Full Disclosure mailing list archives
[anti-XSS]about CERT/CC:malicious_code_mitigation
From: "bitlance winter" <bitlance_3 () hotmail com>
Date: Sat, 07 Aug 2004 06:25:00 +0000
Hello LIST.

It is my sad story. I feel that there is a necessity to learn about XSS.
I must learn about malicious content mitigation. Again and again I have read
the advisory, "[CERT/CC] Understanding Malicious Content Mitigation for Web
Developers". The advisory is here:
http://www.cert.org/tech_tips/malicious_code_mitigation.html

First, I read the "Sample Filtering Code" and the "Identifying the Special
Characters".
http://www.cert.org/tech_tips/malicious_code_mitigation.html#8
http://www.cert.org/tech_tips/malicious_code_mitigation.html#4

There is a Perl example.

===quoted begin===
#! The first function takes the negative approach.
#! Use a list of bad characters to filter the data
sub FilterNeg {
    local( $fd ) = @_;
    $fd =~ s/[\<\>\"\'\%\;\)\(\&\+]//g;
    return( $fd ) ;
}
===SNIP===
$Data = "This is a test string<script>";
$Data = &FilterNeg( $Data );
print "$Data\n";
===quoted end===

I have understood that bad characters are < > " ' % ; ) ( & +

Again, I read the section, "Identifying the Special Characters".
http://www.cert.org/tech_tips/malicious_code_mitigation.html#4

===quoted begin===
Within the body of a <SCRIPT> </SCRIPT>
The semicolon, parenthesis, curly braces, and new line should be filtered
in situations where text could be inserted directly into a preexisting
script tag.
===quoted end===

I think that this is an important point, when user's input text could be
inserted into a script tag. I have rewritten the Perl example named
"FilterNeg". I have to add the filtering rule.

===begin===
# -----------------
# FilterNeg
# http://www.cert.org/tech_tips/malicious_code_mitigation.html
# The first function takes the negative approach.
# Use a list of bad characters to filter the data
# < > " ' % ; ) ( & +
# filter out { } [ ] \r \n
# filter out javascript: vbscript: ../
#
sub FilterNeg {
    local( $fd ) = @_;
    $fd =~ s/[\<\>\"\'\%\;\)\(\&\+\}\{\]\[\r\n]//g;
    while ($fd =~ /\.{2,}\/|javascript:|vbscript:/i) {
        $fd =~ s/\.{2,}\///g;
        $fd =~ s/javascript://gi;
        $fd =~ s/vbscript://gi;
    }
    return( $fd ) ;
}
====end====

It works in this way. It is finished at last. I have made one Perl script.
Please check it out.

===begin===
#!/usr/bin/perl
# please set this CGI name (example: cert.cgi)
# to $cginame
$cginame = "cert.cgi";

if($ENV{'REQUEST_METHOD'} eq 'POST'){
    #reads inputted variables through POST
    read(STDIN, $buffer, $ENV{'CONTENT_LENGTH'});
}
else{
    #reads inputted variables through GET
    $buffer = $ENV{'QUERY_STRING'};
}

#splits the variables at &
@pairs = split(/&/, $buffer);
foreach $pair (@pairs) {
    #sets the value and name of each var
    ($name, $value) = split(/=/, $pair);
    #makes each + into a space
    $value =~ tr/+/ /;
    #URL decode
    $value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
    #filter out bad characters < > " ' % ; ) ( & +
    #filter out { } [ ] \r \n
    #filter out javascript: vbscript: ../
    $value = &FilterNeg( $value );
    #sets the variables in a hash
    $FORM{$name} = $value;
}

#print html
print "Set-Cookie: id=sample\; ";
print "expires=Mon, 01-May-2055 12:00:00 GMT;\n";
print "Content-Type: text/html\n";
print "\n";
print "\n\n";
print "<scr";
print "ipt>\n";
print "try\n";
print "{\n";
print "  if (window.self == window.top)\n";
print "    window.location.replace( \"$FORM{'Redirect'}\" )\n";
print "}\n";
print "catch(e){}\n";
print "</scr";
print "ipt>\n\n";
print "<html><head><title>$cginame</title></head>\n";
print "<body>\n";
print "<h2>TITLE</h2>\n";
print "<p>messages.</p>\n";
print "<a href=\"/\">HOME</a><br>\n";
print "<a href=\"javascript:document.cookie\">cookie</a><br>\n";
print "</body></html>";
exit;

# -----------------
# FilterNeg
# http://www.cert.org/tech_tips/malicious_code_mitigation.html
# The first function takes the negative approach.
# Use a list of bad characters to filter the data
# < > " ' % ; ) ( & +
# filter out { } [ ] \r \n
# filter out javascript: vbscript: ../
#
sub FilterNeg {
    local( $fd ) = @_;
    $fd =~ s/[\<\>\"\'\%\;\)\(\&\+\}\{\]\[\r\n]//g;
    while ($fd =~ /\.{2,}\/|javascript:|vbscript:/i) {
        $fd =~ s/\.{2,}\///g;
        $fd =~ s/javascript://gi;
        $fd =~ s/vbscript://gi;
    }
    return( $fd ) ;
}
====end====

I have checked this script, for example,
http://mysite.tld/cert.cgi?Redirect=http://www.example.com/
http://mysite.tld/cert.cgi?Redirect=./somefile
That is good. (Tested on Internet Explorer, Opera, Firefox, etc.)

And I have checked XSS issues. Now I am sad. I have found an XSS issue.
It is not good.

Example URL:
http://mysite.tld/cert.cgi?Redirect=%5C152avascript:alert%5C50document.cookie%5C51

=== again CERT/CC advisory ===
Within the body of a <SCRIPT> </SCRIPT>
The semicolon, parenthesis, curly braces, and new line should be filtered
in situations where text could be inserted directly into a preexisting
script tag.
=== end ======================

Please teach me truth. Thank you for reading this mail.

Best Regards.
--
bitalance
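Added example (not from the original post, nor from the CERT/CC document): the Redirect value in the script above lands inside a double-quoted JavaScript string literal, and a character blacklist cannot protect that context, because the script parser decodes escape sequences such as \152 after the filter has run. The block below ports the poster's FilterNeg to JavaScript, shows what the browser actually reads from the filtered value, and then does what a defender would do instead: validate the redirect target against an allow-list and encode it for the JS-string context it is placed in. The function names, the allow-list rules and the use of the Function constructor to stand in for the browser's script parser are this example's own choices; the payload string is the poster's, after the CGI's percent-decoding.

```javascript
// Added example (not from the original post or the CERT/CC document).
// Runs under Node.js with no external modules; every input is constructed.

// 1. Faithful port of the poster's FilterNeg: strip a list of bad characters
//    and the substrings "javascript:", "vbscript:" and "../".
function filterNeg(fd) {
  fd = fd.replace(/[<>"'%;)(&+}{\]\[\r\n]/g, "");
  while (/\.{2,}\/|javascript:|vbscript:/i.test(fd)) {
    fd = fd.replace(/\.{2,}\//g, "");
    fd = fd.replace(/javascript:/gi, "");
    fd = fd.replace(/vbscript:/gi, "");
  }
  return fd;
}

// 2. Output encoding for a double-quoted JavaScript string literal: every
//    character outside [A-Za-z0-9] becomes \xHH (or \uHHHH above U+00FF).
//    The script parser can then only read the value back as those same
//    characters; it never sees a quote, a backslash or "</script>".
function encodeForJsString(s) {
  return s.replace(/[^A-Za-z0-9]/g, function (ch) {
    var hex = ch.charCodeAt(0).toString(16).toUpperCase();
    return hex.length <= 2 ? "\\x" + ("0" + hex).slice(-2)
                           : "\\u" + ("000" + hex).slice(-4);
  });
}

// 3. Allow-list check for the Redirect value (this example's rule, not the
//    poster's): a local path ("/x" or "./x", but not protocol-relative
//    "//host") or an absolute http(s) URL. Every other scheme is rejected
//    outright instead of being filtered.
function isAllowedRedirect(url) {
  if (/^\.?\/(?!\/)/.test(url)) return true;
  return /^https?:\/\/\S+$/i.test(url);
}

// 4. What the CGI should emit instead of printing $FORM{'Redirect'} raw:
//    validate first, then encode for the string context it is placed in.
//    Returns null when the target is not allowed.
function buildRedirectScript(target) {
  if (!isAllowedRedirect(target)) return null;
  return 'if (window.self == window.top) window.location.replace("' +
         encodeForJsString(target) + '");';
}

// Stand-in for the browser's script parser: build the statement
// `return "<value>";` and evaluate it, so escape sequences such as \152 are
// decoded exactly as they would be in the emitted page.
function parseAsJsStringLiteral(value) {
  return new Function('return "' + value + '";')();
}

// The poster's Redirect value after the CGI's percent-decoding (%5C -> "\").
var posterPayload = "\\152avascript:alert\\50document.cookie\\51";

if (typeof require !== "undefined" && require.main === module) {
  console.log("after FilterNeg :", filterNeg(posterPayload));
  console.log("browser reads   :", parseAsJsStringLiteral(filterNeg(posterPayload)));
  console.log("encoded literal :", encodeForJsString(posterPayload));
  console.log("validated script:", buildRedirectScript("http://www.example.com/"));
}
```

Two points the run makes visible: filterNeg returns the poster's value untouched (none of its characters are on the list, and "javascript:" is not a substring until the browser decodes \152), while encodeForJsString hands the parser a literal that decodes back to the harmless text and nothing else. The allow-list is the real fix for a redirect parameter: a value that is not a local path or an http(s) URL should be refused, not cleaned.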
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- [anti-XSS]about CERT/CC:malicious_code_mitigation bitlance winter (Aug 07)
- Re: [anti-XSS]about CERT/CC:malicious_code_mitigation Valdis . Kletnieks (Aug 09)
- Re: [anti-XSS]about CERT/CC:malicious_code_mitigation dd (Aug 09)
- Re: [anti-XSS]about CERT/CC:malicious_code_mitigation Valdis . Kletnieks (Aug 09)
- Re: [anti-XSS]about CERT/CC:malicious_code_mitigation dd (Aug 09)
- Re: [anti-XSS]about CERT/CC:malicious_code_mitigation Dave Horsfall (Aug 10)
- Re: [anti-XSS]about CERT/CC:malicious_code_mitigation Valdis . Kletnieks (Aug 10)
- Re: [anti-XSS]about CERT/CC:malicious_code_mitigation dd (Aug 09)
- Re: [anti-XSS]about CERT/CC:malicious_code_mitigation Valdis . Kletnieks (Aug 09)
- <Possible follow-ups>
- Re: [anti-XSS]about CERT/CC:malicious_code_mitigation auto269562 (Aug 10)