[WEB SECURITY] Bypassing Security controls using alternate encoding
Jim Manico
jim at manico.net
Tue Apr 6 19:11:15 EDT 2010
Forgive this poor segue but....
There is no way* to filter user input in a way to protect from XSS in
all HTML display contexts.
XSS is solved from a defensive coding perspective via proper contextual
output encoding, not validation.
Validation helps reduce the threat surface for individual inputs, don't
get me wrong - but it's the output encoding technique that is the true
final layer of defense.
And even worse, there are few ways to stop XSS via automation. The
various "filters" that I have seen from MS and others only stop XSS in
certain (HTML Body) display contexts. But as soon as a coder renders
user data in say a JavaScript or CSS variable context, pop goes the XSS.
The closest I have seen to truly automatic XSS protection is
http://googleonlinesecurity.blogspot.com/2009/03/reducing-xss-by-way-of-automatic.html
which just looks freaking amazing to me. Can't wait for the Java version.
But today, for most Enterprise developers, your XSS Defense Bible is
here:
http://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
This is a guide to proper contextual XSS output encoding, authored and
maintained by Jeff Williams.
- Jim
> XSS filters are not the only kind of filters that can be beaten with
> the right character sequences
>
> File upload file/mime type bypass, directory traversal, and command
> execution are also highly fuzzable using a good list of patterns that
> have been known to exploit other software, previously, injected into
> the right place, and the output accurately analyzed. I recently added
> a bunch of the fuzz patterns I have come up with during testing to the
> OWASP Fuzzing Code Database
>
> http://www.owasp.org/index.php/Category:OWASP_Fuzzing_Code_Database#tab=Statements
>
> As the list grows, I've been thinking it would be a lot more useful as
> a SVN repository or something similar, and am suggesting the idea to
> the project lead. Maybe on google code?
>
> Adam
>
> On Tue, Apr 6, 2010 at 6:31 AM, Chintan Dave <davechintan at ymail.com> wrote:
>
> Hi List,
>
> I am doing some research on alternate encoding to bypass security
> controls.
>
> Example: A single quote may be filtered, but %27 might get
> through. Now this is just URL Encoding, I want to understand what
> all other encoding methods could be used to bypass the filters.
>
> There can be multiple ways for encoding the input. Is there any
> thumb rule to identify which encoding method to use when?
>
> I have little knowledge on encoding and would appreciate pointers
> for further research on this topic.
>
> Thanks,
> Chintan
>
>
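As an added illustration of the contextual output-encoding point made above (example code, not from the thread or from the OWASP cheat sheet), here are per-context encoders in the style the cheat sheet recommends, plus a `render_param` helper showing why encoding at output time makes the wire representation (`'` vs `%27`) irrelevant; the input-side `naive_quote_filter` and the `O%27Neil` parameter are constructed for the demonstration.

```python
# Added example, not code from the thread or from the OWASP cheat sheet.
# Each encoder escapes every character except ASCII [A-Za-z0-9] using the
# escape syntax of the context the data lands in, so the browser-side parser
# (HTML, JavaScript, CSS) reads it as data rather than as syntax.
from urllib.parse import unquote

def encode_html(s: str) -> str:
    """HTML body and quoted-attribute context: &#xHH; numeric entities."""
    return "".join(c if c.isascii() and c.isalnum() else f"&#x{ord(c):X};" for c in s)

def encode_js_string(s: str) -> str:
    """Inside a quoted JavaScript string literal: \\xHH, or \\uHHHH above 0xFF (BMP)."""
    out = []
    for c in s:
        if c.isascii() and c.isalnum():
            out.append(c)
        elif ord(c) <= 0xFF:
            out.append(f"\\x{ord(c):02X}")
        else:
            out.append(f"\\u{ord(c):04X}")
    return "".join(out)

def encode_css_value(s: str) -> str:
    """Inside a CSS property value: \\HH hex escapes, space-terminated."""
    return "".join(c if c.isascii() and c.isalnum() else f"\\{ord(c):X} " for c in s)

ENCODERS = {"html": encode_html, "js": encode_js_string, "css": encode_css_value}

def render(context: str, untrusted: str) -> str:
    """Choose the encoder by where in the template the data is emitted."""
    return ENCODERS[context](untrusted)

def naive_quote_filter(raw_param: str) -> str:
    """The input-side 'filter' from the question: strips literal single quotes only."""
    return raw_param.replace("'", "")

def render_param(context: str, raw_param: str) -> str:
    """Output encoding runs after the framework has URL-decoded the parameter,
    so the wire representation (%27 vs ') no longer matters."""
    return render(context, unquote(raw_param))

if __name__ == "__main__":
    raw = "O%27Neil"  # constructed URL-encoded request parameter
    print(naive_quote_filter(raw))  # O%27Neil: the quote passed the filter untouched
    print(render_param("js", raw))  # O\x27Neil: inert inside a JS string literal
```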