OSEC

From: Sverre H. Huseby (shhthathost.com)
Date: Mon Oct 29 2001 - 13:23:21 CST


    | Example - An application does not accept HTML as input and wants
    | to prevent Cross Site Scripting (See OWASP-IV-CSS-1). If the
    | application strips < and >, then no HTML tags will be
    | accepted. However the malicious user could use the URL encoded
    | equivalents %3C and %3E to bypass the input filter. HTML aware
    | applications often strip out <script> but don't correctly handle
    | %3Cscript%3E.

    I'm not quite sure I understand this example:

      * If a bad guy passes %3C in a URL, the %3C will be mapped
        to < by the web server before the string is sent to the web
        application. The application won't see the %3C.

      * If the user enters %3C in a way that makes the web application
        receive it, e.g. by sending %253C in a URL, the application will
        generate web pages with e.g. "%3Cscript%3E" in them, which won't be
        interpreted as a script tag by any browser I know of.

    The only way this may represent a problem is if the application first
    validates the input (looks for < >), and _then_ performs a URL decode
    itself. And why would it do that?

    Please correct me if I am wrong.

    Sverre.

    -- 
    shhthathost.com			Play my free Nerd Quiz at
    http://shh.thathost.com/		http://nerdquiz.thathost.com/
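The ordering problem the post describes (validate first, URL-decode afterwards) next to the canonicalise-then-validate form, as an added example that is not part of the original message. It models the web server's single decoding pass with `unquote`; the sample values and the `run` helper are constructed for illustration.

```python
from urllib.parse import unquote

# Constructed inputs (not from the post): a raw, a single-encoded and a
# double-encoded tag, as each would appear in a request URL.
SAMPLES = {
    "raw":    "<b>",
    "single": "%3Cb%3E",
    "double": "%253Cb%253E",
}

def server_decode(url_value):
    """Model the web server's one URL-decoding pass before the app sees the value."""
    return unquote(url_value)

def has_markup(s):
    return "<" in s or ">" in s

def validate_then_decode(value):
    """The ordering the post singles out as the only real problem:
    check for < and > first, then URL-decode again afterwards."""
    if has_markup(value):
        return None            # rejected by the filter
    return unquote(value)      # a second decode can resurrect < and >

def decode_then_validate(value, max_rounds=3):
    """Canonicalise first: decode until the value stops changing, then check.
    The round limit keeps a pathological input from looping forever."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    if has_markup(value):
        return None            # rejected after canonicalisation
    return value

def run(sample):
    """Return (flawed_result, fixed_result) for what the app receives
    after the server's own decode of the request value."""
    received = server_decode(sample)
    return validate_then_decode(received), decode_then_validate(received)

if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(name, run(value))
```

Only the double-encoded value slips past the validate-then-decode filter, because the server's decode leaves `%3C`, which contains no `<` until the application decodes it a second time.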