[WEB SECURITY] The Marquee Tag and XSS

Rafal Los rafal at ishackingyou.com
Tue Jan 13 13:48:18 EST 2009


Bill,
  You can't imagine how many times this happens.  Actually, I just looked at your job title, I'm sure you know maybe even better than I :)  If I had a quarter (nay, a penny) for every developer who has asked me for a "list of patterns we have to block" I would be a rich man.  Perhaps we don't focus enough on that in our literature and education campaigns?


 Rafal (Ralph) M. Los
Security & IT Risk Strategist
 - Blog:    http://preachsecurity.blogspot.com
 - LinkedIn: http://www.linkedin.com/in/rmlos




> From: bill at whitehatsec.com
> To: websecurity at webappsec.org
> Date: Tue, 13 Jan 2009 10:01:50 -0800
> Subject: Re: [WEB SECURITY] The Marquee Tag and XSS
> 
> People frequently block the strings we use for testing and leave
> everything else open; that is a lot of fun to explain.
> 
> However, I am all for anything that prevents the further spread of the
> marquee tag. :-)
> 
> ---
> Bill Pennington
> SVP Services
> WhiteHat Security Inc.
> http://www.whitehatsec.com
> 
> On Jan 13, 2009, at 9:34 AM, Ofer Shezaf wrote:
> 
> > A recent post in the ModSecurity mailing list
> > (http://permalink.gmane.org/gmane.comp.apache.mod-security.user/5745)
> > prompted me to discuss a prevailing misconception regarding XSS protection.
> > The poster requests a ModSecurity rule to block several HTML tags, including
> > "<li>" and "<marquee>". However, while commonly associated with XSS, those
> > are HTML tags that are not normally part of an XSS attack. While the HTML
> > payload, even if not a script, can deface the attacked site, these tags
> > don't have more of a role in defacement than any other input. Some HTML tags
> > such as "<div>" may be beneficial to defacement by enabling larger changes
> > on the defaced page, but "li", "ul" and "marquee" seem pretty harmless to
> > me.
> >
> > Saying that, it might be prudent to block any HTML tag as there might be an
> > XSS attack vector yet unknown that will take advantage of them, but then you
> > would want to block every HTML tag, not just those listed. Can you block all
> > HTML tags? Keep in mind that in many applications, mainly interactive ones,
> > HTML input is valid and useful. If not, you may be able to just block "<"
> > entirely to gain another layer of security.
> >
> > "Marquee" is worth a special note: while you can find it sometimes in XSS
> > vectors posted on the web, it is not part of the attack but rather part of
> > the demo payload. We often see posted on the web attack vectors such as this:
> >
> > 	'">><marquee><h1>XSS</h1></marquee>
> >
> > The reason is that if the attack succeeds the resulting injected HTML would
> > scroll. However, the keyword "marquee" is immaterial to the attack and would
> > never be used in a real attack. I once heard a good story from a pen-tester
> > who found an XSS bug in an application and, to prove it, opened a dialog
> > saying "Gotcha!". He presented the results to the organization and the
> > developers promised to fix the issue; when he was back a fortnight later to
> > examine the fix, he found out that the developers checked the input for the
> > word "Gotcha!". Marquee is not much different in this sense than Gotcha!
> >
> > (blogged: http://blog.xiom.com/signatures-marquee)
> >
> > ~ Ofer
> >
> > Ofer Shezaf
> > shezaf at xiom.com, +972-54-4431119
> >
> > Founder, Xiom.com, Proactive Web Application Security, http://www.xiom.com
> > Chairman, OWASP Israel
> > Leader, WASC Web Hacking Incidents Database Project
> >
> >
> >
> >
> >
> > ----------------------------------------------------------------------------
> > Join us on IRC: irc.freenode.net #webappsec
> >
> > Have a question? Search The Web Security Mailing List Archives:
> > http://www.webappsec.org/lists/websecurity/archive/
> >
> > Subscribe via RSS:
> > http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
> >
> > Join WASC on LinkedIn
> > http://www.linkedin.com/e/gis/83336/4B20E4374DBA
> >
> 

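As an added example (not part of any message in this thread), the following Python contrasts the kind of keyword blocklist Ofer describes with context-aware output encoding. The two inputs are constructed for the example: the demo vector quoted in the thread, and the same string with the "<marquee>" wrapper removed, which is the part Ofer calls immaterial to the attack. The template, the blocklist contents and all function names are assumptions of this example, not anything from ModSecurity or the thread.

```python
from __future__ import annotations

import html
from html.parser import HTMLParser

# Constructed test inputs. DEMO_VECTOR is the demo payload quoted in the thread;
# NO_MARQUEE_VECTOR is the same string with the <marquee> wrapper removed.
DEMO_VECTOR = "'\">><marquee><h1>XSS</h1></marquee>"
NO_MARQUEE_VECTOR = "'\">><h1>XSS</h1>"

# A keyword blocklist of the kind described in the thread (assumed contents):
# it recognises the tester's demo strings, not the underlying injection.
BLOCKED_KEYWORDS = ("marquee", "gotcha!")


def passes_blocklist(value: str) -> bool:
    """True if the input contains none of the blocked keywords (case-insensitive)."""
    lowered = value.lower()
    return not any(keyword in lowered for keyword in BLOCKED_KEYWORDS)


def render_with_blocklist(value: str) -> str:
    """Interpolate raw input into an HTML template, dropping it only if blocklisted."""
    if not passes_blocklist(value):
        value = ""
    return f"<p>{value}</p>"


def render_with_encoding(value: str) -> str:
    """Encode for an HTML text-node context before interpolating (the real fix)."""
    return f"<p>{html.escape(value, quote=True)}</p>"


class _TagCollector(HTMLParser):
    """Collects every start tag a browser-side parser would see in the output."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []

    def handle_starttag(self, tag: str, attrs) -> None:
        self.tags.append(tag)


def injected_tags(rendered: str, template_tags=("p",)) -> set[str]:
    """Tag names present in the rendered HTML that the template itself did not emit."""
    collector = _TagCollector()
    collector.feed(rendered)
    collector.close()
    return set(collector.tags) - set(template_tags)


def compare_defences() -> dict[str, dict[str, set[str]]]:
    """Which tags each strategy lets the input inject, for both constructed vectors."""
    results = {}
    for name, vector in (("demo", DEMO_VECTOR), ("no_marquee", NO_MARQUEE_VECTOR)):
        results[name] = {
            "blocklist": injected_tags(render_with_blocklist(vector)),
            "encoding": injected_tags(render_with_encoding(vector)),
        }
    return results


if __name__ == "__main__":
    for name, outcome in compare_defences().items():
        print(f"{name:>10}: blocklist injects {sorted(outcome['blocklist']) or 'nothing'}, "
              f"encoding injects {sorted(outcome['encoding']) or 'nothing'}")
```

Running it shows the asymmetry the thread is about: the blocklist stops the demo vector only because it contains the word "marquee", and the same input with that wrapper removed still lands an "<h1>" in the page, whereas encoding for the output context neutralises both without needing to know what the payload looks like.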