[WEB SECURITY] How to Prevent XSS evasion attack ?

RSnake rsnake at shocking.com
Fri Dec 2 14:14:07 EST 2005


Hello, TAEHEUN, that is my page (http://ha.ckers.org/xss.html) that you
are refering to.  No, that is not an effective filter.  Firstly it is
only relevant to variables (and not cookie manipulation or other forms
of getting XSS on a page).  Secondly that regex is basically saying:

Equals followed by a < followed by one or more non newlines, followed by
a close >.  Here's a simple way around that - just don't include a close
angle bracket.

If you do a half open attack like the following:

query=%3CIMG%20SRC="javascript:alert('XSS')"

it will get interpreted as:

<IMG SRC="javascript:alert('XSS')"

and if the next tag on the page is something like:

<table>

you'll be left with:

<IMG SRC="javascript:alert('XSS')" <table>

The first part "<table" will be ignored by the browser and the following
">" will close the tag and render the vector in IE and Netscape 8.0 on
trusted site setting  I'm also skeptical of things that say "non
newline" as newlines are valid chars inside HTML, so I think that would
also allow the vector but it depends on where and how it's implemented
and how it interprets a newline.  Also, this doesn't stop UTF-7 encoded
attacks, DOM based attacks that don't need angle brackets and as a side
note this will stop a lot more than just XSS, it will stop all HTML from
getting on the page, which might be more than some people want.  Hope
that helps.

-RSnake

On Fri, 2 Dec 2005, TAEHEUN LEE wrote:

> somebody tell me following....
>
> ** XSS evasion attack*
> <a href="javascript#[code]">
> -<div onmouseover="[code]">
> -<img src="javascript:[code]">
> -<xml src="javascript:[code]">
> ...
> ...
>
> ** Regular Expression for XSS evasion attack*
> /((\%3D)|(=))[^\n]*((\%3C)|<)[^\n]+((\%3E)|>)
>
> *this is perfect ??
>
> *Reference Document :*
> *www.blackhat.com/presentations/
> bh-usa-04/bh-us-04-mookhey/bh-us-04-mookhey-up.ppt
>
>
> TAEHEUN LEE ¾´ ±Û:
>
>> Hi List..
>>
>> i wonder how to prevent XSS evasion attack at WAF (Negative Security
>> Model) ?
>>
>> 1. registers all signature ?
>> 2. embody in regular expression ?
>>
>> *please.. can you tell me what is your solution ??*
>>
>> * normal XSS
>> <SCRIPT>alert("XSS")</SCRIPT>
>> <IMG SRC="javascript:alert('XSS');">
>> <IMG SRC=javascript:alert('XSS')>
>>
>> * evasion XSS
>> <IMG SRC=JaVaScRiPt:alert('XSS')>
>> <IMG SRC=javascript:alert("XSS")>
>> <IMG SRC="jav&#x0D;ascript:alert('XSS');">
>> <IMG SRC="  javascript:alert('XSS');">
>> <IMG
>> SRC=javascript:alert('XSS')>
>> <IMG
>> SRC=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041>
>> anything else...
>>
>>
>> Reference Site
>> http://ha.ckers.org/xss.html
-------------- next part --------------
---------------------------------------------------------------------
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives
http://www.webappsec.org/lists/websecurity/archive/


More information about the websecurity mailing list