[WEB SECURITY] The Marquee Tag and XSS

Ofer Shezaf ofer at shezaf.com
Tue Jan 13 12:34:26 EST 2009


A recent post in the ModSecurity mailing list
(http://permalink.gmane.org/gmane.comp.apache.mod-security.user/5745)
prompted me to discuss a prevailing misconception regarding XSS protection.
The poster requests a ModSecurity rule to block several HTML tags including
"<li>" and "<marquee>".  However, while commonly associated with XSS, those
are HTML tags that are not normally part of an XSS attack. While the HTML
payload, even if not a script, can deface the attacked site, these tags
don't have more of a role in defacement than any other input. Some HTML tags
such as "<div>" may be beneficial to defacement by enabling larger changes
on the defaced page, but "li", "ul" and "marquee" seem pretty harmless to
me.

Saying that, it might be prudent to block any HTML tag as there might be an
XSS attack vector yet unknown that will take advantage of them, but then you
would want to block every HTML tag, not just those listed. Can you block all
HTML tags? Keep in mind that in many applications, mainly interactive ones,
HTML input is valid and useful. If not, you may be able to just block "<"
entirely to gain another layer of security.

"Marquee" is worth a special note: while you can find it sometimes in XSS
vectors posted on the web, it is not part of the attack but rather part of
the demo payload. We often see attack vectors posted on the web such as this:

	'">><marquee><h1>XSS</h1></marquee>

The reason is that if the attack succeeds the resulting injected HTML would
scroll. However, the keyword "marquee" is immaterial to the attack and would
never be used in a real attack.  I once heard a good story from a pen-tester
who found an XSS bug in an application and, to prove it, opened a dialog saying
"Gotcha!". He presented the results to the organization, and the developers
promised to fix the issue. When he was back a fortnight later to examine the
fix, he found out that the developers checked the input for the word
"Gotcha!". Marquee is not much different in this sense than Gotcha!

(blogged: http://blog.xiom.com/signatures-marquee)

~ Ofer

Ofer Shezaf
shezaf at xiom.com, +972-54-4431119

Founder, Xiom.com, Proactive Web Application Security, http://www.xiom.com
Chairman, OWASP Israel 
Leader, WASC Web Hacking Incidents Database Project
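
The distinction the post draws between keyword signatures and actual protection, shown as an added example (not code from the post or from ModSecurity): the same injection with the tag name changed passes a keyword blocklist, while the post's two real options, refusing "<" outright or encoding on output, treat both inputs alike. The filter functions and the second sample input are constructed for illustration.

```python
import html
import re

# Constructed sample inputs: the first is the demo vector quoted in the post,
# the second is the same injection with "marquee" swapped for "div".
SAMPLE_INPUTS = {
    "marquee_demo": '\'">><marquee><h1>XSS</h1></marquee>',
    "div_variant": '\'">><div><h1>XSS</h1></div>',
}

# Hypothetical signature-style filter of the kind the post argues against:
# it reacts to the demo keywords, not to the injection itself.
KEYWORD_SIGNATURES = ("marquee", "gotcha!")


def keyword_blocklist_rejects(user_input: str) -> bool:
    """Return True if a keyword signature matches (the 'Gotcha!' approach)."""
    lowered = user_input.lower()
    return any(sig in lowered for sig in KEYWORD_SIGNATURES)


def angle_bracket_rejects(user_input: str) -> bool:
    """The post's stricter option: refuse any '<' when HTML input is not needed."""
    return "<" in user_input


def encode_for_html_body(user_input: str) -> str:
    """Output encoding: the browser displays the text instead of parsing it as markup."""
    return html.escape(user_input, quote=True)


def contains_markup(fragment: str) -> bool:
    """Crude check showing that encoded output has no tag left for the browser to render."""
    return re.search(r"<[a-zA-Z/]", fragment) is not None


def compare_defenses(user_input: str) -> dict:
    """Run all three approaches over one input and report what each one does with it."""
    return {
        "keyword_blocklist_rejects": keyword_blocklist_rejects(user_input),
        "angle_bracket_rejects": angle_bracket_rejects(user_input),
        "encoded_still_has_markup": contains_markup(encode_for_html_body(user_input)),
    }


if __name__ == "__main__":
    for name, sample in SAMPLE_INPUTS.items():
        print(name, compare_defenses(sample))
```

Only the keyword blocklist distinguishes the two inputs, which is exactly the post's point: the signature matched the demo, not the attack.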
