From: Jeff Hunsaker (jeffhunsakerhotmail.com)
Date: Mon Feb 04 2002 - 09:57:08 CST


    Under IIS/ASP, the Server.HTMLEncode() method encodes characters
    automatically but I usually use regular expressions coded for specific
    inputs to check anything sent to the server.

    Jeff...

    ----Original Message Follows----
    From: "HarryM" <harrymthe-group.org>
    To: <webappsecsecurityfocus.com>, "Lincoln Yeoh" <lyeohpop.jaring.my>
    Subject: Re: Webappsec FAQ?
    Date: Mon, 4 Feb 2002 06:06:29 -0000

    Someone determined and knowledgeable will always find a way, however, you
    can do a lot by filtering out things like <object>, <embed>, <applet> and of
    course <script>. You can also do other things if you want to use Regex...
    like filtering out anything matching <*on*> and <* javascript *>. Not sure
    if things like <*vb*> would be relevant but it would be worth looking into.
    Probably the simplest and most effective strategy would be to str_replace
    all the output variables to convert < to &lt; and > to &gt;. That will
    defeat the vast majority of malicious scripting attacks, although there are
    probably ways to get around that too - especially if your scripts convert
    unicode or hex into ascii, or something like that. There are so many
    permutations for things like this that it's impossible to get them all, but
    you can do a lot.

    HTH

    Harry M

    ----- Original Message -----
    From: "Lincoln Yeoh" <lyeohpop.jaring.my>
    To: <webappsecsecurityfocus.com>
    Sent: Monday, February 04, 2002 4:54 AM
    Subject: Webappsec FAQ?

    > Hi,
    >
    > Where can I find the webappsec FAQ?
    >
    > I'm trying to figure out how best to filter out javascript (and other
    > active content) on my webapps when displaying HTML from nontrusted
    > sources (e.g. email, users etc). There seem to be thousands of ways to
    > smuggle javascript in html. Is it even possible to create such a filter?
    >
    > No I don't want to resort to an exploit that will turn off javascript
    > etc, on the user's browser.
    >
    > If only browser manufacturers would create a tag for "active content
    > disabled from now on, re-enabled by this passcode: ab412f83d921dc389".
    > But I suppose they won't be able to do that properly either ;).
    >
    > Thanks,
    > Link.
    >

    Jeff Hunsaker
    JeffHunsakerhotmail.com
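The thread above compares three ways of handling untrusted HTML on output: a blacklist of tags such as <object>, <embed>, <applet> and <script>, a str_replace of only < and >, and a full encoder like Server.HTMLEncode(). The following JavaScript is an added illustration, not code from any of the posters; the function names are my own and the sample inputs are constructed. It runs the three strategies over the same inputs, shows why a quoted attribute needs the quote characters encoded as well, and shows the ordering problem Harry raises about scripts that decode hex after the filter has run.

```javascript
// Added example, not from the original thread. Contrasts a tag blacklist,
// replacing only < and >, and full HTML output encoding.

// Encode every character that can change meaning in HTML text or inside a
// quoted attribute. '&' goes first so entities produced by the later
// replacements are not encoded twice.
function htmlEncode(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// The "str_replace < and >" strategy from the thread, for comparison.
function angleBracketsOnly(s) {
  return String(s).replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// The tag-blacklist strategy from the thread: drop <object>, <embed>,
// <applet> and <script> tags, opening and closing, in any case.
const BLACKLIST = /<\s*\/?\s*(object|embed|applet|script)\b[^>]*>/gi;
function stripBlacklistedTags(s) {
  return String(s).replace(BLACKLIST, '');
}

// Coarse check on rendered output: is there still a live tag, i.e. an
// unencoded '<', an optional '/', then a letter?
function containsTag(html) {
  return /<\/?[a-z]/i.test(html);
}

// Case 1: the tags the thread names plus one harmless tag that is not on
// the list, and plain text that happens to contain '<' and '>'.
// (Constructed samples.)
const TAG_SAMPLES = [
  '<script>x=1</script>',
  '<OBJECT data="x"></OBJECT>',
  '<embed src="x">',
  '<applet code="x"></applet>',
  '<blink>not blacklisted</blink>',
  'plain text, 1 < 2 && 3 > 2',
];

// Which samples still render as a tag after the given strategy?
function survivingTags(strategy) {
  return TAG_SAMPLES.filter((s) => containsTag(strategy(s)));
}

// Case 2: attribute context. Replacing only < and > leaves '"' intact, so
// a value can end the attribute it sits in; htmlEncode keeps exactly the
// four delimiter quotes the template itself wrote.
function renderValueAttribute(strategy, value) {
  return '<input type="text" value="' + strategy(value) + '">';
}
function quoteCount(html) {
  return (html.match(/"/g) || []).length;
}

// Case 3: the "scripts convert hex into ascii" caveat. If the output
// routine decodes after the filter ran, brackets the filter never saw come
// back as live markup; decoding first and encoding last avoids that.
function filterThenDecode(s) {
  return decodeURIComponent(angleBracketsOnly(s));
}
function decodeThenEncode(s) {
  return htmlEncode(decodeURIComponent(s));
}

console.log('blacklist leaves:', survivingTags(stripBlacklistedTags));
console.log('<> only leaves:', survivingTags(angleBracketsOnly));
console.log('htmlEncode leaves:', survivingTags(htmlEncode));
console.log(renderValueAttribute(angleBracketsOnly, 'say "hi"'));
console.log(renderValueAttribute(htmlEncode, 'say "hi"'));
console.log(filterThenDecode('%3Cscript%3E'), '|', decodeThenEncode('%3Cscript%3E'));
```

The blacklist removes exactly the four tags it knows about and nothing else, which is the "impossible to get them all" point; both encoders leave no live tag, but only htmlEncode also survives being placed inside a quoted attribute, and only when encoding is the last step before output does a later hex or unicode decode stay harmless.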
