RE: whitelisting HTML tags

From: RSnake (rsnake@shocking.com)
Date: Wed Nov 02 2005 - 11:05:43 CST


Allowing src in images doesn't prevent all types of XSS, as you can have it
point to a valid-looking .jpg or .gif like http://somwhere.com/xss.jpg
with an .htaccess file like:

Redirect 302 /xss.jpg http://victimsite.com/admin.asp&deleteuser

Or you can set up an alias to have it point to a cgi script that has
more intelligence (if you're coming up with the idea to go and validate
if it is a real image file). If you haven't yet, please check out my
XSS page for lots of ways around common filters, like the one below:
http://ha.ckers.org/xss.html

On Wed, 2 Nov 2005, Jeff Robertson wrote:

> This is exactly the sort of thing I'm looking for. Anyone know of any
> libraries (preferably in Java) that already do this?
>
> Jeff Robertson
> Manager of Web Application Security
> Digital Insight
>
>
>> -----Original Message-----
>> From: Sverre H. Huseby [mailto:shh@thathost.com]
>> Sent: Wednesday, November 02, 2005 10:52
>> To: Jeff Robertson
>> Cc: 'webappsec@securityfocus.com'
>> Subject: Re: whitelisting HTML tags
>>
>>
>> [Jeff Robertson]
>>
>> | I need to tell my development to limit the HTML tags allowed in
>> | input to a subset that can't be used for XSS. Any guidelines for
>> | this?
>>
>> You need three levels of whitelisting:
>>
>> * For allowed _tags_
>>
>> * For allowed _attributes_ for the allowed tags (separate attribute
>> whitelist for each tag)
>>
>> To avoid e.g. onload, onclick and stuff
>>
>> If you allow an "img" tag, you could allow the "src" and "alt"
>> attributes, and discard the rest.
>>
>> * For allowed _attribute_values_ for the allowed attributes
>>
>> To avoid e.g. href="javascript:..."
>>
>> You would allow src="http:..." and src="ftp:", and discard the
>> rest.
>>
>>
>> Sverre.
>>
>> --
>> shh@thathost.com                 My web security book: Innocent Code
>> http://shh.thathost.com/         http://innocentcode.thathost.com/
>>
>

-R
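The three-level whitelist Sverre describes (tags, per-tag attributes, attribute values), with the gap RSnake points out left visible, as an added example. This is not code from any poster in the thread and not one of the Java libraries Jeff asks about; it is a Python sketch on top of the standard-library HTMLParser. The tag/attribute lists, allowed schemes and sample inputs are all assumed for illustration.

```python
"""Three-level HTML whitelist: tags, per-tag attributes, URL attribute values.

Added example, not from any poster in this thread. The whitelists and the
sample inputs are constructed for illustration.
"""
from html import escape
from html.parser import HTMLParser
from typing import Optional
from urllib.parse import urlsplit

# Levels 1 and 2: allowed tags, each with the attributes allowed on it.
# Anything not listed (script, iframe, style, every on* handler) is dropped.
# Assumed policy, not anyone's production list.
ALLOWED = {
    "a": {"href", "title"},
    "img": {"src", "alt"},
    "b": set(), "i": set(), "em": set(), "strong": set(), "p": set(),
    "br": set(), "ul": set(), "ol": set(), "li": set(),
}
VOID_TAGS = {"img", "br"}           # never get a closing tag
URL_ATTRS = {"href", "src"}         # level 3 applies to these
ALLOWED_SCHEMES = {"http", "https", "ftp"}
SKIP_CONTENT = {"script", "style"}  # raw text inside these is discarded too


def clean_url(value: str) -> Optional[str]:
    """Return the URL if it uses an allowed absolute scheme, else None.

    ASCII whitespace and control characters are removed first: browsers
    ignore them when reading the scheme, so "jav\\tascript:" or
    " javascript:" would otherwise pass a naive startswith() check.
    """
    cleaned = "".join(ch for ch in value if ord(ch) > 0x20 and ch != "\x7f")
    parts = urlsplit(cleaned)
    if parts.scheme.lower() in ALLOWED_SCHEMES and parts.netloc:
        return cleaned
    return None


class WhitelistSanitizer(HTMLParser):
    """Re-serialise input, keeping only whitelisted tags/attributes/values."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.dropped = []       # (tag, attr, value) audit trail of rejections
        self._skipping = False  # True while inside <script>/<style> content

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:
            self.dropped.append((tag, None, ""))
            if tag in SKIP_CONTENT:
                self._skipping = True
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED[tag]:
                self.dropped.append((tag, name, value))  # e.g. onerror=
                continue
            if name in URL_ATTRS:
                cleaned = clean_url(value)
                if cleaned is None:                      # e.g. javascript:
                    self.dropped.append((tag, name, value))
                    continue
                value = cleaned
            # quote=True so a value cannot break out of its own quotes
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in SKIP_CONTENT:
            self._skipping = False
        elif tag in ALLOWED and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skipping:
            self.out.append(escape(data, quote=False))


def sanitize(html: str) -> str:
    parser = WhitelistSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    # Constructed inputs. The last one passes every level of the whitelist:
    # the filter cannot see that somewhere.com answers with a 302 to a
    # state-changing URL on the victim site, which is RSnake's point.
    for sample in (
        '<img src="http://a.example/x.png" onerror="alert(1)">',
        '<a href="jav&#x09;ascript:alert(1)">x</a>',
        '<script>alert(1)</script><b>bold</b>',
        '<img src="http://somwhere.com/xss.jpg">',
    ):
        print(repr(sample), "->", repr(sanitize(sample)))
```

Note that the fourth sample survives untouched: an attribute-value whitelist can only judge the URL as written, not what the remote server does with it. The image request is still made with the viewer's cookies, so a redirect to an authenticated action on the hosting site goes through regardless of how strict the HTML filter is; that is a CSRF-style problem and needs a different control (for example, requiring POST plus a per-session token for state-changing actions).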
