[WEB SECURITY] Question about escaping strings in javascript

Chris Weber (Casaba Security) chris at casabasecurity.com
Sat May 31 23:33:31 EDT 2008


Hi Evert, sounds like Eric set it right as far as whitelisting goes - do
that if you can.  Seems like you're also interested in some other things:

The blacklist would still work for iso-8859-1, although the double byte
sequences would no longer have the same meaning, like \u2029 etc.  As far as
the paragraph and line separators \u2029 and \u2028, I've not found a way to
use them in an exploit (though I'm still looking), although they do seem to
break the rest of the javascript block in all non-IE browsers.  I'll be
keeping track of some upcoming testing I'm doing around this at
http://lookout.net/category/unicode/ 

Chris
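As an added example (my own JavaScript, not code from this thread or from any of its participants): the whitelist escaper Eric recommends, which encodes everything except ASCII letters and digits, so the U+2028 and U+2029 separators and U+0085 that Chris mentions are handled without being listed. Function names and the sample input are assumptions of this example.

```javascript
'use strict';

// Encode one UTF-16 code unit as \xHH (below U+0100) or \uHHHH (everything else).
function encodeUnit(code) {
  const hex = code.toString(16);
  return code < 0x100 ? '\\x' + hex.padStart(2, '0') : '\\u' + hex.padStart(4, '0');
}

// Whitelist escaper for data placed inside a JavaScript string literal:
// ASCII letters and digits pass through, every other code unit is hex-encoded.
// That covers quotes, backslash, <, >, &, CR/LF, NEL (U+0085) and the
// LINE/PARAGRAPH SEPARATORs (U+2028/U+2029) without a blacklist to maintain.
// Surrogate pairs become two \uXXXX escapes, which the JS parser reassembles.
function escapeJsString(input) {
  let out = '';
  for (let i = 0; i < input.length; i++) {
    const code = input.charCodeAt(i);
    const isAlnum = (code >= 0x30 && code <= 0x39) ||
                    (code >= 0x41 && code <= 0x5a) ||
                    (code >= 0x61 && code <= 0x7a);
    out += isAlnum ? input[i] : encodeUnit(code);
  }
  return out;
}

// What a server-side template would emit (hypothetical variable name).
function renderScript(value) {
  return 'var name = "' + escapeJsString(value) + '";';
}

// Structural check: escaped output consists only of [A-Za-z0-9\], so nothing
// in it can close the literal, end the line, or spell "</script>" for the
// HTML parser, whatever the page's charset is.
function isSafeOutput(escaped) {
  return /^[A-Za-z0-9\\]*$/.test(escaped);
}

// Round-trip check: parsing the literal gives back exactly the original value.
function roundTrips(value) {
  return new Function('return "' + escapeJsString(value) + '"')() === value;
}

// Constructed sample input: quotes, a script-closing tag, the three separators
// and a trailing backslash.
const SAMPLE = 'O\'Neil";alert(1)//</script>\u2028\u2029\u0085\\';

console.log(renderScript(SAMPLE));
console.log('safe:', isSafeOutput(escapeJsString(SAMPLE)),
            'round-trips:', roundTrips(SAMPLE));
```

Since ES2019 (the "JSON superset" change) engines accept U+2028 and U+2029 inside string literals, but older engines treated them as line terminators, which is the breakage Chris describes; hex-encoding them makes the output independent of which engine parses it, and the `isSafeOutput` check is a cheap unit test to keep on such an escaper.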



-----Original Message-----
From: Evert Pot - Rooftop Solutions [mailto:evertpot at gmail.com] On Behalf Of
Evert | Collab
Sent: Saturday, May 31, 2008 2:39 PM
To: Eric Rachner
Cc: websecurity at webappsec.org
Subject: Re: [WEB SECURITY] Question about escaping strings in javascript

On 30-May-08, at 6:10 PM, Eric Rachner wrote:

> Hi Evert,
>
> The Right Thing to do is to use a white-listing approach and encode
> *everything* except alphanumerics and a very limited set of characters
> considered safe.

Thanks Eric,

You convinced me to go with this whitelist vs. my proposed blacklist
approach for our own purposes. I can see the point of a much more
defensive strategy for these types of things.

However, I'm still (for research sake) interested in the
vulnerabilities out there today, and how one would go about writing
XSS for some of these lesser known special characters, such as the
'paragraph separator' and had trouble finding more information about
this on the web.

So considering my previous questions, with that in mind, do you have
an idea how I could go about learning more about the current state of
affairs?

Evert


>
> -----Original Message-----
> From: Evert | Collab [mailto:evert at collab.nl]
> Subject: [WEB SECURITY] Question about escaping strings in javascript
>
> Dear list,
>
> Looking at : http://code.google.com/p/doctype/wiki/ArticleXSSInJavaScript
> , they present a list of characters that should always be escaped in
> Javascript. This brings me to a few questions, which I hope some of
> the smart people on this list can answer.
>
> 1. Does this PHP function do its job for escaping javascript:
>
>       // Escapes data for embedding in a JavaScript string literal. It assumes
>       // UTF-8 output: the multi-byte keys are the UTF-8 encodings of
>       // U+0085 (NEL), U+2028 (LINE SEPARATOR) and U+2029 (PARAGRAPH SEPARATOR).
>       static function javascript($string) {
>
>            // str_replace() applies the pairs one after another to the whole
>            // string, so the backslash must be handled first; otherwise the
>            // backslashes introduced by the later pairs get doubled.
>            $replace = array(
>                '\\'           => '\\\\',
>                "\t"           => '\t',
>                "\n"           => '\n',
>                "\r"           => '\r',
>                "\xC2\x85"     => '\u0085',
>                "\xE2\x80\xA8" => '\u2028',
>                "\xE2\x80\xA9" => '\u2029',
>                "'"            => '\x27',
>                '"'            => '\x22',
>                '&'            => '\x26',
>                '<'            => '\x3c',
>                '>'            => '\x3e',
>                '='            => '\x3d',
>            );
>            return str_replace(array_keys($replace), array_values($replace), $string);
>
>        }
>
>
> 2. Does the latter function only work when the output encoding is
> UTF-8, or would it still be applicable to ISO-8859-1? I realize this
> probably isn't usable for UTF-7.
> 3. PHP's built-in function addslashes() only escapes the single quote,
> double quote and null character. Is this not sufficient?
> 4. Assuming question #3 is true, how can \u2028 (line separator),
> \u2029 (paragraph separator) and \u0085 (next line) be used in an
> exploit?
>
> Thanks a lot for your answers, I'm intending to write an article on
> this subject on www.rooftopsolutions.nl, but I want to make sure I got
> my facts straight.
>
> Evert


----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA
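Added example (my own JavaScript port, not the thread's PHP): the escaper quoted in Evert's original question hands its table to str_replace(), which applies the pairs one after another to the whole string. The port below reproduces that with split/join to show why the backslash pair has to come first. When the backslash is handled after the tab and quote pairs, the backslashes those pairs introduce get doubled again; the literal still parses without escaping from the string, so this is data corruption rather than injection, but it is the kind of defect a round-trip test catches. Table and function names are assumptions of this example.

```javascript
'use strict';

// Pairs in the order the quoted PHP lists them: the backslash comes ninth.
const TAB_FIRST = [
  ['\t', '\\t'], ['\n', '\\n'], ['\r', '\\r'],
  ['\u0085', '\\u0085'], ['\u2028', '\\u2028'], ['\u2029', '\\u2029'],
  ["'", '\\x27'], ['"', '\\x22'],
  ['\\', '\\\\'],
  ['&', '\\x26'], ['<', '\\x3c'], ['>', '\\x3e'], ['=', '\\x3d'],
];

// Same pairs with the backslash moved to the front, so it is escaped before
// any other pair introduces new backslashes.
const BACKSLASH_FIRST = [
  ['\\', '\\\\'],
  ...TAB_FIRST.filter(([from]) => from !== '\\'),
];

// Mimics str_replace() with array arguments: each pair is applied, in turn,
// to the result of the previous one.
function applySequentially(table, input) {
  let s = input;
  for (const [from, to] of table) {
    s = s.split(from).join(to);
  }
  return s;
}

function escapeOrderedAsQuoted(s) { return applySequentially(TAB_FIRST, s); }
function escapeBackslashFirst(s) { return applySequentially(BACKSLASH_FIRST, s); }

// Parse the escaped text as a JavaScript string literal and return its value.
function decodeLiteral(escaped) {
  return new Function('return "' + escaped + '"')();
}

// Round-trip check an escaper should pass for every input.
function roundTrips(escaper, value) {
  return decodeLiteral(escaper(value)) === value;
}

// Constructed sample: a tab, a quote, a backslash, "<" and a line separator.
const SAMPLE = 'a\tb"c\\d<e\u2028f';

console.log('as quoted  :', escapeOrderedAsQuoted(SAMPLE),
            'round-trips:', roundTrips(escapeOrderedAsQuoted, SAMPLE));
console.log('fixed order:', escapeBackslashFirst(SAMPLE),
            'round-trips:', roundTrips(escapeBackslashFirst, SAMPLE));
```

With the quoted order, `a<TAB>b` becomes `a\\tb` and decodes to a literal backslash followed by `t`; with the backslash first it becomes `a\tb` and decodes back to the tab.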


