[WEB SECURITY] The Marquee Tag and XSS

Ofer Shezaf ofer at shezaf.com
Sun Jan 18 02:00:43 EST 2009

Signatures for web app security are never easy, which is why a regular IPS
or deep packet inspection system is not enough. A web layer intrusion
detection system (which we usually call a WAF), is supposed to help us write
such signatures by decoding the input before matching signatures.

For example, Ivan Ristic reminded me that ModSecurity would handle such a
signature well using the following rule where "expression" is the signature
to match:

SecRule ARGS "expression" phase:2,t:none,t:htmlEntityDecode,t:cssDecode

By the way, can you provide a link to your Bluehat preso? I could not find
it.

~ Ofer

Ofer Shezaf [shezaf at xiom.com, +972-54-4431119, www.xiom.com]

From: gaz Heyes [mailto:gazheyes at gmail.com] 
Sent: Thursday, January 15, 2009 5:38 PM
To: Ofer Shezaf
Cc: Ory Segal; WebSecurity
Subject: Re: [WEB SECURITY] The Marquee Tag and XSS

2009/1/14 Ofer Shezaf <ofer at shezaf.com>

Saying that, the way to detect using signatures the attack vector you bring
is using the element vital to the attack: the expression in styles feature
in IE.


Writing a signature for expression is harder than you think. Did anyone see
our bluehat talk :D

Example:-
<div style=xss:&#92&#48&#48&#54&#53&#92&#48&#48&#55&#56&#92&#48&#48&#55&#48&#92&#48&#48&#55&#50&#92&#48&#48&#54&#53&#92&#48&#48&#55&#51&#92&#48&#48&#55&#51&#92&#48&#48&#54&#57&#92&#48&#48&#54&#102&#92&#48&#48&#54&#101&#92&#48&#48&#50&#56&#92&#48&#48&#55&#55&#92&#48&#48&#54&#57&#92&#48&#48&#54&#101&#92&#48&#48&#54&#52&#92&#48&#48&#54&#102&#92&#48&#48&#55&#55&#92&#48&#48&#50&#101&#92&#48&#48&#55&#56&#92&#48&#48&#51&#102&#92&#48&#48&#51&#48&#92&#48&#48&#51&#97&#92&#48&#48&#50&#56&#92&#48&#48&#54&#49&#92&#48&#48&#54&#99&#92&#48&#48&#54&#53&#92&#48&#48&#55&#50&#92&#48&#48&#55&#52&#92&#48&#48&#50&#56&#92&#48&#48&#51&#49&#92&#48&#48&#50&#57&#92&#48&#48&#50&#99&#92&#48&#48&#55&#55&#92&#48&#48&#54&#57&#92&#48&#48&#54&#101&#92&#48&#48&#54&#52&#92&#48&#48&#54&#102&#92&#48&#48&#55&#55&#92&#48&#48&#50&#101&#92&#48&#48&#55&#56&#92&#48&#48&#51&#100&#92&#48&#48&#51&#49&#92&#48&#48&#50&#57&#92&#48&#48&#50&#57>
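
The following is an added example for this thread, not code from either poster and not ModSecurity's own implementation. It is a small Python stand-in for the two transformations in Ofer's rule, t:htmlEntityDecode followed by t:cssDecode, applied to the style-attribute vector Gareth quoted above (with the mail-client line wrapping removed) and to a constructed harmless attribute. The decoders are simplified reimplementations of the documented ModSecurity semantics (numeric references with an optional semicolon; CSS escapes of one to six hex digits plus an optional terminating whitespace character), and the signature regex is an assumption standing in for the "expression" in Ofer's rule.

```python
import re

# Constructed sample input: the <div style=...> vector posted in this thread,
# with the mail-client line wrapping removed.
ENCODED_SAMPLE = (
    "<div style=xss:"
    "&#92&#48&#48&#54&#53&#92&#48&#48&#55&#56&#92&#48&#48&#55&#48&#92&#"
    "48&#48&#55&#50&#92&#48&#48&#54&#53&#92&#48&#48&#55&#51&#92&#48&#48&#55&#51&#"
    "92&#48&#48&#54&#57&#92&#48&#48&#54&#102&#92&#48&#48&#54&#101&#92&#48&#48&#50"
    "&#56&#92&#48&#48&#55&#55&#92&#48&#48&#54&#57&#92&#48&#48&#54&#101&#92&#48&#4"
    "8&#54&#52&#92&#48&#48&#54&#102&#92&#48&#48&#55&#55&#92&#48&#48&#50&#101&#92&"
    "#48&#48&#55&#56&#92&#48&#48&#51&#102&#92&#48&#48&#51&#48&#92&#48&#48&#51&#97"
    "&#92&#48&#48&#50&#56&#92&#48&#48&#54&#49&#92&#48&#48&#54&#99&#92&#48&#48&#54"
    "&#53&#92&#48&#48&#55&#50&#92&#48&#48&#55&#52&#92&#48&#48&#50&#56&#92&#48&#48"
    "&#51&#49&#92&#48&#48&#50&#57&#92&#48&#48&#50&#99&#92&#48&#48&#55&#55&#92&#48"
    "&#48&#54&#57&#92&#48&#48&#54&#101&#92&#48&#48&#54&#52&#92&#48&#48&#54&#102&#"
    "92&#48&#48&#55&#55&#92&#48&#48&#50&#101&#92&#48&#48&#55&#56&#92&#48&#48&#51&"
    "#100&#92&#48&#48&#51&#49&#92&#48&#48&#50&#57&#92&#48&#48&#50&#57>"
)

# Constructed harmless style attribute, to show the signature stays quiet
# on ordinary (entity-encoded) input.
BENIGN_SAMPLE = "<div style=color:&#35;ff0000>"

# Simplified stand-in for t:htmlEntityDecode: numeric character references,
# decimal or hex, with the trailing semicolon optional. The optional ';' is
# what lets "&#92&#48..." decode although the input contains no semicolons.
_HTML_NUM_REF = re.compile(r"&#(?:[xX]([0-9a-fA-F]+)|([0-9]+));?")

def html_entity_decode(s: str) -> str:
    def repl(m):
        code = int(m.group(1), 16) if m.group(1) else int(m.group(2))
        return chr(code) if code <= 0x10FFFF else m.group(0)
    return _HTML_NUM_REF.sub(repl, s)

# Simplified stand-in for t:cssDecode: a backslash followed by 1-6 hex digits
# (plus one optional terminating whitespace character) is a code point; a
# backslash before any other character yields that character unchanged.
_CSS_ESC = re.compile(r"\\([0-9a-fA-F]{1,6})[ \t\r\n\f]?|\\(.)", re.S)

def css_decode(s: str) -> str:
    def repl(m):
        if m.group(1):
            code = int(m.group(1), 16)
            return chr(code) if code <= 0x10FFFF else "\ufffd"
        return m.group(2)
    return _CSS_ESC.sub(repl, s)

def normalize(s: str) -> str:
    """Same transformation chain as the rule: t:htmlEntityDecode, then
    t:cssDecode. Order matters: the CSS escapes only appear once the HTML
    entities have been turned back into backslashes and digits."""
    return css_decode(html_entity_decode(s))

# Assumed signature for the element Ofer calls vital to the attack.
SIGNATURE = re.compile(r"expression\s*\(", re.I)

def matches_raw(raw: str) -> bool:
    """What a plain pattern match on the undecoded input sees."""
    return SIGNATURE.search(raw) is not None

def matches_signature(raw: str) -> bool:
    """What the rule sees after both transformations have run."""
    return SIGNATURE.search(normalize(raw)) is not None

if __name__ == "__main__":
    for sample in (ENCODED_SAMPLE, BENIGN_SAMPLE):
        print("raw match:    ", matches_raw(sample))
        print("normalized:   ", normalize(sample))
        print("decoded match:", matches_signature(sample))
```

Running it shows the point of the rule: the raw input never contains the string "expression", so an IPS matching on the wire form misses it, while the normalized form is plain enough for a simple signature. The benign sample decodes to an ordinary colour declaration and does not match.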
