[WEB SECURITY] Whitelist vs Blacklist for International (Unicode) characters
HASEGAWA Yosuke
yosuke.hasegawa at gmail.com
Fri Dec 5 22:20:44 EST 2008
Hi, lists.
I'd just spoken about this kind of issue at Black Hat Japan.
Maybe my presentation file will help you.
http://www.blackhat.com/presentations/bh-jp-08/bh-jp-08-Hasegawa/BlackHat-japan-08-Hasegawa-Char-Encoding.pdf
Of course, a whitelist is more secure than a blacklist.
However, that approach costs too much in practice.
The method I recommend to protect against XSS using MBCS attacks is the following:
1. Perform escaping at output to HTML, not input validation.
2. Convert the character encoding of the text to be output into UTF-16 / UTF-8 or similar,
to normalize it and eliminate broken byte sequences.
3. Specify the charset clearly in the HTTP response header.
If you just comply with the above, you can prevent most XSS using MBCS.
--
HASEGAWA Yosuke
yosuke.hasegawa at gmail.com
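The three steps above, shown side by side with the anti-pattern they replace, as an added example that is not part of the original post. The sample input is constructed: a Shift_JIS lead byte with no trail byte, followed by a quote and a tag; the function names are mine.

```python
import html

# Constructed sample input (not from the post): a Shift_JIS lead byte
# 0x83 with no trail byte, followed by a quote and an HTML tag.
SAMPLE_INPUT = b'\x83"<b>'


def naive_response(raw: bytes) -> tuple[dict, bytes]:
    """Anti-pattern: raw bytes copied into the page, no charset declared."""
    headers = {"Content-Type": "text/html"}
    return headers, b'<input value="' + raw + b'">'


def hardened_response(raw: bytes, source_encoding: str) -> tuple[dict, bytes]:
    """The three steps from the post, applied to one attribute value."""
    # Step 2: decode to Unicode first. Every broken byte sequence becomes
    # U+FFFD, so no dangling lead byte can pair with a later quote.
    text = raw.decode(source_encoding, errors="replace")
    # Step 1: escape at the point of output, for the attribute context.
    safe = html.escape(text, quote=True)
    page = f'<input value="{safe}">'
    # Step 3: state the charset explicitly in the response header.
    headers = {"Content-Type": "text/html; charset=UTF-8"}
    return headers, page.encode("utf-8")


def has_broken_sequence(body: bytes, encoding: str) -> bool:
    """True if the body does not decode strictly in the given encoding,
    i.e. a broken byte sequence survived into the output."""
    try:
        body.decode(encoding)
    except UnicodeDecodeError:
        return True
    return False


if __name__ == "__main__":
    for label, (hdr, body) in (
        ("naive", naive_response(SAMPLE_INPUT)),
        ("hardened", hardened_response(SAMPLE_INPUT, "shift_jis")),
    ):
        enc = "utf-8" if "UTF-8" in hdr["Content-Type"] else "shift_jis"
        print(label, hdr, body, "broken:", has_broken_sequence(body, enc))
```

The naive body still carries the dangling lead byte next to the closing quote and leaves the browser to guess the charset; the hardened body decodes strictly as UTF-8 and contains no unescaped quote or tag.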