[WEB SECURITY] The Marquee Tag and XSS
gazheyes at gmail.com
Sun Jan 18 09:41:05 EST 2009
2009/1/18 Ofer Shezaf <ofer at shezaf.com>
> Signatures for web app security are never easy, which is why a regular IPS
> or deep packet inspection system is not enough. A web layer intrusion
> detection system (which we usually call a WAF), is supposed to help us write
> such signatures by decoding the input before matching signatures.
Yep totally agree
> For example, Ivan Ristic reminded me that ModSecurity would handle such a
> signature well using the following rule where "expression" is the signature
> to match:
> SecRule ARGS "expression" phase:2,t:none,t:htmlEntityDecode,t:cssDecode
Cool will that also handle backslash escapes?
> By the way, can you provide a link to your Bluehat preso? I could not find
It was a joint presentation with Eduardo and David. Check out his CSS
attribute reader btw
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the websecurity