Full Disclosure mailing list archives

Re: logically stopping xss


From: Valdis.Kletnieks () vt edu
Date: Wed, 23 Jul 2003 00:06:24 -0400

On Tue, 22 Jul 2003 23:10:12 EDT, Justin Shin said:

> See, there's a gazillion xss "exploits" just sitting out there that no one
> knows of, and no admin can keep up with all the new "exploits" for xss. I am
> just looking for suggestions, that's all. I swear, when I said I was stupid, I
> didn't mean I was THAT stupid :)

Oh.. *suggestions*.. That's different. ;)

If you're looking for XSS, start by finding a form that the user fills in
themselves. Then see if that data can be found on some OTHER page.  The only
two parts missing then are (a) improper filtering before redisplay and (b)
getting a victim to visit the other page. ;)

Unlike virus/malware detectors that can look for things like nop sleds, there's
no really general way to filter for XSS, since the whole trick is to pass
*legal* structures to the victim and have them interpreted in incorrect
contexts.  Quite often, the attack is a "recombinant DNA" type, where you're
providing fragments in several pieces all of which *looked* legal separately
(like one MUA that had an issue displaying a *series* of messages, each of
which had a small chunk of javascript in the Subject: line... Ouch ;)

You might want to get hold of a copy of Hofstadter's "Gödel, Escher, Bach" - once
you read and understand the chapter on quining, knowing what signs of an XSS
problem to look for will be a lot easier.  The rest of the book is a worthwhile
read too - you'll learn a lot about exactly why scanners like SNORT can't be
100% right, and a lot less painfully than the Theory of Computation classwork
version. ;)
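
The "recombinant" attack and the form-then-redisplay hunt described in the post,
as an added example that is not part of Valdis' message. The webmail-style
message list, the three Subject: lines, the blacklist filter and the fake
alert/document used to run the result are all constructed for this
illustration; nothing here is the MUA from the anecdote. Each Subject: line
passes a per-fragment blacklist and is inert on its own, but once the page lays
the series out inside an inline script they assemble into running code. The
hardened renderer encodes each value for the JavaScript-string context it lands
in instead of trying to recognise "bad" input.

```javascript
// Added example (not from the original post). Models the recombinant XSS the
// post describes: fragments that individually pass a filter and individually
// do nothing, but execute once a page emits them in series.
//
// Constructed Subject: lines from three messages in a hypothetical webmail
// message list. None of them contains a script tag, an on*= handler or a
// javascript: URL; each looks like an odd but harmless subject on its own.
const SUBJECTS = [
  'status report"]; /*',
  '*/ alert(document.cookie); /*',
  '*/ var unused = ["lunch?',
];

// A per-fragment blacklist of the kind the post says cannot be general: it
// checks each value in isolation against a few signatures.
function passesBlacklist(fragment) {
  return !/<\s*script\b/i.test(fragment)
      && !/\bon\w+\s*=/i.test(fragment)
      && !/javascript\s*:/i.test(fragment);
}

// Vulnerable rendering (hypothetical): the page hands the subject list to
// client-side code through an inline script, pasting each subject verbatim
// between double quotes. This is the "data redisplayed on some OTHER page"
// step, done without encoding for the context.
function renderInlineScriptUnescaped(subjects) {
  return 'var subjects = ["' + subjects.join('", "') + '"];';
}

// Hardened rendering: encode for the context the data lands in. Here that is a
// JavaScript string literal inside an HTML <script>, so JSON-encode the value
// (escapes quotes, backslashes and newlines) and also neutralise "</" so a
// value cannot close the enclosing script element.
function jsStringLiteral(value) {
  return JSON.stringify(String(value)).replace(/<\//g, '<\\/');
}

function renderInlineScriptEscaped(subjects) {
  return 'var subjects = [' + subjects.map(jsStringLiteral).join(', ') + '];';
}

// Runs a generated script with a fake alert() and document, standing in for
// the victim's browser. Reports whether the payload fired, what the script's
// `subjects` array ended up holding, and any syntax/runtime error.
function executeScript(source) {
  let alertCalls = 0;
  const fakeAlert = () => { alertCalls += 1; };
  const fakeDocument = { cookie: 'session=constructed-value' };
  let subjects = null;
  let error = null;
  try {
    const fn = new Function('alert', 'document', source + '\nreturn subjects;');
    subjects = fn(fakeAlert, fakeDocument);
  } catch (e) {
    error = e;
  }
  return { alertCalls, subjects, error };
}

// Walks through the three views of the same data: filtered, rendered verbatim,
// rendered with context-aware encoding.
function demo() {
  const filtered = SUBJECTS.every(passesBlacklist);
  const alone = SUBJECTS.map(s => executeScript(renderInlineScriptUnescaped([s])).alertCalls);
  const together = executeScript(renderInlineScriptUnescaped(SUBJECTS));
  const encoded = executeScript(renderInlineScriptEscaped(SUBJECTS));
  console.log('every fragment passes the blacklist:', filtered);
  console.log('alert() calls when each fragment is rendered alone:', alone);
  console.log('alert() calls when rendered in series, unescaped:', together.alertCalls);
  console.log('alert() calls when rendered in series, escaped:', encoded.alertCalls);
  console.log('subjects the escaped page actually received:', encoded.subjects);
  return { filtered, alone, together, encoded };
}

demo();
```

The blacklist is not the bug; the verbatim concatenation is. The unescaped
output turns `"]; /*`, `*/ alert(...); /*` and `*/ var unused = ["` into one
statement sequence, with the quoting the page added swallowed by the comment
markers. The encoded output is the same data, still odd-looking, but now three
plain strings in an array, which is exactly why filtering input is a weaker
position than encoding output for the context it is emitted into.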
