[WEB SECURITY] The Marquee Tag and XSS
Ofer Shezaf
ofer at shezaf.com
Sun Jan 18 02:00:43 EST 2009
Signatures for web app security are never easy, which is why a regular IPS
or deep packet inspection system is not enough. A web layer intrusion
detection system (which we usually call a WAF) is supposed to help us write
such signatures by decoding the input before matching signatures.
For example, Ivan Ristic reminded me that ModSecurity would handle such a
signature well using the following rule where "expression" is the signature
to match:
SecRule ARGS "expression" phase:2,t:none,t:htmlEntityDecode,t:cssDecode
By the way, can you provide a link to your Bluehat preso? I could not find
it.
~ Ofer
Ofer Shezaf [shezaf at xiom.com, +972-54-4431119, www.xiom.com]
From: gaz Heyes [mailto:gazheyes at gmail.com]
Sent: Thursday, January 15, 2009 5:38 PM
To: Ofer Shezaf
Cc: Ory Segal; WebSecurity
Subject: Re: [WEB SECURITY] The Marquee Tag and XSS
2009/1/14 Ofer Shezaf <ofer at shezaf.com>
Saying that, the way to detect using signatures the attack vector you bring
is using the element vital to the attack: the expression in styles feature
in IE.
Writing a signature for expression is harder than you think. Did anyone see
our bluehat talk :D
Example:-
<div
style=xss:\0065\0078\0070\&#
48072\0065\0073\0073&#
920069\006f\006e\002
8\0077\0069\006e\0
864\006f\0077\002e\&
#48078\003f\0030\003a
\0028\0061\006c\006
5\0072\0074\0028\00
31\0029\002c\0077\0
069\006e\0064\006f&#
920077\002e\0078\003&
#100\0031\0029\0029>
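The ModSecurity rule above works because the transformations run in the listed order: HTML entities are decoded first, then CSS escapes, and only the normalized text is matched. The following Python is an added illustration of that decode chain (written for this reply, not ModSecurity's own code or the original poster's), run over constructed obfuscated style values; it is not a full CSS tokenizer and assumes the simplified escape grammar given in the comments.

```python
import html
import re

# CSS escape forms handled (assumption: simplified CSS 2.x rules):
#   "\" + 1..6 hex digits, optionally followed by one whitespace char
#   "\" + newline          -> line continuation, removed
#   "\" + any other char   -> that char literally
_CSS_ESCAPE = re.compile(r'\\([0-9a-fA-F]{1,6})[ \t\n\r\f]?|\\(.)', re.S)

def css_decode(s):
    def repl(m):
        if m.group(1) is not None:
            cp = int(m.group(1), 16)
            return '\ufffd' if cp == 0 or cp > 0x10FFFF else chr(cp)
        return '' if m.group(2) == '\n' else m.group(2)
    return _CSS_ESCAPE.sub(repl, s)

def html_entity_decode(s):
    # Decodes &#NN; / &#xNN; / named entities, with or without semicolon
    return html.unescape(s)

def normalize(s):
    # Same order as t:htmlEntityDecode,t:cssDecode in the rule
    return css_decode(html_entity_decode(s))

# The "expression" to look for, matched only after normalization
EXPRESSION_RE = re.compile(r'expression\s*\(', re.I)

def matches_expression(style_value):
    return EXPRESSION_RE.search(normalize(style_value)) is not None

# Constructed samples: hex escapes, an entity-encoded backslash,
# and a short escape terminated by whitespace
SAMPLES = {
    "hex":      r"xss:\0065\0078\0070\0072\0065\0073\0073\0069\006f\006e(alert(1))",
    "entity":   "xss:&#92;0065\\78 pression(alert(1))",
    "benign":   "color: red; width: 10px",
}

if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(f"{name:7} -> {normalize(value)!r} match={matches_expression(value)}")
```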