;
    return( $fd ) ;
}

*BZZT!!* Wrong.  Don't do this in production code, because...

I have understood that bad characters are
< > " ' % ; ) ( & +

If it turns out that * (asterisk) is a "bad character", you're screwed.

If it turns out that *any other* character is "bad", you're screwed.

The *proper* way to do the filtering is to *remove* *all* characters
not known to be good.  Something like:

$fd =~ s/[^-_ a-zA-Z0-9]//g;

Only pass alphabetic, numeric, space, hyphen, and underscore.  Add other
characters *only* if you can show they are *not* a problem.
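The two approaches side by side, as an added Python rendering of the quoted Perl sub and the allowlist regex from the reply (not code from the thread; the sample strings are constructed). It also shows a reject-instead-of-strip variant, which the thread does not cover:

```python
import re

# Denylist from the quoted FilterNeg: strip only these characters.
BAD_CHARS = re.compile(r"[<>\"'%;)(&+]")

# Allowlist from the reply: keep letters, digits, space, hyphen, underscore.
NOT_ALLOWED = re.compile(r"[^-_ a-zA-Z0-9]")


def filter_neg(fd: str) -> str:
    """Negative approach: remove characters on a known-bad list."""
    return BAD_CHARS.sub("", fd)


def filter_pos(fd: str) -> str:
    """Positive approach: remove everything not on the known-good list."""
    return NOT_ALLOWED.sub("", fd)


def is_allowed(fd: str) -> bool:
    """Stricter variant (added here): reject the whole value if anything
    outside the allowlist is present, rather than silently stripping it."""
    return NOT_ALLOWED.search(fd) is None


def compare(fd: str) -> dict:
    """Run all three checks on one value so the gap is visible in one place."""
    return {"neg": filter_neg(fd), "pos": filter_pos(fd), "accept": is_allowed(fd)}


# Constructed sample inputs, not taken from the thread.
SAMPLES = [
    "John Smith-Jones_2",         # benign: every filter leaves it alone
    "foo*bar",                    # asterisk: absent from the denylist, so FilterNeg passes it
    "a|b`c`",                     # pipe and backticks: likewise absent from the denylist
    "a\tb\nc",                    # control characters: denylist passes, allowlist strips
    "<script>alert(1)</script>",  # the brackets are on the denylist; '/' is not
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(repr(s), "->", compare(s))
```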
