[WEB SECURITY] The future of XSS attacks

MaXe owasp at intern0t.net
Sat Jan 23 08:19:37 EST 2010


MustLive wrote:
> Hello participants of the Mailing List.
>
> Yesterday I wrote the English version of my article The future of XSS attacks
> (http://websecurity.com.ua/3878/), which you can read if you are interested
> in this topic.
>
> In the article I talked about Cross-Site Scripting attacks where it's not
> possible to use any tags and angle brackets. I listed attack vectors which
> can be used in this case (automated and non-automated). And I wrote about
> the current situation with modern browsers: in 2008 in Firefox 3 the
> possibility of attack via -moz-binding was removed (partly), and in IE 8,
> which was released at the beginning of 2009, support for expression() was
> removed.
>
> So I proposed my cross-browser solution for conducting automated XSS
> attacks in such conditions (when it's not possible to use any tags and
> angle brackets) - using the MouseOverJacking technique, which I already
> wrote about (http://websecurity.com.ua/3814/).
>
> You can read the article The future of XSS attacks at my site:
> http://websecurity.com.ua/3878/
>
> Best wishes & regards,
> MustLive
> Administrator of Websecurity web site
> http://websecurity.com.ua
>
>
> ----------------------------------------------------------------------------
>
> Join us on IRC: irc.freenode.net #webappsec
>
> Have a question? Search The Web Security Mailing List Archives:
> http://www.webappsec.org/lists/websecurity/archive/
>
> Subscribe via RSS: http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
>
> Join WASC on LinkedIn
> http://www.linkedin.com/e/gis/83336/4B20E4374DBA
>
>
Hi MustLive,


I've replied to your blog about "MouseOverJacking" (fancy) and The
Future of XSS Attacks.

In the following reply, examples of code were filtered away (text inside
hard brackets [] was filtered away):
"In cases where [ <script> ] has only been "blocked" by f.ex.
preg_replace (seen in many cases), [ <img src="x:x" onerror="alert(0)"
/> ] is just one of my favorite working examples of getting an alert box
still."

Instead of filtering / removing tags like you do on your website, using
htmlspecialchars($var) or htmlentities($var, ENT_QUOTES) is most likely
a better implementation against Cross-Site Scripting (if it is used
correctly), since it will also be easier to write code examples like I
tried to. At www.php.net you can read more about what the above functions
do; in short, they convert HTML characters to their HTML entity, " becomes
f.ex. &quot; which can't be used for Cross Site Scripting in this case.

The problem where the error / vulnerability lies is with the users
(humanoids), including developers. Websites are built by humanoids and
they are exploited by humanoids because nothing can be created 100% and
neither 100% secure; however, it is possible to follow "best coding
practice", which I endorse you to do as well.


Best regards,
MaXe - Founder of InterN0T
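
An added example in PHP (my own, not code from MaXe's post or from MustLive's site) contrasting the two approaches the reply describes: a preg_replace blacklist that only removes a literal <script> tag, beside output encoding with htmlspecialchars and ENT_QUOTES. The sample input string and the function names filter_script_tag, encode_for_html and contains_tag are constructed for this example.

```php
<?php
// Added example, not from the original post. Shows why stripping one tag
// with preg_replace leaves other markup intact, while entity encoding makes
// every tag render as inert text.

// Constructed untrusted input, e.g. a comment submitted through a form.
// The <img ... onerror> payload is the one quoted in MaXe's reply.
$untrusted = 'hello <script>x</script> <img src="x:x" onerror="alert(0)" /> "q" \'s\'';

// 1. Blacklist filtering: removes only the literal <script> tag.
//    Anything else (<img>, event handler attributes, quotes) passes through.
function filter_script_tag(string $input): string
{
    return preg_replace('/<\/?script>/i', '', $input);
}

// 2. Output encoding: <, >, &, " and ' become entities, so the browser
//    shows them as characters instead of parsing them as markup.
//    ENT_QUOTES is what makes single quotes encoded as well, which matters
//    when the value lands inside a single-quoted attribute.
function encode_for_html(string $input): string
{
    return htmlspecialchars($input, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Simple check used below: does the string still contain any tag opener?
function contains_tag(string $html): bool
{
    return preg_match('/<[a-z!\/?]/i', $html) === 1;
}

$filtered = filter_script_tag($untrusted);
$encoded  = encode_for_html($untrusted);

echo "filtered: $filtered\n";
// The <img src="x:x" onerror="alert(0)" /> tag survives the blacklist.
echo "encoded:  $encoded\n";
// &lt;img src=&quot;x:x&quot; onerror=&quot;alert(0)&quot; /&gt; ... renders as text.

var_dump(contains_tag($filtered)); // bool(true): still injectable
var_dump(contains_tag($encoded));  // bool(false): no markup left
```

Two practical notes on the encoding side: pass the charset explicitly, because htmlspecialchars returns an empty string on byte sequences that are invalid for the charset it assumes (add ENT_SUBSTITUTE to replace them instead), and be aware that before PHP 8.1 the default flags did not include ENT_QUOTES, so single quotes were left alone unless you asked for it as MaXe's htmlentities($var, ENT_QUOTES) does. Encoding is context-specific: this covers HTML text and quoted attribute values, not JavaScript strings, URLs or CSS, which each need their own encoder.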



