[WEB SECURITY] Bypassing Security controls using alternate encoding

Jim Manico jim at manico.net
Tue Apr 6 19:11:15 EDT 2010

Forgive this poor segue but....

There is no way* to filter user input in a way that protects from XSS in 
all HTML display contexts.

XSS is solved from a defensive coding perspective via proper contextual 
output encoding, not validation.

Validation helps reduce the threat surface for individual inputs, don't 
get me wrong - but it's the output encoding technique that is the true 
final layer of defense.

And even worse, there are few ways to stop XSS via automation. The 
various "filters" that I have seen from MS and others only stop XSS in 
certain (HTML Body) display contexts. But as soon as a coder renders 
user data in, say, a JavaScript or CSS variable context, pop goes the XSS. 
The closest I have seen to truly automatic XSS protection is 
which just looks freaking amazing to me. Can't wait for the Java version.

But today, for most Enterprise developers, your XSS Defense Bible is 
. This is a guide to proper contextual XSS output encoding, authored and 
maintained by Jeff Williams.

- Jim

> XSS filters are not the only kind of filters that can be beaten with 
> the right character sequences.
> File upload file/mime type bypass, directory traversal, and command 
> execution are also highly fuzzable using a good list of patterns that 
> have been known to exploit other software, previously, injected into 
> the right place, and the output accurately analyzed. I recently added 
> a bunch of the fuzz patterns I have come up with during testing to the 
> OWASP Fuzzing Code Database
> http://www.owasp.org/index.php/Category:OWASP_Fuzzing_Code_Database#tab=Statements
> As the list grows, I've been thinking it would be a lot more useful as 
> a SVN repository or something similar, and am suggesting the idea to 
> the project lead. Maybe on google code?
> Adam
> On Tue, Apr 6, 2010 at 6:31 AM, Chintan Dave <davechintan at ymail.com> wrote:
>     Hi List,
>     I am doing some research on alternate encoding to bypass security
>     controls.
>     Example: A single quote may be filtered, but %27 might get
>     through. Now this is just URL Encoding, I want to understand what
>     all other encoding methods could be used to bypass the filters.
>     There can be multiple ways for encoding the input, Is there any
>     thumb rule to identify - which encoding method to use when?
>     I have little knowledge on encoding and would appreciate pointers
>     for further research on this topic.
>     Thanks,
>     Chintan
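The two points raised in this thread, the filter-before-decode bypass from Chintan's question and the contextual output encoding Jim argues for, side by side in one added example. This is illustration code written for this page; it is not from the thread, from OWASP, or from ESAPI, and the helper names (`canonicalize`, `renderJsVar`, `breaksOutOfJsString`), the constructed payload and the encoder character classes are assumptions, deliberately simplified versions of what a production encoder library does.

```javascript
// Added example (not code from the thread, OWASP or ESAPI). Shows why a
// character filter applied before URL-decoding is bypassed by %27 / %2527,
// and how contextual output encoding holds regardless of the input.

// --- Part 1: the filter-before-decode bug from the original question ---

// Deny-list filter of the kind the question describes: rejects a raw quote.
function rejectsSingleQuote(s) {
  return !s.includes("'");
}

// Decode repeatedly until the value stops changing, so double-encoded input
// (%2527 -> %27 -> ') is reduced to its canonical form before any check.
// decodeURIComponent throws on a malformed %xx sequence; stop there.
function canonicalize(s, maxRounds = 5) {
  let prev = String(s);
  for (let i = 0; i < maxRounds; i++) {
    let next;
    try {
      next = decodeURIComponent(prev);
    } catch (e) {
      break;
    }
    if (next === prev) break;
    prev = next;
  }
  return prev;
}

// Buggy order: validate the raw parameter, decode afterwards. Returns the
// value that reaches the page, or null if the filter rejected it.
function filterThenDecode(rawParam) {
  if (!rejectsSingleQuote(rawParam)) return null;
  return canonicalize(rawParam);
}

// Correct order: canonicalize first, then validate the decoded value.
function decodeThenFilter(rawParam) {
  const decoded = canonicalize(rawParam);
  if (!rejectsSingleQuote(decoded)) return null;
  return decoded;
}

// --- Part 2: contextual output encoding ---

// HTML body / quoted-attribute context: entity-encode the characters that
// can change the markup.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;", "/": "&#x2F;" };
function encodeForHtml(s) {
  return String(s).replace(/[&<>"'\/]/g, c => HTML_ESCAPES[c]);
}

// JavaScript string-literal context: allow-list alphanumerics, escape every
// other UTF-16 unit as \xHH or \uHHHH, so neither a quote nor "</script>"
// can terminate anything.
function encodeForJavaScript(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, c => {
    const code = c.charCodeAt(0);
    return code < 0x100
      ? "\\x" + code.toString(16).padStart(2, "0")
      : "\\u" + code.toString(16).padStart(4, "0");
  });
}

// CSS string context: backslash-hex escape terminated by a space.
function encodeForCss(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, c => "\\" + c.charCodeAt(0).toString(16) + " ");
}

// The "HTML body only" style filter the post criticizes: strips angle brackets.
function naiveBodyFilter(s) {
  return String(s).replace(/[<>]/g, "");
}

// Template that lands user data inside a JS string literal. The caller picks
// the encoder; picking the HTML-body one here is the vulnerability.
function renderJsVar(value, encoder) {
  return "<script>var name = '" + encoder(value) + "';</script>";
}

// True if the literal still contains an unescaped quote, i.e. the string was
// terminated and the remainder of the payload executes as code.
function breaksOutOfJsString(rendered) {
  const body = rendered.slice("<script>var name = '".length, -"';</script>".length);
  return /(^|[^\\])'/.test(body);
}

// Constructed payload and URL-encoded (double-encoded quote) wire form.
const PAYLOAD = "'; alert(1); //";
const WIRE = "%2527%3B%20alert(1)%3B%20%2F%2F";

function demo() {
  return {
    filterBypassed: filterThenDecode(WIRE) === PAYLOAD,
    filterHolds: decodeThenFilter(WIRE) === null,
    bodyFilterFails: breaksOutOfJsString(renderJsVar(naiveBodyFilter(PAYLOAD), s => s)),
    jsEncoderHolds: !breaksOutOfJsString(renderJsVar(PAYLOAD, encodeForJavaScript)),
  };
}
```

`demo()` returns all four flags true: the raw-parameter filter passes the wire form because it never sees a quote, canonicalizing first catches it, the angle-bracket filter does nothing for the JavaScript context, and the JS string encoder leaves the literal intact whatever the input was. The encoders here are allow-list based (everything outside `[A-Za-z0-9]` is escaped) because a deny-list is exactly what alternate encodings defeat.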
