Sla.ckers.org
Whether this is about ha.ckers.org, sla.ckers.org or some other project you are interested in or want to talk about, throw it in here to get feedback. 
Re: "Yet another html filter" (allowHTML)
Posted by: sjdev86
Date: February 20, 2010 06:40PM

The shorthand lists in AntiSamy are now allowed for (e.g. background can take on background-image values as well). A couple of very minor issues encountered so far (the default rules not allowing everything I would have expected), but it is a very small minority:

ALLOWED

<div style="background:url(test.png);">test</div>

NOT ALLOWED

<div style="background:url('test.png');">test</div>
<div style="background:#FFF url(test.png);">test</div>

Re: "Yet another html filter" (allowHTML)
Posted by: Gareth Heyes
Date: March 02, 2010 02:34PM

Nice design. I've checked out the code too and it's much better. Tried a few things and it seemed to catch them. The <a href> check seems a bit weak, though; I was almost able to sneak a vector through.

Good work! I'll keep my eye on this one. BTW, I like the fact you use type hinting! Wish more devs did this.

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Re: "Yet another html filter" (allowHTML)
Posted by: sjdev86
Date: March 02, 2010 03:23PM

I'd literally just sat down to work on the URL filtering (I wasn't happy with using a single regex for them, so decided to bypass the AntiSamy rule) when I saw some new entries coming through in the demo logs. I thought it might be you. ;)

I've made some small updates as a result (good timing on your part) and will test the new entries against the default regex as well for comparison.

I have found type hinting to be increasingly useful as time has gone by.


Re: "Yet another html filter" (allowHTML)
Posted by: sirdarckcat
Date: April 08, 2010 01:42AM

nice try, good luck next time

<div style="xss=\000065xpression(confirm(1))!: url('xD');">hola</div>

greetings!!

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat

Re: "Yet another html filter" (allowHTML)
Posted by: sirdarckcat
Date: April 08, 2010 01:45AM

BTW, thanks guys... there's a new filter and no one told me :(

background:url(/*this-is-a-comment-on-IE);background-image:url(still-a-comment*/);

CSS is not easy dude :P

Re: "Yet another html filter" (allowHTML)
Posted by: Gareth Heyes
Date: April 08, 2010 06:40AM

@sirdarckcat

Nice ones :)

Re: "Yet another html filter" (allowHTML)
Posted by: sjdev86
Date: April 19, 2010 02:21PM

@sirdarckcat - better you didn't come across it too early, fewer holes to pick!

I think we can safely say that better character checking of style property names is needed (a whitelist is now in place) to guard against #1. Blacklisting style comments is all I can imagine for #2.


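The points raised across this thread (sjdev86's allowed/not-allowed background shorthand cases, sirdarckcat's escaped property name and comment-in-url() vectors, and the whitelist-plus-comment-blacklist response) can be shown in one small checker. The Python below is an added example, not allowHTML's code and not AntiSamy's rules; the property and keyword whitelists, the decision to reject any style containing /* outright, and all test inputs are constructed for this example. It does not address the separate DOMDocument CDATA issue mentioned later in the thread.

```python
import re
from typing import List, Tuple

# Constructed whitelists for this example; allowHTML and AntiSamy ship their own rules.
ALLOWED_PROPERTIES = {"background", "background-image", "background-color",
                      "background-repeat", "color", "font-weight", "text-align"}
ALLOWED_KEYWORDS = {"none", "transparent", "repeat", "no-repeat", "repeat-x", "repeat-y", "left",
                    "right", "center", "top", "bottom", "bold", "normal", "red", "blue", "white", "black"}
_HEX_COLOR = re.compile(r"#[0-9a-f]{3}(?:[0-9a-f]{3})?$")
# url() with a single-quoted, double-quoted or bare argument. A backslash inside the argument
# stops the token from matching, and the leftover "(" then makes the whole value fail.
_URL_TOKEN = re.compile(r"""url\(\s*(?:'([^'\\]*)'|"([^"\\]*)"|([^\s'")\\(]*))\s*\)""", re.I)
# CSS escape: backslash + 1-6 hex digits (+ one optional whitespace), or backslash + any other char.
_ESCAPE = re.compile(r"\\(?:([0-9a-fA-F]{1,6})[ \t\n\r\f]?|([^\n\r\f0-9a-fA-F]))")


def decode_css_escapes(text: str) -> str:
    """Resolve escapes the way a browser tokenizer does before it compares identifiers:
    '\\000065xpression' becomes 'expression', '\\:' becomes ':'."""
    def repl(m):
        hexdigits, literal = m.group(1), m.group(2)
        if hexdigits is None:
            return literal
        cp = int(hexdigits, 16)
        if cp == 0 or cp > 0x10FFFF or 0xD800 <= cp <= 0xDFFF:
            return "\ufffd"
        return chr(cp)
    return _ESCAPE.sub(repl, text)


def split_declarations(style: str) -> List[str]:
    """Split on ';' outside quotes and parentheses, so url('a;b.png') stays whole."""
    out, buf, quote, depth, i = [], [], None, 0, 0
    while i < len(style):
        c = style[i]
        if c == "\\":                      # keep an escape and its next char together
            buf.append(style[i:i + 2])
            i += 2
            continue
        if quote:
            quote = None if c == quote else quote
        elif c in "'\"":
            quote = c
        elif c in "()":
            depth = max(0, depth + (1 if c == "(" else -1))
        elif c == ";" and depth == 0:
            out.append("".join(buf))
            buf = []
            i += 1
            continue
        buf.append(c)
        i += 1
    out.append("".join(buf))
    return [d for d in out if d.strip()]


def safe_url(url: str) -> bool:
    """Accept relative paths and http(s); refuse any other scheme, ignoring the control
    characters and whitespace that browsers skip inside a scheme name."""
    compact = re.sub(r"[\x00-\x20]", "", url).lower()
    return compact.split(":", 1)[0] in ("http", "https") if ":" in compact else True


def safe_value(value: str) -> Tuple[bool, str]:
    """Allow only url() arguments, hex colours and whitelisted keywords in a value."""
    urls: List[str] = []

    def grab(m):
        urls.append(next(g for g in m.groups() if g is not None))
        return " "
    rest = _URL_TOKEN.sub(grab, value)
    if "(" in rest or ")" in rest:             # expression(), rgb(), or a mangled url()
        return False, "function call in value"
    for url in urls:
        if not safe_url(url):
            return False, f"unsafe url {url!r}"
    for tok in rest.split():
        t = decode_css_escapes(tok).lower()
        if t not in ALLOWED_KEYWORDS and not _HEX_COLOR.match(t):
            return False, f"unexpected token {tok!r}"
    return True, ""


def check_style(style: str) -> Tuple[List[str], List[str]]:
    """Return (kept declarations, rejection reasons) for one style attribute value."""
    if "/*" in style:
        # Splitting on ';' yields two innocent-looking url()s, but the browser reads
        # everything from /* to */ as one comment; refuse rather than guess.
        return [], ["comment in style attribute"]
    kept, rejected = [], []
    for decl in split_declarations(style):
        if ":" not in decl:
            rejected.append(f"{decl.strip()!r}: no colon")
            continue
        prop, value = decl.split(":", 1)
        name = decode_css_escapes(prop).strip().lower()  # decode BEFORE the whitelist check
        if name not in ALLOWED_PROPERTIES:
            rejected.append(f"{prop.strip()!r}: property not allowed")
            continue
        ok, why = safe_value(value.strip())
        if ok:
            kept.append(f"{name}:{value.strip()}")
        else:
            rejected.append(f"{prop.strip()!r}: {why}")
    return kept, rejected
```

Calling check_style on the three background cases from the February post keeps all of them, including the quoted url() and the colour-plus-url shorthand. The \000065xpression vector is rejected because the property name is decoded before it is compared with the whitelist, and the comment vector is rejected before any per-declaration parsing happens. Anything that is not url(), a hex colour or a listed keyword is refused, which is deliberately conservative (rgb(), vendor hacks and unknown keywords all fail closed).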
Re: "Yet another html filter" (allowHTML)
Posted by: sirdarckcat
Date: April 22, 2010 08:21AM

Lots of bypasses by a couple of friends and users of another forum!
https://foro.elhacker.net/nivel_web/cyh_bypass_de_filtros_de_xss-t289955.0.html

They are fixed now, but I don't think it's very safe atm...

Greetings!!

Re: "Yet another html filter" (allowHTML)
Posted by: sjdev86
Date: April 23, 2010 12:02PM

@sirdarckcat - thanks, I spotted some of those vectors coming through recently. I didn't realise that PHP's DOMDocument automatically placed CDATA tags in between script / style tags (which caused malicious HTML coming afterwards to be allowed through).

I need to go over that in more detail (since the fix I've implemented is crude). I'm certainly not going to claim it's "safe" in its current form. The only aim is to keep improving it, based on the feedback / attacks from you guys!

