Arian J. Evans arian.evans at anachronic.com
Thu Feb 3 15:58:01 EST 2011

Awesome that someone put a book together on this subject; long
overdue. I didn't know there were others as geeked out on
canonicalization as you and I were, and the guys over at Depth

FYI WhiteHat Sentinel has been testing for a large number of these
"filter evasion"/canonicalization issues for 4+ years now. I published
stats about their frequency of occurrence a few years ago at BlackHat.
That was from a fairly small sample of applications compared to what
we work with today though, so it's probably time to take a look at
those numbers again.

What we find time and time again is that most of the obscure "filter
evasion" techniques tend to succeed as edge-cases. But there are a
heck of a lot of edge-cases out there. Some other observations about
these types of filter-evasion/canonicalization issues:

1) hard for static automation to identify
2) often emergent behaviors, results of disparate code bases and/or
interactions with app/web server product configurations
3) often only show up at runtime in Production, usually because of a
relationship in item #2
4) often only in isolated parts of larger applications (again, see #2)
so spot-checking applications doesn't help. Need better automated
levers to cover all inputs, and find the edge-cases.

We have also worked fairly closely with several Web App Firewall
vendors integrating Sentinel, and sharing information with them about
these types of filter evasions. However, WAF vendors have a tough time
of it. Customers will tolerate false-negatives over false-positives.
Good or bad, that's just how the world works. Filtering on these types
of data constructs has an unfortunate tendency to generate false
positives - especially on internationalized websites using multiple
code pages/encoding formats. Likewise, remediation is often as
challenging for the developer to understand as mitigation. Tricky

Also, I know IBM Appscan has implemented some degree of tests
targeting these issues as well. I have not seen the other mainstream
webapp scanners perform any depth of testing here (they might, but I
haven't seen it in their test injections nor results). However - the
biggest problems the appsec scanning industry is facing today involve
scaling and false-positive rates. Improved filter-evasion just isn't
a primary problem (yet) IMHO.

Interesting times. The appsec industry, the customer base, and the
technologies are all evolving rapidly today. The next 5 years in
appsec should be much more exciting than the last 5 years.

Keep up the excellent work, Chris (I'm assuming x5s is your project).

Arian Evans

On Thu, Feb 3, 2011 at 9:43 AM, Chris Weber <chris at casabasecurity.com> wrote:
> x5s tests for encoding issues that lead to XSS by using what could be
> qualified as some obfuscation techniques.  It’s not doing all of the
> obfuscation techniques you’d find in the new book
> http://www.amazon.com/Web-Application-Obfuscation-WAFs-Evasion-Filters-alert/dp/1597496049/.
> It’s more focused on charset and Unicode such as overlong utf-8, Unicode
> characters that normalize and best-fit map to lower range ASCII.  It also
> also injects straight-up ASCII probes.  We have a new version with a much
> better approach awaiting some beta testing; if you’re interested, let me know.
> http://xss.codeplex.com
> -CWeber
> From: websecurity-bounces at lists.webappsec.org
> [mailto:websecurity-bounces at lists.webappsec.org] On Behalf Of Ryan Dewhurst
> Sent: Wednesday, February 02, 2011 1:37 PM
> To: websecurity at lists.webappsec.org
> Subject: [WEB SECURITY] WAF XSS Fuzzer?!
> Hi list,
> I was wondering if such a thing existed and if not, would such a thing be
> possible?
> Or does WAF evasion always need some degree of intelligence to produce a
> viable payload?
> I must admit my WAF evasion knowledge is quite poor. I am awaiting The Web
> Application Obfuscation book as a starting point.
> Thanks,
> Ryan
> Ryan Dewhurst
> blog www.ethicalhack3r.co.uk
> projects www.dvwa.co.uk | www.webwordcount.com
> twitter www.twitter.com/ethicalhack3r
> _______________________________________________
> The Web Security Mailing List
> WebSecurity RSS Feed
> http://www.webappsec.org/rss/websecurity.rss
> Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
> WASC on Twitter
> http://twitter.com/wascupdates
> websecurity at lists.webappsec.org
> http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
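The charset and Unicode probes Chris describes above (overlong UTF-8, characters that normalize to low-range ASCII), seen from the filter's side, as an added example that is not x5s or Sentinel code: a canonicalize-then-validate check that rejects ill-formed UTF-8 outright and flags input whose NFKC form introduces metacharacters the raw bytes lacked. The metacharacter list and the sample inputs are constructed for the example; Windows-style best-fit mapping is not modelled.

```python
from __future__ import annotations

import unicodedata

# Constructed for this example: characters that matter in an HTML/JS context.
METACHARS = frozenset('<>"\'&/;()=')


def canonicalize(raw: bytes) -> str:
    """Strictly decode UTF-8, then NFKC-normalize.

    Python's strict decoder already rejects overlong sequences such as
    b'\\xc0\\xbc' (an illegal two-byte spelling of '<'), so ill-formed input
    never reaches the validator. NFKC then folds compatibility characters such
    as full-width '<' (U+FF1C) to their ASCII form.
    """
    return unicodedata.normalize('NFKC', raw.decode('utf-8', errors='strict'))


def check_input(raw: bytes) -> tuple[str, set[str]]:
    """Classify one input the way a canonicalize-then-validate filter would.

    Returns (verdict, introduced) where verdict is one of:
      'ill-formed' - invalid or overlong UTF-8; reject outright
      'smuggled'   - canonical form contains metacharacters the raw form lacked
      'ok'         - canonicalization introduced nothing new (a literal '<'
                     in the raw text is left for the ordinary validator)
    """
    try:
        canonical = canonicalize(raw)
    except UnicodeDecodeError:
        return 'ill-formed', set()
    raw_text = raw.decode('utf-8')
    introduced = (set(canonical) & METACHARS) - set(raw_text)
    return ('smuggled' if introduced else 'ok'), introduced


# Constructed sample inputs; none of these come from a real application.
SAMPLES = {
    'plain': b'hello world',
    'overlong_lt': b'\xc0\xbcscript\xc0\xbe',            # overlong '<' and '>'
    'fullwidth': '\uff1cscript\uff1e'.encode('utf-8'),   # U+FF1C / U+FF1E
    'ligature': '\ufb01lename'.encode('utf-8'),          # U+FB01 'fi', benign
}

if __name__ == '__main__':
    for name, sample in SAMPLES.items():
        verdict, chars = check_input(sample)
        print(f'{name:12} {verdict:10} {sorted(chars)}')
```

The 'ligature' case is the false-positive side Arian mentions: it normalizes, but introduces no metacharacter, so a filter keyed on introduced characters rather than on "any normalization happened" leaves it alone.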
