[WEB SECURITY] The Marquee Tag and XSS

gaz Heyes gazheyes at gmail.com
Sun Jan 18 09:41:05 EST 2009

2009/1/18 Ofer Shezaf <ofer at shezaf.com>

> Signatures for web app security are never easy, which is why a regular IPS
> or deep packet inspection system is not enough. A web layer intrusion
> detection system (which we usually call a WAF), is supposed to help us write
> such signatures by decoding the input before matching signatures.

Yep totally agree

> For example, Ivan Ristic reminded me that ModSecurity would handle such a
> signature well using the following rule where "expression" is the signature
> to match:
> SecRule ARGS "expression" phase:2,t:none,t:htmlEntityDecode,t:cssDecode

Cool will that also handle backslash escapes?

> By the way, can you provide a link to your Bluehat preso? I could not find
> it.
It was a joint presentation with Eduardo and David. Check out his CSS
attribute reader btw
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/attachments/20090118/88d1bbec/attachment.html>

More information about the websecurity mailing list