[WEB SECURITY] The Marquee Tag and XSS

gaz Heyes gazheyes at gmail.com
Sun Jan 18 09:41:05 EST 2009


2009/1/18 Ofer Shezaf <ofer at shezaf.com>

>
>
> Signatures for web app security are never easy, which is why a regular IPS
> or deep packet inspection system is not enough. A web layer intrusion
> detection system (which we usually call a WAF), is supposed to help us write
> such signatures by decoding the input before matching signatures.
>

Yep totally agree

>
> For example, Ivan Ristic reminded me that ModSecurity would handle such a
> signature well using the following rule where "expression" is the signature
> to match:
>
>
>
> SecRule ARGS "expression" phase:2,t:none,t:htmlEntityDecode,t:cssDecode
>

Cool will that also handle backslash escapes?


> By the way, can you provide a link to your Bluehat preso? I could not find
> it.
>
It was a joint presentation with Eduardo and David. Check out his CSS
attribute reader btw
http://www.thespanner.co.uk/2008/10/20/bluehat/
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/attachments/20090118/88d1bbec/attachment.html>


More information about the websecurity mailing list