Full Disclosure mailing list archives
RE: logically stopping xss
From: "Justin Shin" <zorkshin () tampabay rr com>
Date: Wed, 23 Jul 2003 00:34:24 -0400
Hmmm ... disabling the <>'" characters completely ... not good, considering that many users may need to use a PHP webmail form with quotes. < is the same thing as <, right, so if a kiddie wanted to exploit with XSS, he could simply use <SCRIPT> , etc. no??? -- Justin Shin -----Original Message----- From: full-disclosure-admin () lists netsys com [mailto:full-disclosure-admin () lists netsys com]On Behalf Of KF Sent: Tuesday, July 22, 2003 11:55 PM To: full-disclosure () lists netsys com Subject: Re: [Full-disclosure] logically stopping xss some random text about mod_security I forget where it came from maybe a security focus article... *Defending against CSS and SQL Injection attacks* The last step of securing the server is implementing the logging of the GET and POST payloads, and implementing protection against Cross-Site-Scripting and SQL Injection attacks. In order to perform that, we will use the mod_security module, which we enable by adding the following line into httpd.conf: AddModule mod_security.c To enable logging of the GET and POST requests, it suffices to add the following section to httpd.conf: <IfModule mod_security.c> AddHandler application/x-httpd-php .php SecAuditEngine On SecAuditLog logs/audit_log SecFilterScanPOST On SecFilterEngine On </IfModule> The above commands will enable the Audit Engine, which is responsible for logging requests, and the Filtering POST Engine, which will make it possible to log POST requests. In order to protect web application against CSS attacks, the following lines should also be inserted before "</IfModule>": SecFilterDefaultAction "deny,log,status:500" SecFilter "<(.|\n)+>" The first line causes that the server to return the "Internal Server Error" message when the request contains the search phrase from any SecFilter variable. The second line sets up the filter to search for HTML tags in the GET and POST requests. One of the typical signatures of SQL Injection attack is the appearance of an apostrophe (') or quotation mark (") in the GET or POST request. By rejecting all the requests containing those characters, we can make the use of SQL Injection technique very difficult: SecFilter "'" SecFilter "\"" Note, that although filtering the <, >, ', " characters lets us defend against CSS and SQL Injection attacks, it can lead to the improper functioning of the PHP application. It happens, because regular users cannot use those characters in the HTML forms. To solve that problem, the JavaScript language can be used on the client side, which should replace the prohibited characters with special tags, e.g. < > " etc. -KF Justin Shin wrote:
see theres a gazillion xss "exploits" just sitting out there that no-one knows of, and no admin can keep up with all the new "exploits" for xss. I am just looking for suggestions, that's all. I swear, when I said was stupid, I didn't mean I was THAT stupid :) -- Justin Shin -----Original Message----- From: Valdis.Kletnieks () vt edu [mailto:Valdis.Kletnieks () vt edu] Sent: Tuesday, July 22, 2003 11:05 PM To: Justin Shin Cc: Full-Disclosure () Lists Netsys Com Subject: Re: [Full-disclosure] logically stopping xss On Tue, 22 Jul 2003 21:33:00 EDT, Justin Shin <zorkshin () tampabay rr com> said:i know there's a lot of stupid jokes about XSS vulns right now, but I was wondering if there is any firewall or IDS software that can look for suspicious GET requests ... ie.GET /vulnerablewebapp/?<XSS SHZNIT>I'm sure there's a program out there ... and I'm stupid, please don't kill meSNORT comes with a pretty long list.... _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- logically stopping xss Justin Shin (Jul 22)
- Re: logically stopping xss Edstrom Johan (Jul 22)
- Re: logically stopping xss Valdis . Kletnieks (Jul 22)
- RE: logically stopping xss Justin Shin (Jul 22)
- Re: logically stopping xss KF (Jul 22)
- RE: logically stopping xss Justin Shin (Jul 22)
- Re: logically stopping xss Valdis . Kletnieks (Jul 22)
- Re: logically stopping xss Valdis . Kletnieks (Jul 22)
- RE: logically stopping xss Justin Shin (Jul 22)
- Re: logically stopping xss petard (Jul 22)
- <Possible follow-ups>
- RE: logically stopping xss Marc Ruef (Jul 23)
- RE: logically stopping xss Schmehl, Paul L (Jul 23)