[WEB SECURITY] The Marquee Tag and XSS

Bill Pennington bill at whitehatsec.com
Tue Jan 13 13:01:50 EST 2009


People frequently block the strings we use for testing and leave everything else open; that is a lot of fun to explain.

However, I am all for anything that prevents the further spread of the marquee tag. :-)

---
Bill Pennington
SVP Services
WhiteHat Security Inc.
http://www.whitehatsec.com

On Jan 13, 2009, at 9:34 AM, Ofer Shezaf wrote:

> A recent post in the ModSecurity mailing list (http://permalink.gmane.org/gmane.comp.apache.mod-security.user/5745) prompted me to discuss a prevailing misconception regarding XSS protection. The poster requests a ModSecurity rule to block several HTML tags, including "<li>" and "<marquee>". However, while commonly associated with XSS, those are HTML tags that are not normally part of an XSS attack. While the HTML payload, even if not a script, can deface the attacked site, these tags don't have more of a role in defacement than any other input. Some HTML tags such as "<div>" may be beneficial to defacement by enabling larger changes on the defaced page, but "li", "ul" and "marquee" seem pretty harmless to me.
>
> Saying that, it might be prudent to block any HTML tag, as there might be an XSS attack vector yet unknown that will take advantage of them, but then you would want to block every HTML tag, not just those listed. Can you block all HTML tags? Keep in mind that in many applications, mainly interactive ones, HTML input is valid and useful. If not, you may be able to just block "<" entirely to gain another layer of security.
>
> "Marquee" is worth a special note: while you can find it sometimes in XSS vectors posted on the web, it is not part of the attack but rather part of the demo payload. We often see attack vectors such as this posted on the web:
>
> 	'">><marquee><h1>XSS</h1></marquee>
>
> The reason is that if the attack succeeds, the resulting injected HTML would scroll. However, the keyword "marquee" is immaterial to the attack and would never be used in a real attack. I once heard a good story from a pen-tester who found an XSS bug in an application and, to prove it, opened a dialog saying "Gotcha!". He presented the results to the organization and the developers promised to fix the issue; when he was back a fortnight later to examine the fix, he found out that the developers checked the input for the word "Gotcha!". Marquee is not much different in this sense from Gotcha!
>
> (blogged: http://blog.xiom.com/signatures-marquee)
>
> ~ Ofer
>
> Ofer Shezaf
> shezaf at xiom.com, +972-54-4431119
>
> Founder, Xiom.com, Proactive Web Application Security, http://www.xiom.com
> Chairman, OWASP Israel
> Leader, WASC Web Hacking Incidents Database Project
>
> ----------------------------------------------------------------------------
> Join us on IRC: irc.freenode.net #webappsec
>
> Have a question? Search The Web Security Mailing List Archives:
> http://www.webappsec.org/lists/websecurity/archive/
>
> Subscribe via RSS:
> http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
>
> Join WASC on LinkedIn
> http://www.linkedin.com/e/gis/83336/4B20E4374DBA
>
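The point of the thread, that a keyword signature catches the demo payload and not the attack, as an added example that is not code from the thread, from ModSecurity or from any WhiteHat/Xiom product. The signature list, the page template and all four payloads are constructed for the illustration; the only defence it contrasts with is plain contextual HTML encoding:

```javascript
// Added illustration, not code from the thread or from ModSecurity: a keyword
// signature list of the kind requested on the ModSecurity list, beside
// contextual output encoding. Every payload and the page template below are
// constructed for this demo.

// Signature list modelled on the quoted request: it names what demo payloads
// contain, not what an attack needs.
const SIGNATURES = ["<marquee>", "<li>", "<ul>", "gotcha!"];

// Returns true if the WAF-style filter would reject the input.
function signatureFilter(input) {
  const lowered = input.toLowerCase();
  return SIGNATURES.some((sig) => lowered.includes(sig));
}

// Contextual defence: encode the five HTML metacharacters before interpolating
// a value into element content or a double-quoted attribute.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hypothetical vulnerable page: reflects the parameter into an attribute
// value and into body text without encoding.
function renderUnsafe(name) {
  return `<input value="${name}"><p>Hello, ${name}</p>`;
}

// The same page with output encoding applied at the point of interpolation.
function renderSafe(name) {
  const enc = escapeHtml(name);
  return `<input value="${enc}"><p>Hello, ${enc}</p>`;
}

// Did the payload's own tag survive into the page as markup? We look for the
// first "<tag" the payload carries; in the encoded page it becomes "&lt;tag".
function tagSurvives(html, payload) {
  const m = payload.match(/<[a-z]+/i);
  return m !== null && html.includes(m[0]);
}

// Constructed payloads: the demo vector quoted above, the "Gotcha!"
// proof-of-concept from the story, and two equally functional variants an
// attacker would switch to once those words are on a blocklist.
const PAYLOADS = {
  demoMarquee: `'">><marquee><h1>XSS</h1></marquee>`,
  demoGotcha: `<script>alert("Gotcha!")</script>`,
  realImg: `"><img src=x onerror=alert(document.cookie)>`,
  realScript: `<script>alert("Got you")</script>`,
};

// For one payload: does the signature filter stop it, and does its tag land
// in the page as live markup with and without output encoding?
function evaluate(payload) {
  return {
    blockedBySignature: signatureFilter(payload),
    injectedUnsafe: tagSurvives(renderUnsafe(payload), payload),
    injectedSafe: tagSurvives(renderSafe(payload), payload),
  };
}

function evaluateAll() {
  const out = {};
  for (const [name, payload] of Object.entries(PAYLOADS)) {
    out[name] = evaluate(payload);
  }
  return out;
}

if (typeof require !== "undefined" && require.main === module) {
  console.table(evaluateAll());
}
```

Running it shows the two demo payloads blocked by the signature while both "real" variants pass straight through and land as live markup in the unencoded page; with encoding applied none of the four survives as a tag, blocklist or not. The encoder is deliberately minimal and only covers element content and quoted attribute values; a value landing inside a script block, a URL or an unquoted attribute needs a different encoder for that context.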

