[WEB SECURITY] The future of XSS attacks

Schmidt, Chris cschmidt at servicemagic.com
Mon Jan 25 01:22:09 EST 2010


I would like to take this opportunity to point everyone at the latest installment of ESAPI4JS, along with some reference material on using it, specifically using it to mitigate DOM Based XSS attacks (without relying on browser plugins).

http://yet-another-dev.blogspot.com/2010/01/esapi4js-v013-now-available.html

The changelog for 0.1.3 follows:

version 0.1.3 (01/23/2010)

General
  - More updates to distribution
  - Cleaned up subversion repository
  - Updated subversion to allow online testing

Validation
  - Implemented i18n support for error messaging

Logging
  - Fixed overwrite bug in Logging configuration

Internationalization
  - Created ObjectResourceBundle?
  - Moved messaging to an external resource file
  - Added configuration options to ESAPI Config

HTTPUtils
  - Implemented Cookie-Jar Management
  - Implemented function to get parameters from a GET request

~ beef



-----Original Message-----
From: MaXe [mailto:owasp at intern0t.net]
Sent: Sat 1/23/2010 6:19 AM
To: MustLive
Cc: websecurity at webappsec.org
Subject: Re: [WEB SECURITY] The future of XSS attacks
 
MustLive wrote:
> Hello participants of the Mailing List.
>
> Yesterday I wrote the English version of my article The future of XSS attacks
> (http://websecurity.com.ua/3878/), which you can read if you are interested
> in this topic.
>
> In the article I talked about Cross-Site Scripting attacks where it's
> not possible to use any tags and angle brackets. I listed attack
> vectors which can be used in this case (automated and non-automated),
> and wrote about the current situation with modern browsers: in 2008, in
> Firefox 3, the possibility of attack via -moz-binding was removed (partly),
> and in IE 8, which was released at the beginning of 2009, support for
> expression() was removed.
>
> So I proposed my cross-browser solution for conducting automated XSS
> attacks in such conditions (when it's not possible to use any tags and
> angle brackets) - using the MouseOverJacking technique, which I already
> wrote about (http://websecurity.com.ua/3814/).
>
> You can read the article The future of XSS attacks at my site:
> http://websecurity.com.ua/3878/
>
> Best wishes & regards,
> MustLive
> Administrator of Websecurity web site
> http://websecurity.com.ua
>
>
> ----------------------------------------------------------------------------
>
> Join us on IRC: irc.freenode.net #webappsec
>
> Have a question? Search The Web Security Mailing List Archives:
> http://www.webappsec.org/lists/websecurity/archive/
>
> Subscribe via RSS: http://www.webappsec.org/rss/websecurity.rss [RSS
> Feed]
>
> Join WASC on LinkedIn
> http://www.linkedin.com/e/gis/83336/4B20E4374DBA
>
>
Hi MustLive,


I've replied to your blog about "MouseOverJacking" (fancy) and The
Future of XSS Attacks.

In the following reply, examples of code were filtered away (text inside
hard brackets [] was filtered away):
"In cases where [ <script> ] has only been "blocked" by f.ex.
preg_replace (seen in many cases), [ <img src="x:x" onerror="alert(0)"
/> ] is just one of my favorite working examples of still getting an
alert box."

Instead of filtering / removing tags like you do on your website, using
htmlspecialchars($var) or htmlentities($var, ENT_QUOTES) is most likely
a better implementation against Cross-Site Scripting (if it is used
correctly), since it will also be easier to write code examples like I
tried to. At www.php.net you can read more about what the above functions
do; in short, they convert HTML characters to their HTML entity, " becomes
f.ex. &quot; which can't be used for Cross-Site Scripting in this case.

The problem, where the error / vulnerability lies, is the users
(humanoids), including developers. Websites are built by humanoids and
they are exploited by humanoids because nothing can be created 100%
and neither 100% secure; however, it is possible to follow "best coding
practice", which I encourage you to do as well.


Best regards,
MaXe - Founder of InterN0T
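The contrast MaXe draws above, between stripping a blacklisted tag and entity-encoding output, is shown below as an added example that is not part of the thread and is not code from ESAPI4JS or PHP. It is written in JavaScript (the language of ESAPI4JS mentioned earlier in the thread) and assumes two hypothetical helpers: `stripScriptTags`, modelled on a preg_replace that only removes `<script>` tags, and `encodeForHtml`, modelled on what htmlentities($var, ENT_QUOTES) does for the five characters that matter in HTML text and attribute contexts. The inputs are the two snippets MaXe quotes plus one constructed string.

```javascript
// Added example, not from the mailing-list thread or from ESAPI4JS.
// Hypothetical blacklist filter: strips only <script> / </script> tags,
// like a preg_replace that "blocks" <script> and nothing else.
function stripScriptTags(input) {
  return String(input).replace(/<\/?script[^>]*>/gi, "");
}

// Hypothetical encoder modelled on htmlentities($var, ENT_QUOTES): every
// character that can open a tag, end an attribute, or start an entity is
// replaced by its entity, so the browser renders it as text.
function encodeForHtml(input) {
  const map = {
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    '"': "&quot;",
    "'": "&#039;",
  };
  return String(input).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Smoke test for the demo (not an HTML parser): does the output still
// contain a character sequence that an HTML parser would treat as the
// start of a tag?  After encoding there is no literal "<" left at all.
function containsTagStart(output) {
  return /<[a-z/!]/i.test(output);
}

// Runs both defences over one input and reports whether each left
// markup behind.
function compareDefences(input) {
  const filtered = stripScriptTags(input);
  const encoded = encodeForHtml(input);
  return {
    filtered,
    encoded,
    filterLeavesMarkup: containsTagStart(filtered),
    encodingLeavesMarkup: containsTagStart(encoded),
  };
}

// Constructed sample inputs: the two snippets quoted in MaXe's reply and
// one ordinary string with a quote character.
const samples = [
  "<script>alert(0)</script>",
  '<img src="x:x" onerror="alert(0)" />',
  'plain text with a " quote',
];

// Stand-alone run: prints the outcome for each sample.
for (const s of samples) {
  const r = compareDefences(s);
  console.log(JSON.stringify(s));
  console.log("  filtered:", JSON.stringify(r.filtered), "markup left:", r.filterLeavesMarkup);
  console.log("  encoded: ", JSON.stringify(r.encoded), "markup left:", r.encodingLeavesMarkup);
}
```

The blacklist removes the `<script>` tag and nothing else, so the `<img ... onerror>` snippet reaches the page untouched; the encoder turns every `<`, `>` and `"` into an entity, so the same string is displayed as literal text. Note that entity encoding is only the right tool when the value lands in HTML text or a quoted attribute; a value written into a script block or a URL needs the encoding for that context instead, which is the distinction the ESAPI encoders are organised around.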

