[WEB SECURITY] WAF XSS Fuzzer?!

Ryan Barnett rcbarnett at gmail.com
Wed Feb 2 17:06:09 EST 2011


On a related note - the never ending obfuscation techniques to bypass any
filtering mechanism (WAF or otherwise) lead me to use additional WAF
techniques to help mitigate XSS attacks.  I recently gave my "XSS
Street-Fight" presentation at Blackhat DC
(http://www.blackhat.com/html/bh-dc-11/bh-dc-11-briefings.html#Barnett)
which outlined these items.  The preso slides aren't up on the BH site yet
so I posted them here -
http://www.modsecurity.org/documentation/XSS_Street_Fight-Ryan_Barnett-BlackhatDC-2011.pdf

The short of it is that you need to do things like -
1. Generic Attack Payload Detection - highly obfuscated payloads often have
tell-tale signs that something is abnormal with it.
2. Dynamic Taint Propagation - to compare inbound/outbound data to identify
possible areas where the app isn't applying output escaping/encoding of
user-supplied data.
3. Counting the number of iframes/scripts on a page - successful XSS attacks
will often result in new tags
4. Adding a JS Sandbox - pushing a JS sandbox (like Active Content
Signatures) down to the client so you can combat XSS there.
Anyways - this is a topic that we will be discussing at the upcoming OWASP
Summit in Portugal next week. http://www.owasp.org/index.php/Summit_2011
Should be interesting to hash all these concepts out further.

Sorry for the thread hijack...

-Ryan


From:  Ryan Dewhurst <ryandewhurst at gmail.com>
Date:  Wed, 2 Feb 2011 21:36:44 +0000
To:  <websecurity at lists.webappsec.org>
Subject:  [WEB SECURITY] WAF XSS Fuzzer?!

> Hi list,
> 
> I was wondering if such a thing existed and if not, would such a thing be
> possible? 
> 
> Or does WAF evasion always need some degree of intelligence to produce a
> viable payload?
> 
> I must admit my WAF evasion knowledge is quite poor. I am awaiting The Web
> Application Obfuscation book as a starting point.
> 
> Thanks,
> Ryan
> 
> Ryan Dewhurst
> 
> blog www.ethicalhack3r.co.uk <http://www.ethicalhack3r.co.uk>
> projects www.dvwa.co.uk <http://www.dvwa.co.uk>  | www.webwordcount.com
> <http://www.webwordcount.com>
> twitter www.twitter.com/ethicalhack3r <http://www.twitter.com/ethicalhack3r>
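Two of the mitigations Ryan Barnett lists above (item 2, comparing inbound to outbound data to spot unescaped reflection, and item 3, counting script/iframe tags against a baseline) sketched in Python as an added example; this is not code from the thread or from ModSecurity, and the query string and response bodies are constructed for illustration.

```python
import html
import re
from urllib.parse import parse_qsl

# Characters that matter once user input lands in an HTML text/attribute context.
HTML_META = re.compile(r'[<>"\'&]')


def check_reflection(query_string, response_body, min_len=4):
    """Taint check: for each inbound parameter value, report how it shows up
    in the outbound body. 'unescaped' = raw value containing HTML
    metacharacters appears verbatim (likely missing output encoding);
    'escaped' = only the HTML-entity-encoded form appears;
    'reflected-benign' = raw value appears but carries no metacharacters."""
    findings = []
    for name, value in parse_qsl(query_string, keep_blank_values=True):
        if len(value) < min_len:
            continue  # very short values match too often to be meaningful
        raw_hit = value in response_body
        encoded = html.escape(value, quote=True)
        encoded_hit = encoded != value and encoded in response_body
        if raw_hit and HTML_META.search(value):
            findings.append((name, "unescaped"))
        elif encoded_hit:
            findings.append((name, "escaped"))
        elif raw_hit:
            findings.append((name, "reflected-benign"))
    return findings


def count_active_tags(response_body):
    """Count opening <script> and <iframe> tags (case-insensitive) so a
    per-page baseline can be compared against later responses."""
    return {
        "script": len(re.findall(r'<script\b', response_body, re.I)),
        "iframe": len(re.findall(r'<iframe\b', response_body, re.I)),
    }


def exceeds_baseline(baseline, current):
    """True if the current response carries more script/iframe tags than the
    recorded baseline for that page (the 'new tags' signal from item 3)."""
    return any(current[k] > baseline.get(k, 0) for k in current)


if __name__ == "__main__":
    # Constructed sample: same search page, once with proper encoding, once without.
    qs = "q=%3Cb%3Ehi%3C%2Fb%3E&name=alice"
    good = "<p>You searched for &lt;b&gt;hi&lt;/b&gt;, alice</p>"
    bad = "<p>You searched for <b>hi</b>, alice</p><script>x()</script>"
    print(check_reflection(qs, good), check_reflection(qs, bad))
    print(exceeds_baseline(count_active_tags(good), count_active_tags(bad)))
```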

