WebApp Sec mailing list archives
Re: [WEB SECURITY] How to Prevent XSS evasion attack ?
From: RSnake <rsnake () shocking com>
Date: Fri, 2 Dec 2005 11:14:07 -0800 (PST)
Hello, TAEHEUN, that is my page (http://ha.ckers.org/xss.html) that you are refering to. No, that is not an effective filter. Firstly it is only relevant to variables (and not cookie manipulation or other forms of getting XSS on a page). Secondly that regex is basically saying: Equals followed by a < followed by one or more non newlines, followed by a close >. Here's a simple way around that - just don't include a close angle bracket. If you do a half open attack like the following: query=%3CIMG%20SRC="javascript:alert('XSS')" it will get interpreted as: <IMG SRC="javascript:alert('XSS')" and if the next tag on the page is something like: <table> you'll be left with: <IMG SRC="javascript:alert('XSS')" <table> The first part "<table" will be ignored by the browser and the following ">" will close the tag and render the vector in IE and Netscape 8.0 on trusted site setting I'm also skeptical of things that say "non newline" as newlines are valid chars inside HTML, so I think that would also allow the vector but it depends on where and how it's implemented and how it interprets a newline. Also, this doesn't stop UTF-7 encoded attacks, DOM based attacks that don't need angle brackets and as a side note this will stop a lot more than just XSS, it will stop all HTML from getting on the page, which might be more than some people want. Hope that helps. -RSnake On Fri, 2 Dec 2005, TAEHEUN LEE wrote:
somebody tell me following.... ** XSS evasion attack* <a href="javascript#[code]"> -<div onmouseover="[code]"> -<img src="javascript:[code]"> -<xml src="javascript:[code]"> ... ... ** Regular Expression for XSS evasion attack* /((\%3D)|(=))[^\n]*((\%3C)|<)[^\n]+((\%3E)|>) *this is perfect ?? *Reference Document :* *www.blackhat.com/presentations/ bh-usa-04/bh-us-04-mookhey/bh-us-04-mookhey-up.ppt TAEHEUN LEE ?? ??:Hi List.. i wonder how to prevent XSS evasion attack at WAF (Negative Security Model) ? 1. registers all signature ? 2. embody in regular expression ? *please.. can you tell me what is your solution ??* * normal XSS <SCRIPT>alert("XSS")</SCRIPT> <IMG SRC="javascript:alert('XSS');"> <IMG SRC=javascript:alert('XSS')> * evasion XSS <IMG SRC=JaVaScRiPt:alert('XSS')> <IMG SRC=javascript:alert("XSS")> <IMG SRC="jav
ascript:alert('XSS');"> <IMG SRC="  javascript:alert('XSS');"> <IMG SRC=javascript:alert('XSS')> <IMG SRC=javascript:alert('XSS')> anything else... Reference Site http://ha.ckers.org/xss.html
Current thread:
- Re: [WEB SECURITY] How to Prevent XSS evasion attack ? RSnake (Dec 02)