[WEB SECURITY] Bypassing Security controls using alternate encoding
jim at manico.net
Tue Apr 6 19:11:15 EDT 2010
Forgive this poor segue but....
There is no way* to filter user input in a way that protects from XSS in
all HTML display contexts.
XSS is solved from a defensive coding perspective via proper contextual
output encoding, not validation.
Validation helps reduce the threat surface for individual inputs, don't
get me wrong - but it's the output encoding technique that is the true
final layer of defense.
And even worse, there are few ways to stop XSS via automation. The
various "filters" that I have seen from MS and others only stop XSS in
certain (HTML Body) display contexts. But as soon as a coder renders
The closest I have seen to truly automatic XSS protection is
which just looks freaking amazing to me. Can't wait for the Java version.
But today, for most Enterprise developers, your XSS Defense Bible is
. This is a guide to proper contextual XSS output encoding, authored and
maintained by Jeff Williams.
> XSS filters are not the only kind of filters that can be beaten with
> the right character sequences.
> File upload file/mime type bypass, directory traversal, and command
> execution are also highly fuzzable using a good list of patterns that
> have been known to exploit other software, previously, injected into
> the right place, and the output accurately analyzed. I recently added
> a bunch of the fuzz patterns I have come up with during testing to the
> OWASP Fuzzing Code Database
> As the list grows, I've been thinking it would be a lot more useful as
> a SVN repository or something similar, and am suggesting the idea to
> the project lead. Maybe on google code?
> On Tue, Apr 6, 2010 at 6:31 AM, Chintan Dave <davechintan at ymail.com> wrote:
> Hi List,
> I am doing some research on alternate encoding to bypass security
> Example: A single quote may be filtered, but %27 might get
> through. Now this is just URL Encoding, I want to understand what
> all other encoding methods could be used to bypass the filters.
> There can be multiple ways for encoding the input, Is there any
> thumb rule to identify - which encoding method to use when?
> I have little knowledge on encoding and would appreciate pointers
> for further research on this topic.